Frank Bonnet <bonnetf_at_bart.esiee.fr> writes:
> if in any file of the pam.d directory I replace
> the original line:
>
> auth required pam_unix.so no_warn try_first_pass nullok
>
> by the following
>
> auth sufficient /usr/local/lib/pam_ldap.so
>
> for example in the /etc/pam.d/su file I can perform the "su -"
> command WITHOUT TYPING ANY PASSWORD from a normal user login.

If pam_ldap is the last line, it should be "required", not "sufficient";
alternatively it should be followed by pam_deny. This is (imperfectly)
documented in /etc/pam.d/README:

    Note that having a "sufficient" module as the last entry for a
    particular service and module type may result in surprising
    behaviour. To get the intended semantics, add a "required" entry
    listing the pam_deny module at the end of the chain.

Solaris introduced the "binding" flag to try to alleviate this problem.
OpenPAM supports "binding", but does not document it anywhere.

DES
--
Dag-Erling Smorgrav - des_at_ofug.org

Received on Thu May 22 2003 - 13:26:24 UTC
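The following is an added example, not code from the thread and not OpenPAM's own dispatch code. It is a small model of how a PAM "auth" chain is evaluated under the control-flag rules the reply relies on, run over the exact stack Frank posted and over the two fixes DES proposes (make pam_ldap "required", or append "required pam_deny"). The result codes are placeholder constants, not values from any pam header, and the module outcomes are supplied by a lookup table so the model runs offline; the "binding" flag is modelled as the reply describes it (a success short-circuits like "sufficient", a failure counts like "required").

```python
# Added example: model of PAM auth-chain evaluation (not OpenPAM's code).
import os

# Placeholder result codes; real values live in the pam headers.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional", "binding")


def parse_pam_stack(text, service_type="auth"):
    """Parse pam.d-style lines into (flag, module, args) for one service type.

    Lines look like 'auth sufficient /usr/local/lib/pam_ldap.so no_warn'.
    Module paths are reduced to their basename so results can be looked up
    by name; comments and blank lines are skipped.
    """
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam line: {line!r}")
        stype, flag, module, *args = fields
        if stype != service_type:
            continue
        if flag not in CONTROL_FLAGS:
            raise ValueError(f"unknown control flag {flag!r} in {line!r}")
        stack.append((flag, os.path.basename(module), args))
    return stack


def run_auth_chain(stack, module_results):
    """Evaluate a chain; module_results maps module basename -> return code.

    Rules modelled:
      required / binding  : failure marks the chain failed, chain continues
      requisite           : failure stops the chain immediately, chain fails
      sufficient / binding: success stops the chain with success unless an
                            earlier required/requisite/binding module failed
      sufficient / optional: failure is ignored
    When the chain runs off the end with no required-type failure the
    result defaults to success. That default is why a trailing "sufficient"
    module that fails still lets the user in.
    """
    err = PAM_SUCCESS
    failed = False
    for flag, module, _args in stack:
        r = module_results[module]
        if r == PAM_SUCCESS:
            if flag in ("sufficient", "binding") and not failed:
                break
            continue
        if flag == "requisite":
            if not failed:
                err = r
            failed = True
            break
        if flag in ("required", "binding"):
            if not failed:
                err = r
            failed = True
        # sufficient and optional failures fall through and are ignored
    return err if failed else PAM_SUCCESS


# Constructed stacks: the one from the thread and the two fixes from the reply.
WEAK_SU_AUTH = "auth sufficient /usr/local/lib/pam_ldap.so\n"
FIXED_REQUIRED = "auth required /usr/local/lib/pam_ldap.so\n"
FIXED_DENY = (
    "auth sufficient /usr/local/lib/pam_ldap.so\n"
    "auth required pam_deny.so\n"
)


def outcome(config_text, ldap_result):
    """Chain result for a given pam_ldap result; pam_deny always fails."""
    results = {"pam_ldap.so": ldap_result, "pam_deny.so": PAM_AUTH_ERR}
    return run_auth_chain(parse_pam_stack(config_text), results)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SU_AUTH), ("required", FIXED_REQUIRED),
                      ("pam_deny", FIXED_DENY)):
        print(f"{name:9s} ldap ok -> {outcome(cfg, PAM_SUCCESS)}; "
              f"ldap fails -> {outcome(cfg, PAM_AUTH_ERR)}")
```

With the weak stack the chain returns success both when pam_ldap accepts the password and when it rejects it, which is the "su - without any password" symptom; with either fix a rejected password yields PAM_AUTH_ERR while a genuine LDAP success still short-circuits before pam_deny. Whether a real PAM library defaults an exhausted chain to success depends on the implementation and version; this model follows the behaviour the thread describes, so check the pam.conf(5) page for the library you actually run.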