Re: ldap.conf: 'pam_groupdn' being completely ignored?

On Wed, Jan 07, 2004 at 10:40:46AM -0500, Brian K. Jones wrote:
> And here's my /etc/pam.d/system-auth (used by sshd, which is my primary
> testing application)
[snip]
> account     sufficient    /lib/security/$ISA/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore
> service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
[snip]

The groupdn check is performed as part of the account management checks
implemented by pam_ldap.  You've got pam_unix listed as "sufficient"
before pam_ldap, so libpam calls into pam_unix first when the
application (sshd) calls it to perform account management.

The pam_unix module's account management function verifies that the
user's password hasn't expired, and then returns a success code to
libpam.  libpam stops there because a success in a "sufficient" module
is enough.  The pam_ldap module isn't consulted.

HTH,

Nalin
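
Added example, not part of the original message or of Linux-PAM: a simplified Python model of how libpam walks the account stack, run over the two account lines quoted above, showing that pam_ldap is never called once pam_unix succeeds as "sufficient". The keyword-to-bracket table follows pam.conf(5); the `perm_denied` result for a user outside `pam_groupdn`, the "required" variant used for contrast, and the omission of jump and reset actions are assumptions of this sketch.

```python
import re

# Keyword controls and their bracket equivalents, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

# Constructed sample: the two account lines quoted in the thread, re-joined.
QUOTED = """
account     sufficient    /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""
# Assumption: pam_ldap answers perm_denied for a user outside pam_groupdn.
OUTSIDER = {"pam_unix.so": "success", "pam_ldap.so": "perm_denied"}

def parse(text, mtype="account"):
    """Return [(module, {return_value: action})] for one management type."""
    stack = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1) == mtype:
            ctl = m.group(2)
            rules = (dict(p.split("=") for p in ctl[1:-1].split())
                     if ctl.startswith("[") else KEYWORDS[ctl])
            stack.append((m.group(3).rsplit("/", 1)[-1], rules))
    return stack

def run(stack, returns):
    """Walk the stack; return (granted, modules actually called)."""
    verdict, called = None, []            # None = no module has decided yet
    for name, rules in stack:
        called.append(name)
        # Sketch assumption: a bracket without default= is treated as "bad".
        action = rules.get(returns[name], rules.get("default", "bad"))
        if action in ("ok", "done"):
            verdict = True if verdict is None else verdict
            if verdict and action == "done":
                break                     # sufficient + success: stack ends here
        elif action in ("bad", "die"):
            verdict = False
            if action == "die":
                break
    return bool(verdict), called

if __name__ == "__main__":
    print("as posted:", run(parse(QUOTED), OUTSIDER))
    print("pam_unix as required:", run(parse(QUOTED.replace("sufficient", "required ", 1)), OUTSIDER))
```

With the lines as posted the model grants access after calling only pam_unix.so; with pam_unix as "required" both modules run and the pam_ldap result decides.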



