Thank you for reporting this issue and helping to improve Ubuntu. This is not a bug in pam_unix, which is deliberately configured such that a successful authorization return from either pam_unix *or* another stacked module is sufficient to permit a login. If pam_ldap access checks should always be enforced *in addition* to pam_unix, then pam_ldap's pam-auth-update profile should declare itself Account-Type: additional.
This appears to be the same as Debian bug #583483. ** Package changed: pam (Ubuntu) => libpam-ldap (Ubuntu) ** Bug watch added: Debian Bug tracker #583483 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583483 ** Also affects: libpam-ldap (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583483 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. https://bugs.launchpad.net/bugs/604593 Title: pam_unix "account" returns success on a user with an invalid shadow password. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
