Please keep replies on the list.
On Thu, 17 Jun 2010, Indexer wrote:
On 17/06/2010, at 10:34 PM, Aaron Richton wrote:
On Thu, 17 Jun 2010, Indexer wrote:
membership logins a notice appears that says "You must be a memberUid
of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the
user is still able to continue and login, and it is not enforcing the
group
[...]
account optional /usr/local/lib/pam_ldap.so
Of course they're able to continue; that check is optional in a stack
that contains other results. See pam.conf(5) man page.
Yes, I have been told that this is the case, and I'm not too concerned
about it right now. What concerns me more, is that Groups aren't being
enforced the way I would like them to be. Has anyone got a working
configuration or hints? Google was not especially helpful, as it's a hard
problem to "quantify".
I'm totally confused. If you're not "concerned about it right now" why is
it your original question, as well as causing "me more" concern in the
next sentence?
My hint remains that the check you want to enforce without option has been
configured as optional. Read the whole pam.conf(5) man page, then reread
the section regarding alternatives to "optional," and determine what you
need to configure to enforce the behavior you want.
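
Added example, not part of the original thread: a simplified Python model of how an account stack combines module results, showing why the quoted "optional" pam_ldap line cannot block a login and what changes when the same line is marked "required". It models only the required, requisite and optional flags; pam_example_local.so is a hypothetical stand-in for the stack entries elided in the thread, and the module results are constructed.

```python
LDAP = "/usr/local/lib/pam_ldap.so"   # module path quoted in the thread
LOCAL = "pam_example_local.so"        # hypothetical stand-in for the elided entries

# Constructed configs in the "type flag path" layout of the quoted line.
AS_POSTED = f"""
account required {LOCAL}
account optional {LDAP}
"""
ENFORCED = AS_POSTED.replace(f"optional {LDAP}", f"required {LDAP}")


def parse(text, facility="account"):
    """Return [(control_flag, module_path)] for one facility, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, results):
    """results maps module_path -> True (success) or False (failure)."""
    required_failed = False
    counted = False        # has any non-optional module contributed a result?
    optional_ok = True
    for flag, module in stack:
        ok = results[module]
        if flag == "required":
            counted = True
            required_failed = required_failed or not ok   # keep going, deny at end
        elif flag == "requisite":
            if not ok:
                return False                              # chain stops, denied
            counted = True
        elif flag == "optional":
            optional_ok = optional_ok and ok              # remembered, rarely used
        else:
            raise ValueError(f"control flag not modelled: {flag}")
    # An optional result only matters when nothing else in the stack counted.
    return (not required_failed) if counted else optional_ok


def login_allowed(config, in_group):
    # Constructed results: the local check passes; pam_ldap fails for non-members.
    return evaluate(parse(config), {LOCAL: True, LDAP: in_group})


if __name__ == "__main__":
    print("as posted, non-member:", login_allowed(AS_POSTED, in_group=False))
    print("enforced,  non-member:", login_allowed(ENFORCED, in_group=False))
    print("enforced,  member:    ", login_allowed(ENFORCED, in_group=True))
```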