Ruslan Ermilov <ru_at_freebsd.org> writes: > In a chain with mutiple "binding" modules, only the _last_ > failure gets ignored? Meaning, if some other module succeeds, > override the failure status, right? Failure of a "binding" module causes the entire chain to fail once it has completed. The error returned is that returned by the first non-"optional", non-"sufficient" module that failed. Failure of a "sufficient" module, on the other hand, is always ignored (so if no other non-"optional", non-"sufficient" module failed, the chain will succeed). This is what constantly surprises users, and what "binding" was introduced to alleviate. See the PAM article for details - particularly the following two sections: http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html#PAM-CHAINS-POLICIES http://www.freebsd.org/doc/en/articles/pam/pam-config.html#PAM-POLICIES DES -- Dag-Erling Smorgrav - des_at_ofug.orgReceived on Fri May 23 2003 - 05:33:13 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:09 UTC