Subject: libpam-ldap: incorrect pam-auth-update configuration
Package: libpam-ldap
Version: 184-8.4
Severity: normal
Tags: patch

Attached is a patch that updates the pam-auth-update configuration to always perform authorisation checks for LDAP users. I found this while working on nss-pam-ldapd which uses a pam-auth-update configuration based on libpam-ldap. Without this, LDAP authorisation checks are only done if pam_unix denies authorisation.

The spec is not very well documented ([1] is the only useful page I found) but I think the patch is correct (at least it behaves more correctly for nss-pam-ldapd). I haven't tested this with libpam-ldap yet.

[1] https://wiki.ubuntu.com/PAMConfigFrameworkSpec

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --

--- debian/libpam-ldap.pam-auth-update.orig 2010-05-27 20:50:56.000000000 +0200 +++ debian/libpam-ldap.pam-auth-update 2010-05-27 20:47:36.000000000 +0200 @@ -6,9 +6,9 @@ [success=end default=ignore] pam_ldap.so Auth: [success=end default=ignore] pam_ldap.so use_first_pass -Account-Type: Primary +Account-Type: Additional Account: - [success=end default=ignore] pam_ldap.so + [success=ok user_unknown=ignore default=bad] pam_ldap.so Password-Type: Primary Password-Initial: [success=end user_unknown=ignore default=die] pam_ldap.so
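
Review bot: in the new Account line, default=bad applies to every pam_ldap result other than success and user_unknown, so results such as new_authtok_reqd (password expired and must be changed) or authinfo_unavail (directory could not be reached) would now fail the account stack outright. Because the block becomes Account-Type: Additional and is therefore evaluated after pam_unix for every login, it is worth deciding explicitly how those results should be treated, for example new_authtok_reqd=done and authinfo_unavail=ignore, rather than leaving them to default=bad. The Auth and Password blocks in the context lines keep their existing controls, and the report states the change was only exercised with nss-pam-ldapd, so the Account line should be tested against libpam-ldap itself with an LDAP user, a local-only user and an unreachable server before it is applied.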

