ldap.conf: 'pam_groupdn' being completely ignored?
Nalin Dahyabhai
nalin at redhat.com
Wed Jan 7 19:30:57 UTC 2004
On Wed, Jan 07, 2004 at 10:40:46AM -0500, Brian K. Jones wrote:
> And here's my /etc/pam.d/system-auth (used by sshd, which is my primary
> testing application)
[snip]
> account sufficient /lib/security/$ISA/pam_unix.so
> account [default=bad success=ok user_unknown=ignore
> service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
[snip]
The groupdn check is performed as part of the account management checks
implemented by pam_ldap. You've got pam_unix listed as "sufficient"
before pam_ldap, so libpam calls into pam_unix first when the
application (sshd) calls it to perform account management.
The pam_unix module's account management function verifies that the
user's password hasn't expired, and then returns a success code to
libpam. libpam stops there because a success in a "sufficient" module
is enough. The pam_ldap module isn't consulted.
HTH,
Nalin
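To make the stack-walking behaviour described above concrete, here is a small Python model of how libpam applies control flags to an "account" stack. It is an added example, not code from the thread or from Linux-PAM; the module return values ("success", "user_unknown", "perm_denied") and the alternative pam_unix control field are constructed assumptions used only to show which modules get consulted and why.

```python
"""Toy model of how Linux-PAM walks a PAM stack (constructed example; not
part of the original thread or of Linux-PAM itself)."""

# Expansions Linux-PAM documents for the four simple control keywords.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_control(control):
    """Turn 'sufficient' or '[default=bad success=ok ...]' into a value->action table."""
    control = control.strip()
    if control in SIMPLE_CONTROLS:
        return dict(SIMPLE_CONTROLS[control])
    if control.startswith("[") and control.endswith("]"):
        table = {}
        for pair in control[1:-1].split():
            value, action = pair.split("=", 1)
            table[value] = action
        return table
    raise ValueError("unknown control field: %r" % control)


def evaluate_stack(stack, results):
    """Walk a list of (control, module) lines the way libpam does.

    `results` maps a module name to the value that module would return.
    Returns (final status, list of modules that were actually called).
    Only the ignore/ok/done/bad/die actions are modelled; numeric jumps
    and 'reset' are left out.
    """
    impression = None        # None = undecided, True = positive, False = negative
    status = "perm_denied"   # what libpam returns if nothing ever decided
    called = []
    for control, module in stack:
        actions = parse_control(control)
        retval = results[module]
        called.append(module)
        # Values not listed explicitly fall back to "default", and an
        # unlisted value with no default is treated as "bad".
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # "ok" only overrides the running status while no failure is recorded.
            if impression is None or (impression and status == "success"):
                impression = True
                status = retval
            if impression and action == "done":
                break        # the "sufficient" short circuit: stop right here
        elif action in ("bad", "die"):
            if impression is not False:
                impression = False
                status = retval
            if action == "die":
                break
        else:
            raise ValueError("unsupported action: %r" % action)
    if impression is None:
        status = "perm_denied"
    return status, called


# The pam_ldap line from the thread, verbatim.
LDAP_LINE = "[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]"

# The stack quoted in the thread: pam_unix is "sufficient" and comes first.
ORIGINAL_STACK = [("sufficient", "pam_unix.so"), (LDAP_LINE, "pam_ldap.so")]

# An alternative control field for pam_unix (an assumption for illustration):
# a local success no longer ends the stack, an unknown user is skipped, and
# any other result is a failure.
ALTERNATIVE_STACK = [
    ("[success=ok new_authtok_reqd=done user_unknown=ignore default=bad]", "pam_unix.so"),
    (LDAP_LINE, "pam_ldap.so"),
]


def run_scenarios():
    """Constructed scenarios; returns {name: (status, modules_called)}."""
    # A user pam_unix can see whose password is not expired, but who is
    # outside pam_groupdn, so pam_ldap would refuse them.
    not_in_groupdn = {"pam_unix.so": "success", "pam_ldap.so": "perm_denied"}
    # A user pam_unix cannot find locally at all.
    ldap_only_user = {"pam_unix.so": "user_unknown", "pam_ldap.so": "success"}
    return {
        "original/not_in_groupdn": evaluate_stack(ORIGINAL_STACK, not_in_groupdn),
        "original/ldap_only_user": evaluate_stack(ORIGINAL_STACK, ldap_only_user),
        "alternative/not_in_groupdn": evaluate_stack(ALTERNATIVE_STACK, not_in_groupdn),
        "alternative/ldap_only_user": evaluate_stack(ALTERNATIVE_STACK, ldap_only_user),
    }


if __name__ == "__main__":
    for name, (status, called) in run_scenarios().items():
        print("%-28s -> %-12s called: %s" % (name, status, ", ".join(called)))
```

Running it shows the point of the reply: with the original stack, a user whose pam_unix account check succeeds is granted access after only pam_unix has been called, so the groupdn check never runs; only a user pam_unix does not know about reaches pam_ldap. With the alternative control field both modules are consulted and pam_ldap's refusal is what the application sees.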