The problem isn't quite fixed yet, but I'm getting much, much more predictable output.
If you happen to know off the top of your head what 'err=5' is in openldap for a CMP operation, lemme know. Otherwise, I'll find it by running slapd with '-d 128' or something.
Thanks again. I'll report back the final Summary. brian.
Nalin Dahyabhai wrote:
On Wed, Jan 07, 2004 at 10:40:46AM -0500, Brian K. Jones wrote:
And here's my /etc/pam.d/system-auth (used by sshd, which is my primary testing application)
[snip]
account sufficient /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
[snip]
The groupdn check is performed as part of the account management checks implemented by pam_ldap. You've got pam_unix listed as "sufficient" before pam_ldap, so libpam calls into pam_unix first when the application (sshd) calls it to perform account management.
The pam_unix module's account management function verifies that the user's password hasn't expired, and then returns a success code to libpam. libpam stops there because a success in a "sufficient" module is enough. The pam_ldap module isn't consulted.
HTH,
Nalin
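To make the stacking behaviour Nalin describes concrete, here is an added example (written for this page, not code from the thread, from Linux-PAM or from pam_ldap): a small simulator of libpam's account-stack evaluation using the control-flag semantics from pam.conf(5). It reproduces the two lines from the posted system-auth, then evaluates them for a constructed LDAP user whose groupdn check would fail. The "required" variant is an assumption for contrast, not a fix the thread itself proposes; the module return values and the scenario functions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# PAM return values used by the simulation (constructed string tags, not the C constants).
PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"          # assumed: what pam_ldap returns when its groupdn check fails
PAM_USER_UNKNOWN = "user_unknown"
PAM_PERM_DENIED = "perm_denied"

# Simple control keywords expressed as the bracketed action maps pam.conf(5) equates them to.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

@dataclass
class Entry:
    mtype: str              # management group: "account", "auth", ...
    actions: Dict[str, str] # return value -> action (ok, done, bad, die, ignore, N, reset)
    module: str             # basename, e.g. "pam_ldap.so"

def parse_stack(text: str, mtype: str = "account") -> List[Entry]:
    """Parse pam.d-style lines for one management group; other groups are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        typ, rest = line.split(None, 1)
        if typ != mtype:
            continue
        rest = rest.strip()
        if rest.startswith("["):                       # bracketed [value=action ...] form
            end = rest.index("]")
            actions = dict(tok.split("=", 1) for tok in rest[1:end].split())
            module_path = rest[end + 1:].split()[0]
        else:                                          # simple keyword form
            keyword, module_path = rest.split(None, 1)
            module_path = module_path.split()[0]
            actions = SIMPLE_CONTROLS[keyword]
        entries.append(Entry(typ, actions, module_path.rsplit("/", 1)[-1]))
    return entries

def evaluate(entries: List[Entry], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the stack as libpam does. `results` maps module name -> status it would return.
    Returns (final status, list of modules that were actually consulted)."""
    state = None        # status recorded by an ok/done action
    failed = False      # True once a bad/die action has fixed the stack's failure value
    consulted = []
    i = 0
    while i < len(entries):
        e = entries[i]
        i += 1
        status = results[e.module]
        consulted.append(e.module)
        action = e.actions.get(status, e.actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if not failed:                  # the first failure decides the stack's return value
                state, failed = status, True
            if action == "die":
                break
        elif action in ("ok", "done"):
            if not failed:                  # an earlier failure is never overridden by success
                state = status
            if action == "done":            # this is what "sufficient" + success does
                break
        elif action.isdigit():              # N: like ok, then skip the next N entries
            if not failed:
                state = status
            i += int(action)
        elif action == "reset":
            state, failed = None, False
    # No module contributed (e.g. every entry was ignored): treated as denial, as Linux-PAM does.
    return (state if state is not None else PAM_PERM_DENIED), consulted

# The account stack from the thread (pam_unix listed as "sufficient" ahead of pam_ldap).
STACK_AS_POSTED = """
account sufficient /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""

# Assumed alternative for comparison (not from the thread): pam_unix "required", so the stack continues.
STACK_REQUIRED = STACK_AS_POSTED.replace("sufficient", "required")

def ldap_user_outside_groupdn(stack_text: str) -> Tuple[str, List[str]]:
    """Constructed scenario: password not expired for pam_unix, but pam_ldap's groupdn check fails."""
    return evaluate(parse_stack(stack_text),
                    {"pam_unix.so": PAM_SUCCESS, "pam_ldap.so": PAM_AUTH_ERR})

def local_only_user(stack_text: str) -> Tuple[str, List[str]]:
    """Constructed scenario: account exists only in /etc/passwd, so pam_ldap reports user_unknown."""
    return evaluate(parse_stack(stack_text),
                    {"pam_unix.so": PAM_SUCCESS, "pam_ldap.so": PAM_USER_UNKNOWN})

if __name__ == "__main__":
    for name, stack in (("as posted", STACK_AS_POSTED), ("pam_unix required", STACK_REQUIRED)):
        print(name, "->", ldap_user_outside_groupdn(stack))
```

With the stack as posted, pam_unix's success triggers the "done" action, so the result is success and pam_ldap never appears in the consulted list, which is exactly the behaviour Nalin describes. With pam_unix as "required", the stack continues into pam_ldap, its failure is recorded as the stack's result, and the `user_unknown=ignore` action still lets a local-only account through.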