> 
> pam.d/sshd
> 
> auth            sufficient      pam_opie.so                 no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so           no_warn allow_local
> auth            sufficient      /usr/local/lib/pam_ldap.so  no_warn use_first_pass
> auth            sufficient      pam_unix.so                 no_warn try_first_pass
> 
> account         required        pam_nologin.so
> account         required        pam_login_access.so
> account         optional        pam_unix.so
> account         optional        /usr/local/lib/pam_ldap.so
> 
> session         required        pam_permit.so
> session         optional        /usr/local/lib/pam_ldap.so
> 
> password        sufficient      /usr/local/lib/pam_ldap.so  no_warn use_authtok use_first_pass
> password        sufficient      pam_unix.so                 no_warn try_first_pass

This is more of a PAM config problem than OpenLDAP related... but your account 
section probably needs either ldap or unix to be required/sufficient rather 
than optional. As it is now it will check that there is no nologin file, and 
then check through your PAM login.access file; it will check that the user 
exists in passwd or ldap but won't fail if it isn't, just that it meets the criteria 
set in the access file, which might be set up to allow anything in. Also, your 
auth section is set up such that if opie succeeds, you are auth'd; it won't 
bother to check ldap or unix because if it fails, it will return failure 
immediately (that's what requisite does). I'd be careful with the use of 
"optional" in the PAM config, especially around the auth and account sections. I 
would reserve its use for session (if anywhere), as it's more of a "try it, if 
it works OK, if not, so what" rule, good for homedir creation or displaying 
the motd (so if it fails, you still get in, since it's not critical you see the motd or 
have a homedir, but nice if it does work).

-T
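To make the stacking argument in the reply concrete, here is a small evaluator of the pam.d control flags run over the posted stack and over a corrected account section. It is an added example for this thread, not code from the original mail, FreeBSD, or pam_ldap: the "modules" are stand-ins that only model what is needed to show how required/requisite/sufficient/optional combine, the user databases are constructed, and the corrected section (pam_ldap sufficient first, pam_unix required last) is my assumption of the usual fix rather than something the reply spells out. The dispatch rules follow the pam.conf(5) description of the four flags.

```python
"""Toy pam.d control-flag evaluator (added example; not a PAM implementation).
Runs the posted sshd stack and a corrected account section over constructed
users so the effect of 'optional' vs 'required'/'sufficient' is visible.
"""

# Constructed account databases standing in for /etc/passwd and the LDAP tree.
UNIX_USERS = {"alice": "alice-pw"}
LDAP_USERS = {"bob": "bob-pw"}
NOLOGIN_FILE_PRESENT = False     # pam_nologin: no /var/run/nologin
LOGIN_ACCESS_ALLOWS_ALL = True   # pam_login_access: a permissive login.access

# Simulated modules: True stands for PAM_SUCCESS, False for any failure.
def pam_nologin(phase, user, creds): return not NOLOGIN_FILE_PRESENT
def pam_login_access(phase, user, creds): return LOGIN_ACCESS_ALLOWS_ALL
def pam_permit(phase, user, creds): return True
def pam_opie(phase, user, creds): return creds.get("otp_ok", False)  # valid OTP given
def pam_opieaccess(phase, user, creds): return True  # assumption: allow_local, nothing to enforce

def pam_unix(phase, user, creds):
    if phase == "auth":
        return UNIX_USERS.get(user) == creds.get("password")
    return user in UNIX_USERS          # account phase: unknown users fail

def pam_ldap(phase, user, creds):
    if phase == "auth":
        return LDAP_USERS.get(user) == creds.get("password")
    return user in LDAP_USERS

MODULES = {"pam_nologin.so": pam_nologin, "pam_login_access.so": pam_login_access,
           "pam_permit.so": pam_permit, "pam_opie.so": pam_opie,
           "pam_opieaccess.so": pam_opieaccess, "pam_unix.so": pam_unix,
           "/usr/local/lib/pam_ldap.so": pam_ldap}

POSTED = """
auth     sufficient  pam_opie.so                 no_warn no_fake_prompts
auth     requisite   pam_opieaccess.so           no_warn allow_local
auth     sufficient  /usr/local/lib/pam_ldap.so  no_warn use_first_pass
auth     sufficient  pam_unix.so                 no_warn try_first_pass
account  required    pam_nologin.so
account  required    pam_login_access.so
account  optional    pam_unix.so
account  optional    /usr/local/lib/pam_ldap.so
"""

# Assumed fix: LDAP users stop the stack early via 'sufficient'; everyone
# else must satisfy the final 'required' pam_unix, so unknown users fail.
CORRECTED = """
account  required    pam_nologin.so
account  required    pam_login_access.so
account  sufficient  /usr/local/lib/pam_ldap.so
account  required    pam_unix.so
"""

def parse_stack(text, phase):
    """Return [(control, module, args)] for one phase of a pam.d service file."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0] != phase:
            continue
        stack.append((parts[1], parts[2], parts[3:]))
    return stack

def run_stack(stack, phase, user, creds):
    """Walk one stack under the control-flag rules; return (success, trace)."""
    required_failed = False   # a required/requisite module failed
    any_success = False       # some module contributed a success
    trace = []
    for control, module, _args in stack:
        ok = MODULES[module](phase, user, creds)
        trace.append(f"{control:10} {module:28} {'ok' if ok else 'FAIL'}")
        if control == "requisite":
            if not ok:
                trace.append("requisite failed: stack aborted")
                return False, trace
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True   # keep walking; failure reported at the end
        elif control == "sufficient":
            if ok and not required_failed:
                trace.append("sufficient succeeded: stack stops here")
                return True, trace       # a failing sufficient is simply ignored
        elif control == "optional":
            if ok:
                any_success = True       # only decides the result if nothing else does
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (not required_failed) and any_success, trace

def check(config, phase, user, creds):
    """Convenience wrapper: just the pass/fail verdict for one phase."""
    return run_stack(parse_stack(config, phase), phase, user, creds)[0]

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):   # mallory is in neither database
        print(f"{user:8} posted account: {check(POSTED, 'account', user, {})}  "
              f"corrected account: {check(CORRECTED, 'account', user, {})}")
    print("\n".join(run_stack(parse_stack(POSTED, "auth"), "auth", "alice", {"otp_ok": True})[1]))
```

Running it shows "mallory", a user known to neither passwd nor LDAP, passing the posted account phase because both identity modules are optional and the two required modules succeeded, while the corrected section rejects her; the auth trace shows the stack stopping at pam_opie once the one-time password is accepted, so pam_ldap and pam_unix are never consulted.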
