merge 610888 543483
thanks

Hi there,

On Sun, Jan 23, 2011 at 08:17:03PM +0100, Luca Capello wrote:
> On sid, however, while I was quite happy that I had nothing to touch to
> have LDAP authentication working automatically by default, the
> libpam-ldap's pam_check_host_attr seems to not work at all:
> --8<---------------cut here---------------start------------->8---
> # /etc/pam.d/common-account - authorization settings common to all services
> 
> # here are the per-package modules (the "Primary" block)
> account       [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
> account       [success=1 default=ignore]      pam_ldap.so 
> # here's the fallback if no module succeeds
> account       requisite                       pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> account       required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
> --8<---------------cut here---------------end--------------->8---

> I read the PAM documentation, but I still do not understand what is
> wrong with the default configuration.  Could this be related to
> <http://bugs.debian.org/583492>?  I guess so, given that libpam-ldapd's
> pam.d/common-account configuration works as expected, with the big
> difference being that the pam_ldap's profile is Additional and not
> Primary:

I think this is the same as bug #583483; merging.

While I'm still weighing whether to change pam_unix for bug #583492, it is
definitely the case that pam_ldap's authorization checks should be
'Additional' and not 'Primary' because, as seen here, they are intended to
always be applied *in addition* to any authorization checks from other
modules.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
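
Added illustration (not code from this thread or from either package): a Python sketch that models how the jump actions in the quoted common-account stack are evaluated, showing that pam_ldap is never consulted once pam_unix succeeds. The `ADDITIONAL` stack, the return codes in `RESULTS` and the simplified control model are assumptions made for the example.

```python
# Toy model of Linux-PAM control evaluation (jump/ignore/ok/done/bad/die); not libpam.
SIMPLE = {"required": {"success": "ok", "default": "bad"},     # abbreviated
          "requisite": {"success": "ok", "default": "die"}}
# Active lines of the common-account stack quoted in the report ("Primary").
PRIMARY = """\
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so"""
# Assumption: a plain 'required' line stands in for an "Additional" entry.
ADDITIONAL = """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_ldap.so"""
# Constructed return codes: pam_unix accepts, pam_ldap's host check refuses.
RESULTS = {"pam_unix.so": "success", "pam_ldap.so": "perm_denied",
           "pam_deny.so": "perm_denied", "pam_permit.so": "success"}

def parse(stack):
    entries = []
    for line in stack.splitlines():
        if "[" in line:                      # [value=action ...] syntax
            inner, rest = line[line.index("[") + 1:].split("]", 1)
            control = dict(kv.split("=") for kv in inner.split())
        else:                                # simple keyword
            _, keyword, rest = line.split(None, 2)
            control = SIMPLE[keyword]
        entries.append((control, rest.split()[0]))
    return entries

def run(stack, results):  # -> (granted, modules_called)
    entries, called, verdict, i = parse(stack), [], None, 0
    while i < len(entries):
        control, module = entries[i]
        called.append(module)
        action = control.get(results[module], control["default"])
        i += 1
        if action.isdigit():
            i += int(action)                 # jump: skip N modules, verdict untouched
        elif action in ("ok", "done") and verdict is not False:
            verdict = results[module] == "success"
        elif action in ("bad", "die"):
            verdict = False
        if action in ("done", "die"):
            break
    return verdict is True, called

for name, stack in (("Primary", PRIMARY), ("Additional", ADDITIONAL)):
    print(name, run(stack, RESULTS))
```

With the Primary layout the list of called modules omits pam_ldap.so, so its refusal never reaches the verdict; with the stand-in Additional line it is always evaluated.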
