> This is more of a pam config problem than openldap related... but your account section probably needs either ldap or unix to be required/sufficient rather than optional. As it is now it will check that there is no nologin file, and then check through your pam login.access file; it will check that the user exists in passwd or ldap but won't fail if it isn't, just that it meets criteria set in the access file, which might be set up to allow anything in.
>
> Also, your auth section is set up such that if opie succeeds, you are auth'd; it won't bother to check ldap or unix because if it fails, it will return failure immediately (that's what requisite does). I'd be careful with the use of "optional" in pam config, especially around the auth and account sections. I would reserve its use for session (if anywhere), as it's more of a "try it, if it works OK, if not, so what" rule, good for homedir creation or displaying motd (so if it fails, you still get in, since it's not critical you see motd or have a homedir, but nice if it does work).
>
> -T
Thank you for this, I will definitely take your advice and go over pam more thoroughly, as it was one of my weaker areas of understanding. Your help is appreciated.

William
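The control-flag behaviour the reply describes (required vs. requisite vs. sufficient vs. optional) is easy to get wrong by reading the config alone, so here is a toy evaluator that runs the four flags over constructed stacks: the weak account stack with ldap/unix as optional, a corrected one, an auth stack with a requisite OPIE entry, and a session stack where optional is harmless. This is an added example, not code from the thread or from Linux-PAM; the pam_* functions are stand-ins with invented user data, and the evaluation rules are a simplified model of Linux-PAM's dispatch.

```python
"""Toy model of how Linux-PAM evaluates a stack under the four control flags.

Added example, not code from the thread. The pam_* functions below are
constructed stand-ins for pam_nologin, pam_access, pam_unix, pam_ldap,
pam_opie and pam_mkhomedir, and the user data is invented.
"""
from typing import Callable, List, Tuple

# One stack entry: (control flag, module name, check returning True on success)
Entry = Tuple[str, str, Callable[[str], bool]]


def run_stack(stack: List[Entry], user: str) -> Tuple[bool, List[str]]:
    """Return (overall result, names of the modules that actually ran).

    Simplified Linux-PAM rules:
      required   - failure is remembered, the rest of the stack still runs,
                   final result is failure
      requisite  - failure returns failure immediately (later modules never run)
      sufficient - success ends the stack with success unless a required module
                   already failed; failure is ignored
      optional   - result only matters if no required/requisite/sufficient
                   entry exists in the stack
    """
    required_failed = False
    decisive = any(flag != "optional" for flag, _, _ in stack)
    optional_ok = True
    called: List[str] = []
    for flag, name, check in stack:
        called.append(name)
        ok = check(user)
        if flag == "required":
            required_failed = required_failed or not ok
        elif flag == "requisite":
            if not ok:
                return False, called
        elif flag == "sufficient":
            if ok and not required_failed:
                return True, called
        elif flag == "optional":
            optional_ok = optional_ok and ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return ((not required_failed) if decisive else optional_ok), called


# Constructed data standing in for /etc/passwd, the LDAP directory, the OTP
# database and /etc/security/access.conf (assumptions, not real systems).
LOCAL_USERS = {"root", "william"}
LDAP_USERS = {"alice"}
OTP_USERS = {"alice"}
NOLOGIN_FILE_PRESENT = False


def pam_nologin(user: str) -> bool:
    return user == "root" or not NOLOGIN_FILE_PRESENT


def pam_access(user: str) -> bool:
    return True          # an access.conf that lets everyone in


def pam_unix(user: str) -> bool:
    return user in LOCAL_USERS


def pam_ldap(user: str) -> bool:
    return user in LDAP_USERS


def pam_opie(user: str) -> bool:
    return user in OTP_USERS


def pam_mkhomedir(user: str) -> bool:
    return False         # pretend home directory creation failed


# account: ldap and unix marked optional, as in the config the thread discusses.
# An unknown user passes because nothing in the stack requires them to exist.
WEAK_ACCOUNT: List[Entry] = [
    ("required", "pam_nologin", pam_nologin),
    ("required", "pam_access", pam_access),
    ("optional", "pam_ldap", pam_ldap),
    ("optional", "pam_unix", pam_unix),
]

# account: the user must be known to LDAP (sufficient) or to /etc/passwd (required).
FIXED_ACCOUNT: List[Entry] = [
    ("required", "pam_nologin", pam_nologin),
    ("required", "pam_access", pam_access),
    ("sufficient", "pam_ldap", pam_ldap),
    ("required", "pam_unix", pam_unix),
]

# auth: a requisite OPIE entry short-circuits the stack on failure,
# so pam_unix never gets a chance to run for a user without an OTP.
AUTH_OPIE_FIRST: List[Entry] = [
    ("requisite", "pam_opie", pam_opie),
    ("required", "pam_unix", pam_unix),
]

# session: optional is harmless here; a failed mkhomedir does not block login.
SESSION: List[Entry] = [
    ("required", "pam_unix", pam_unix),
    ("optional", "pam_mkhomedir", pam_mkhomedir),
]

if __name__ == "__main__":
    for label, stack, user in [
        ("weak account, unknown user", WEAK_ACCOUNT, "nosuchuser"),
        ("fixed account, unknown user", FIXED_ACCOUNT, "nosuchuser"),
        ("fixed account, ldap user", FIXED_ACCOUNT, "alice"),
        ("auth, no OTP for local user", AUTH_OPIE_FIRST, "william"),
        ("session, mkhomedir fails", SESSION, "william"),
    ]:
        print(f"{label:32} -> {run_stack(stack, user)}")
```

The `called` list is the useful part: it shows the weak account stack letting "nosuchuser" through after all four modules ran, the requisite OPIE entry stopping the auth stack before pam_unix is consulted, and the optional mkhomedir failure being ignored in session while the same flag on pam_ldap/pam_unix in account makes the existence check meaningless.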
