merge 610888 543483
thanks

Hi there,

On Sun, Jan 23, 2011 at 08:17:03PM +0100, Luca Capello wrote:
> On sid, however, while I was quite happy that I had nothing to touch to
> have LDAP authentication working automatically by default, the
> libpam-ldap's pam_check_host_attr seems to not work at all:
> --8<---------------cut here---------------start------------->8---
> # /etc/pam.d/common-account - authorization settings common to all services
>
> # here are the per-package modules (the "Primary" block)
> account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
> account [success=1 default=ignore]      pam_ldap.so
> # here's the fallback if no module succeeds
> account requisite                       pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> account required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
> --8<---------------cut here---------------end--------------->8---

> I read the PAM documentation, but I still do not understand what is
> wrong with the default configuration.  Could this be related to
> <http://bugs.debian.org/583492>?  I guess so, given that libpam-ldapd's
> pam.d/common-account configuration works as expected, with the big
> difference being that the pam_ldap's profile is Additional and not
> Primary:

I think this is the same as bug #583483; merging.

While I'm still weighing whether to change pam_unix for bug #583492, it is
definitely the case that pam_ldap's authorization checks should be
'Additional' and not 'Primary' because, as seen here, they are intended to
always be applied *in addition* to any authorization checks from other
modules.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
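
Added example, not part of the original message or of Debian's pam-auth-update code: a simplified Python model of PAM control-value handling, run over the quoted common-account stack and over an assumed layout with pam_ldap in the Additional block. The module results and the Additional-block control line are constructed for illustration; the scenario assumes pam_unix returns success for the user while pam_ldap's host check would deny.

```python
# Simplified model of Linux-PAM control handling (ok/done/bad/die/ignore and
# numeric jumps). Module results are constructed inputs, not real PAM output.
REQUIRED = {"success": "ok", "default": "bad"}
REQUISITE = {"success": "ok", "default": "die"}
FIXED = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}

PRIMARY_LDAP = [  # layout quoted in the report: pam_ldap in the Primary block
    ("pam_unix.so", {"success": 2, "new_authtok_reqd": "done", "default": "ignore"}),
    ("pam_ldap.so", {"success": 1, "default": "ignore"}),
    ("pam_deny.so", REQUISITE),
    ("pam_permit.so", REQUIRED),
]
ADDITIONAL_LDAP = [  # assumed layout: pam_ldap moved to the Additional block
    ("pam_unix.so", {"success": 1, "new_authtok_reqd": "done", "default": "ignore"}),
    ("pam_deny.so", REQUISITE),
    ("pam_permit.so", REQUIRED),
    ("pam_ldap.so", {"success": "ok", "user_unknown": "ignore", "default": "bad"}),
]

def evaluate(stack, results):
    """Return (granted, modules_called) for one pass over an account stack."""
    status, called, i = None, [], 0  # status None: no module has set a result yet
    while i < len(stack):
        name, control = stack[i]
        result = FIXED.get(name) or results[name]
        called.append(name)
        action = control.get(result, control["default"])
        i += 1
        if isinstance(action, int):
            i += action  # a jump skips modules and sets no return code
        elif action in ("ok", "done"):
            if status is None:
                status = True  # ok never overrides an earlier failure
            if action == "done":
                break
        elif action in ("bad", "die"):
            status = False
            if action == "die":
                break
    return status is True, called

if __name__ == "__main__":
    denied_by_ldap = {"pam_unix.so": "success", "pam_ldap.so": "perm_denied"}
    for label, stack in (("Primary", PRIMARY_LDAP), ("Additional", ADDITIONAL_LDAP)):
        print(label, evaluate(stack, denied_by_ldap))
```

With pam_ldap in the Primary block, pam_unix's `success=2` jumps straight to pam_permit, so the pam_ldap check is never called; in the Additional position it runs after the jump target and its denial is applied.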