On Mon, 2006-05-08 at 16:02 +1000, Alexander Samad wrote:
> my common-auth looks like
> auth [success=1 default=ignore] pam_unix.so nullok_secure
> auth required pam_ldap.so ignore_unknown_user use_first_pass
> auth required pam_permit.so

I doubt you want to use the permit module as it always succeeds.

> when I modify my common-auth to look like this
>
> #auth [success=1 default=ignore] pam_unix.so nullok_secure
> auth required pam_ldap.so ignore_unknown_user use_first_pass
> auth required pam_permit.so

This link describes the various modules (I know, when you're having trouble it barely seems to cover much at all!):
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html

I don't know whether the parameters "[success=1 default=ignore]" are valid. Look at /var/log/auth.log for pam logging.

> Q1) if pam_ldap.so fails because of the host command why does it still
> allow me in even though there is a pam_permit afterwards, shouldn't the
> required part fail the whole lookup

Check out the documentation at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html#ss4.1

What you are thinking of is "requisite" so that a failure returns to the app immediately. Required is used where you require multiple modules to be successful to allow the authentication to succeed.

> Q2) why when I uncomment the first line does it not use the pam_filter
> defined in pam_ldap.conf, my presumption is that pam_unix uses glibc and
> thus nsswitch - is this the catch, it accesses the ldap via glibc
> because of my nsswitch setup above ?

No idea!

-- 
Simon Wong <[EMAIL PROTECTED]>

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
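The control flags discussed in this thread (required vs. requisite, the `[success=1 default=ignore]` jump, and a trailing pam_permit) can be compared with a small model of stack evaluation. This is an added example, not Linux-PAM code or either poster's; it assumes the documented control semantics, that pam_permit.so always succeeds, and that pam_ldap.so with ignore_unknown_user returns an "ignore" result for a user absent from LDAP.

```python
# Added example (not Linux-PAM code, nor either poster's): a model of how an
# auth stack is evaluated, so the control flags in the thread can be compared.
# Module outcomes are supplied per scenario so it runs offline. Assumed
# (documented) semantics: required remembers a failure but keeps going;
# requisite returns to the application at once; [success=N default=ignore]
# skips N modules on success and contributes nothing otherwise; pam_permit.so
# always succeeds; pam_ldap.so with ignore_unknown_user is assumed to return
# "ignore" for a user absent from LDAP.
SUCCESS, IGNORE, FAIL = "success", "ignore", "fail"


def evaluate(stack, outcomes):
    """Return (authenticated, modules_run) for a list of (control, module)."""
    succeeded = failed = False
    ran, i = [], 0
    while i < len(stack):
        control, module = stack[i]
        result = SUCCESS if module == "pam_permit.so" else outcomes[module]
        ran.append(module)
        if result == SUCCESS:
            succeeded = True
        elif result == FAIL:
            if control == "requisite":
                return False, ran       # stop here, the app sees the failure
            if control == "required":
                failed = True           # remembered; a later success cannot undo it
        if control.startswith("[success=") and result == SUCCESS:
            i += int(control.split("=")[1].split()[0])   # jump over N modules
        i += 1
    return (succeeded and not failed), ran


# The two stacks from the thread; MODIFIED is the one with line 1 commented out.
ORIGINAL = [("[success=1 default=ignore]", "pam_unix.so"),
            ("required", "pam_ldap.so"),
            ("required", "pam_permit.so")]
MODIFIED = ORIGINAL[1:]
REQUISITE = [("requisite", "pam_ldap.so"), ("required", "pam_permit.so")]


def scenarios():
    return {
        # local password correct: pam_ldap is skipped, pam_permit then succeeds
        "unix ok": evaluate(ORIGINAL, {"pam_unix.so": SUCCESS, "pam_ldap.so": FAIL}),
        # LDAP check fails under required: the failure sticks despite pam_permit
        "ldap fails, required": evaluate(MODIFIED, {"pam_ldap.so": FAIL}),
        # same failure under requisite: pam_permit is never reached
        "ldap fails, requisite": evaluate(REQUISITE, {"pam_ldap.so": FAIL}),
        # pam_permit hazard: wrong local password and user unknown to LDAP both
        # yield "ignore", leaving pam_permit alone to set the result
        "bad password, not in ldap": evaluate(ORIGINAL, {"pam_unix.so": FAIL, "pam_ldap.so": IGNORE}),
    }
```

The last scenario is why a trailing pam_permit is risky: once every earlier module is ignored, pam_permit decides the outcome on its own.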
