Paul, Thanks for your reply. Finally it works for me:)

2017-01-08 12:00 GMT+08:00 Paul B. Henson <[email protected]>:

> On Sat, Jan 07, 2017 at 11:53:27AM +0800, Frank Yu wrote:
>
> > # grep pam_listfile.so system-auth -A2
> > auth required pam_listfile.so \
> > onerr=fail item=group sense=allow file=/etc/login.group.allowed
>
> Without your complete pam configuration there's really no way to tell
> what's going on. For example, what if you have a module configured as
> sufficient listed above this line? pam_listfile would never even be
> consulted.
>
> All I can really say is that I use pam_listfile as so:
>
> auth requisite pam_listfile.so item=group sense=allow file=/etc/security/authorized_groups.conf onerr=fail
>
> and it works fine for me, with groups pulled out of LDAP, the way I have it
> integrated into the rest of my pam configuration. That, and you'd
> probably be better off taking this inquiry to the pam mailing list as
> your issue is most likely with pam configuration, not ldap, assuming a
> "getent group <groupname>" returns the group from ldap you're working
> with.

--
Regards
Frank Yu
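
Added example, not part of the thread or of either poster's configuration: a short Python check for the ordering problem Paul describes, where a `sufficient` (or `[success=...]`) line above `pam_listfile` lets the stack finish before the group check is consulted. The sample stack and the function names are constructed for illustration.

```python
import re

# Constructed sample stack (not from the thread): a "sufficient" pam_unix
# line sits above the pam_listfile group check quoted in the message.
SAMPLE_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_listfile.so \\
    onerr=fail item=group sense=allow file=/etc/login.group.allowed
auth required pam_deny.so
account required pam_unix.so
"""

ENTRY = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_stack(text):
    """Return (type, control, module, args) tuples from pam.d-style text."""
    joined = re.sub(r"\\\n\s*", " ", text)      # join backslash continuations
    entries = []
    for line in joined.splitlines():
        m = ENTRY.match(line.split("#", 1)[0].strip())
        if m:
            entries.append((m.group(1).lstrip("-"), m.group(2),
                            m.group(3), m.group(4).split()))
    return entries

def can_skip(control, distance):
    """True if this control's success path skips a module `distance` lines on."""
    if control == "sufficient":
        return True
    m = re.search(r"success=(\w+)", control)
    # success=done ends the stack; success=N jumps over the next N modules
    return bool(m) and (m.group(1) == "done" or
                        (m.group(1).isdigit() and int(m.group(1)) >= distance))

def bypassed_listfile(text, pam_type="auth"):
    """List (bypassing_module, listfile_args) pairs for one management type.
    include/substack lines are not followed (a limit of this sketch)."""
    stack = [e for e in parse_stack(text) if e[0] == pam_type]
    findings = []
    for i, (_, _, module, args) in enumerate(stack):
        if not module.endswith("pam_listfile.so"):
            continue
        for j, (_, control, earlier, _) in enumerate(stack[:i]):
            if can_skip(control, i - j):
                findings.append((earlier, " ".join(args)))
                break
    return findings
```

Passing the contents of a file such as `system-auth` to `bypassed_listfile` returns one pair per `pam_listfile` line that an earlier module can short-circuit; an empty list means the group check is always reached within that file.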
