On Tue, May 09, 2006 at 12:16:33AM +1000, Simon Wong wrote:
> On Mon, 2006-05-08 at 16:02 +1000, Alexander Samad wrote:
> > my common-auth looks like
> >
> >     auth [success=1 default=ignore] pam_unix.so nullok_secure
> >     auth required pam_ldap.so ignore_unknown_user use_first_pass
> >     auth required pam_permit.so
>
> I doubt you want to use the permit module as it always succeeds.
>
> > when I modify my common-auth to look like this
> >
> >     #auth [success=1 default=ignore] pam_unix.so nullok_secure
> >     auth required pam_ldap.so ignore_unknown_user use_first_pass
> >     auth required pam_permit.so
>
> This link describes the various modules (I know, when you're having
> trouble it barely seems to cover much at all!):
>
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html
>
> I don't know whether the parameters "[success=1 default=ignore]" are
> valid. Look at /var/log/auth.log for pam logging.
>
> > Q1) if pam_ldap.so fails because of the host command, why does it still
> > allow me in even though there is a pam_permit afterwards? Shouldn't the
> > required part fail the whole lookup?
>
> Check out the documentation at
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html#ss4.1
>
> What you are thinking of is "requisite", so that a failure returns to the
> app immediately. Required is used where you require multiple modules to
> be successful to allow the authentication to succeed.
>
> > Q2) why, when I uncomment the first line, does it not use the pam_filter
> > defined in pam_ldap.conf? My presumption is that pam_unix uses glibc and
> > thus nsswitch - is this the catch, that it accesses the ldap via glibc
> > because of my nsswitch setup above?
>
> No idea!
Well, lots of searching around the padl mailing lists brought me up with this:

    # From padl.com mailing list
    auth sufficient pam_unix.so nullok_secure
    auth required pam_ldap.so ignore_unknown_user use_first_pass

which seems to work. The previous worked, but with side effects. The
[success=1 default=ignore] is the way of routing the results in long hand,
whereas required and sufficient do it in short hand.

All is happy now, and I have my ldap pam nss filtering working as well.

> --
> Simon Wong <[EMAIL PROTECTED]>
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
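To make the control-flag semantics behind this thread concrete, here is an added simulation (not code from the thread or from Linux-PAM itself) that walks the stacks discussed above under the documented rules for required, requisite, sufficient and [success=N default=ignore]. Module outcomes are constructed inputs, and pam_permit.so is modelled as always succeeding.

```python
OK, FAIL = "PAM_SUCCESS", "PAM_AUTH_ERR"

def evaluate(stack, outcomes):
    """Walk an auth stack the way Linux-PAM does.
    stack: list of (control, module); outcomes: module -> OK/FAIL (constructed).
    Returns (final result seen by the application, modules actually run)."""
    ran, required_failure, i = [], None, 0
    while i < len(stack):
        control, module = stack[i]
        ran.append(module)
        rc = OK if module == "pam_permit.so" else outcomes[module]  # pam_permit always succeeds
        if control == "required":
            if rc != OK and required_failure is None:
                required_failure = rc          # remembered, but the stack keeps going
        elif control == "requisite":
            if rc != OK:
                return rc, ran                 # failure returns to the app at once
        elif control == "sufficient":
            if rc == OK and required_failure is None:
                return OK, ran                 # enough, unless an earlier required failed
            # a failing sufficient module is simply ignored
        elif control.startswith("[success="):
            # long-hand control used in the thread: [success=N default=ignore]
            n = int(control.split("success=")[1].split()[0].rstrip("]"))
            if rc == OK:
                i += n                         # skip the next N modules
        i += 1
    return (required_failure or OK), ran

# The stacks discussed in the thread, plus a requisite variant for contrast
ORIGINAL = [("[success=1 default=ignore]", "pam_unix.so"),
            ("required", "pam_ldap.so"),
            ("required", "pam_permit.so")]
UNIX_COMMENTED = ORIGINAL[1:]                  # first line commented out (Q1)
PADL = [("sufficient", "pam_unix.so"),
        ("required", "pam_ldap.so")]
REQUISITE = [("requisite", "pam_ldap.so"),
             ("required", "pam_permit.so")]

if __name__ == "__main__":
    # constructed outcomes: a local-only user, an LDAP-only user, and an unknown user
    scenarios = [("local", {"pam_unix.so": OK, "pam_ldap.so": FAIL}),
                 ("ldap", {"pam_unix.so": FAIL, "pam_ldap.so": OK}),
                 ("nobody", {"pam_unix.so": FAIL, "pam_ldap.so": FAIL})]
    for name, stack in [("original", ORIGINAL), ("unix commented", UNIX_COMMENTED),
                        ("padl", PADL), ("requisite", REQUISITE)]:
        for who, outcomes in scenarios:
            result, ran = evaluate(stack, outcomes)
            print(f"{name:15} {who:7} -> {result:13} ran={ran}")
```

Note that with pam_unix commented out, a failing required pam_ldap still lets pam_permit run but the stack result stays a failure, while the padl stack stops at pam_unix for local users and never touches pam_ldap.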
