Thank you for reporting this issue and helping to improve Ubuntu. This is not a bug in pam_unix, which is deliberately configured such that a successful authorization return from either pam_unix *or* another stacked module is sufficient to permit a login. If pam_ldap access checks should always be enforced *in addition* to pam_unix, then pam_ldap's pam-auth-update profile should declare itself Account-Type: additional.
This appears to be the same as Debian bug #583483. ** Package changed: pam (Ubuntu) => libpam-ldap (Ubuntu) ** Bug watch added: Debian Bug tracker #583483 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583483 ** Also affects: libpam-ldap (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583483 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libpam-ldap in Ubuntu. https://bugs.launchpad.net/bugs/604593 Title: pam_unix "account" returns success on a user with an invalid shadow password. -- Ubuntu-server-bugs mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
