Public bug reported:
Binary package hint: ldap-auth-client
On all the systems where I set up libpam-ldap, prior to auth-client-config,
I used the construct recommended by
/usr/share/doc/libpam-ldap/README.Debian:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_permit.so
I'm excited to try auth-client-config, to avoid hand editing lots of files,
however I noticed that /etc/auth-client-config/profile.d/ldap-auth-config does
exactly what README.Debian cautions against:
[...]
- Be very careful when you use "sufficient pam_ldap.so" in Debian's
/etc/pam.d/common-* files: Some services can place other "required"
PAM-modules after the includes, which will be ignored if pam_ldap.so
succeeds. As a workaround, use something like the following construct:
[...]
A side benefit of the construct recommended by README.Debian is that "local
authentication is checked first, so root can still login if LDAP is down."
I created my own /etc/auth-client-config/profile.d/mine profile which
implements the README.Debian construct, but I wonder why ldap-auth-config
uses "sufficient pam_ldap.so", and checks pam_ldap.so before pam_unix.so.
Is the advice of README.Debian outdated or overly paranoid?
Thanks and best wishes, Jack
** Affects: ldap-auth-client (Ubuntu)
Importance: Undecided
Status: New
--
sufficient pam_ldap.so
https://bugs.launchpad.net/bugs/221261
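
Added example, not part of the original report or of ldap-auth-client: a simplified Python model of PAM control-flag evaluation that runs the README.Debian construct and a "sufficient pam_ldap.so" ordering in front of a "required" module placed after the include. The sufficient stack and the module name pam_service_check.so are constructed for illustration.

```python
# Simplified model of libpam stack evaluation; module options are not modelled.
CONTROLS = {  # control -> (action when the module succeeds, action when it fails)
    "required": ("ok", "bad"),
    "requisite": ("ok", "die"),
    "sufficient": ("done", "ignore"),
    "[success=1 default=ignore]": (1, "ignore"),
}

def run_stack(stack, passing):
    """Return (granted, modules_run) for a list of (control, module) entries."""
    state, ran, skip = None, [], 0  # state: None undecided, True ok, False failed
    for control, module in stack:
        if skip:  # an earlier jump action skips this entry
            skip -= 1
            continue
        ran.append(module)
        action = CONTROLS[control][0 if module in passing else 1]
        if isinstance(action, int):
            skip = action  # jump over N entries; the result itself is not recorded
        elif action in ("ok", "done"):
            if state is None:
                state = True
            if action == "done" and state:
                break  # stack ends here; later entries never run
        elif action in ("bad", "die"):
            state = False
            if action == "die":
                break
    return state is True, ran

# Hypothetical "required" module that a service places after including common-auth.
SERVICE_TAIL = [("required", "pam_service_check.so")]
# Constructed stand-in for the ordering the report describes, not the shipped profile.
SUFFICIENT_LDAP = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]
# The three lines quoted in the report.
README_CONSTRUCT = [
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("requisite", "pam_ldap.so"),
    ("requisite", "pam_permit.so"),
]

if __name__ == "__main__":
    # LDAP password is correct, but the service's own check rejects the login.
    ldap_ok = {"pam_ldap.so", "pam_permit.so"}
    print(run_stack(SUFFICIENT_LDAP + SERVICE_TAIL, ldap_ok))
    print(run_stack(README_CONSTRUCT + SERVICE_TAIL, ldap_ok))
    # Local account, LDAP unreachable: pam_ldap.so is skipped by the jump.
    local_ok = {"pam_unix.so", "pam_permit.so", "pam_service_check.so"}
    print(run_stack(README_CONSTRUCT + SERVICE_TAIL, local_ok))
```

In the first run the stack ends at pam_ldap.so and the service's required module is never consulted; with the README.Debian lines the same login reaches that module and is refused.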