Re: 5.1 beta2 still in trouble with pam_ldap

From: Dag-Erling Smorgrav <des_at_ofug.org>
Date: Fri, 23 May 2003 16:33:09 +0200

Ruslan Ermilov <ru_at_freebsd.org> writes:
> In a chain with multiple "binding" modules, only the _last_
> failure gets ignored?  Meaning, if some other module succeeds,
> override the failure status, right?

Failure of a "binding" module causes the entire chain to fail once it
has completed.  The error returned is that returned by the first
non-"optional", non-"sufficient" module that failed.

Failure of a "sufficient" module, on the other hand, is always ignored
(so if no other non-"optional", non-"sufficient" module failed, the
chain will succeed).  This is what constantly surprises users, and
what "binding" was introduced to alleviate.

See the PAM article for details - particularly the following two
sections:

http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html#PAM-CHAINS-POLICIES
http://www.freebsd.org/doc/en/articles/pam/pam-config.html#PAM-POLICIES

DES
-- 
Dag-Erling Smorgrav - des_at_ofug.org
Received on Fri May 23 2003 - 05:33:13 UTC
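
Added example (not part of the original message and not OpenPAM source): a simplified C model of the chain rules described in the message above, comparing pam_ldap as "sufficient" and as "binding". The early exit on success and the "requisite" rule follow the FreeBSD PAM article's description of control flags; the module results and the error codes 7 and 9 are constructed, and the case where no module succeeds at all is not modelled.

```c
#include <stdio.h>

/* Simplified model of one PAM chain (added example, not OpenPAM source). */
enum flag { REQUIRED, REQUISITE, SUFFICIENT, BINDING, OPTIONAL };
enum { OK = 0 };  /* any nonzero result stands in for a PAM error code */
struct entry { enum flag flag; const char *module; int result; };

/* Returns OK if the chain grants the request, else the error it reports. */
int run_chain(const struct entry *c, int n)
{
    int fail = 0, err = OK;
    for (int i = 0; i < n; i++) {
        if (c[i].result == OK) {
            /* "sufficient"/"binding" success ends the chain early,
             * but only if no earlier module has failed */
            if ((c[i].flag == SUFFICIENT || c[i].flag == BINDING) && !fail)
                break;
            continue;
        }
        if (c[i].flag == SUFFICIENT || c[i].flag == OPTIONAL)
            continue;               /* failure is ignored */
        if (!fail) {                /* first failure that counts sets the error */
            fail = 1;
            err = c[i].result;
        }
        if (c[i].flag == REQUISITE)
            break;                  /* requisite failure stops the chain at once */
    }
    return fail ? err : OK;
}

/* Constructed module results; 7 and 9 are placeholder error codes. */
static const struct entry ldap_sufficient[] = {
    { SUFFICIENT, "pam_ldap", 7 }, { REQUIRED, "pam_unix", OK } };
static const struct entry ldap_binding[] = {
    { BINDING, "pam_ldap", 7 }, { REQUIRED, "pam_unix", OK } };
static const struct entry two_binding[] = {
    { BINDING, "pam_ldap", 7 }, { BINDING, "pam_krb5", OK },
    { REQUIRED, "pam_unix", 9 } };

int main(void)
{
    printf("sufficient ldap fails, unix ok: %d\n", run_chain(ldap_sufficient, 2));
    printf("binding ldap fails, unix ok:    %d\n", run_chain(ldap_binding, 2));
    printf("binding fails, binding ok:      %d\n", run_chain(two_binding, 3));
    return 0;
}
```

The third chain is the case asked about in the quoted question: a later "binding" success does not override the earlier "binding" failure, and the chain reports the first failure's error.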
