Deprecating pam_stack.so
Bernardo Innocenti
bernie at develer.com
Thu Oct 13 01:06:05 UTC 2005
Tomas Mraz wrote:
> On Wed, 2005-10-12 at 11:05 +0200, Tomas Mraz wrote:
>> On Wed, 2005-10-12 at 02:06 +0200, Bernardo Innocenti wrote:
>
>>> Also, you can login as root with root's password from ldap
>>> even tough there's a valid root entry in /etc/passwd.
>> That's expected as both pam_ldap and pam_unix are sufficient entries.
>> If you want to prevent that you can insert pam_succeed_if
> I've forgot to finish this. You can insert pam_succeed_if in between
> pam_unix and pam_ldap.
>
> auth sufficient pam_unix.so .....
> auth required pam_succeed_if.so uid != 0 quiet
> auth sufficient pam_ldap.so .....
>
> This way only the local unix password will work for root.
Works fine, thanks!
(please ignore my previous post asking for clarifications).
--
// Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/ http://www.develer.com/
More information about the fedora-devel-list
mailing list