Re: 5.1 beta2 still in trouble with pam_ldap

From: Gordon Tetlow <gordont_at_gnf.org>
Date: Thu, 22 May 2003 15:48:50 -0700
On Fri, May 23, 2003 at 12:26:20AM +0200, Dag-Erling Smorgrav wrote:
> Frank Bonnet <bonnetf_at_bart.esiee.fr> writes:
> > if in any file of the pam.d directory I replace
> > the original line :
> >
> > auth           required        pam_unix.so             no_warn try_first_pass nullok
> >
> > by the following 
> >
> > auth            sufficient      /usr/local/lib/pam_ldap.so
> >
> > for example in the /etc/pam.d/su file I can perform the "su -"
> > command WITHOUT TYPING ANY PASSWORD from a normal user login.
> 
> If pam_ldap is the last line, it should be "required", not
> "sufficient"; alternatively it should be followed by pam_deny.  This
> is (imperfectly) documented in /etc/pam.d/README:
> 
>  Note that having a "sufficient" module as the last entry for a
>  particular service and module type may result in surprising behaviour.
>  To get the intended semantics, add a "required" entry listing the
>  pam_deny module at the end of the chain.

Do you think it might be a good idea to turn all the pam configuration
files to list actual providers at sufficient followed by a pam_deny:

auth	sufficient	pam_krb5.so
auth	sufficient	pam_ldap.so
auth	sufficient	pam_unix.so
auth	required	pam_deny.so

This makes it very explicit as to what's going on and makes it so the
last entry isn't different merely because it's last.

> Solaris introduced the "binding" flag to try to alleviate this
> problem.  OpenPAM supports "binding", but does not document it
> anywhere.

I'm unfamiliar with this option. What's it do?

-gordon
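Added example, not part of this message or of the FreeBSD/OpenPAM sources: a small Python model of how a PAM chain is evaluated, written to show why Frank's single "sufficient" pam_ldap line lets su through on a bad password and why both fixes discussed above (make the last entry "required", or end the chain with a required pam_deny) close it. The dispatch rules are a simplified reading of OpenPAM's dispatcher; the module return values, the numeric codes and the login attempts are constructed for the demonstration.

```python
# Constructed model of PAM chain evaluation (not OpenPAM source; see lead-in).
from dataclasses import dataclass
from typing import Dict, List

# Return codes: only equality matters in this model, the numbers are placeholders.
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_IGNORE = 25  # "skip me", e.g. a provider that cannot speak for this user


@dataclass(frozen=True)
class Entry:
    control: str  # "required", "requisite" or "sufficient"
    module: str   # module name as it appears in /etc/pam.d/<service>


def dispatch(chain: List[Entry], results: Dict[str, int]) -> int:
    """Evaluate one PAM chain for one login attempt.

    `results` maps module name -> what that module returns this time.
    Modules not listed fail; pam_deny always fails, so it needs no entry.

    Rules modelled (simplified from OpenPAM's dispatcher):
      * PAM_IGNORE from any module: skip it.
      * sufficient succeeds and no required module has failed yet: stop, success.
      * sufficient fails: the failure is ignored, keep going.
      * required fails: remember the failure, keep going.
      * requisite fails: remember the failure, stop.
      * end of chain with no remembered failure: success, even if every
        sufficient module failed. That is the "surprising behaviour"
        /etc/pam.d/README warns about.
    """
    err = PAM_SUCCESS
    fail = False
    for entry in chain:
        r = results.get(entry.module, PAM_AUTH_ERR)
        if r == PAM_IGNORE:
            continue
        if r == PAM_SUCCESS:
            if entry.control == "sufficient" and not fail:
                break  # a sufficient module authenticated the user
            continue
        # The module failed.
        if entry.control in ("required", "requisite") and not fail:
            fail = True
            err = r  # first required/requisite failure decides the result
        if entry.control == "requisite":
            fail = True
            break
    return err if fail else PAM_SUCCESS


# The su auth line from the quoted report: pam_ldap alone, marked sufficient.
SU_LDAP_SUFFICIENT_ONLY = [Entry("sufficient", "/usr/local/lib/pam_ldap.so")]

# Same single module, but "required", as suggested for a last entry.
SU_LDAP_REQUIRED = [Entry("required", "/usr/local/lib/pam_ldap.so")]

# Providers at sufficient, pam_deny required at the end of the chain.
SU_PROVIDERS_THEN_DENY = [
    Entry("sufficient", "pam_krb5.so"),
    Entry("sufficient", "pam_ldap.so"),
    Entry("sufficient", "pam_unix.so"),
    Entry("required", "pam_deny.so"),
]


def bad_password() -> Dict[str, int]:
    """Constructed attempt: every provider rejects the password."""
    return {
        "/usr/local/lib/pam_ldap.so": PAM_AUTH_ERR,
        "pam_krb5.so": PAM_AUTH_ERR,
        "pam_ldap.so": PAM_AUTH_ERR,
        "pam_unix.so": PAM_AUTH_ERR,
    }


def providers_skip_unix_accepts() -> Dict[str, int]:
    """Constructed attempt: krb5 and ldap ask to be skipped, pam_unix accepts."""
    return {"pam_krb5.so": PAM_IGNORE, "pam_ldap.so": PAM_IGNORE, "pam_unix.so": PAM_SUCCESS}


if __name__ == "__main__":
    chains = [
        ("ldap sufficient only", SU_LDAP_SUFFICIENT_ONLY),
        ("ldap required", SU_LDAP_REQUIRED),
        ("providers then pam_deny", SU_PROVIDERS_THEN_DENY),
    ]
    for name, chain in chains:
        verdict = "SUCCESS" if dispatch(chain, bad_password()) == PAM_SUCCESS else "denied"
        print(f"{name:28s} bad password -> {verdict}")
```

Run as a script, the first chain reports SUCCESS on a rejected password, which is the su-without-a-password symptom from the report; the other two deny it, and the third still accepts a login once any one provider succeeds, so the trailing pam_deny costs nothing on the success path.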

Received on Thu May 22 2003 - 13:48:52 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:09 UTC