ldap.conf: 'pam_groupdn' being completely ignored?

Brian Jones jonesy at CS.Princeton.EDU
Wed Jan 7 21:11:49 UTC 2004


This is tremendously helpful. Thank you.
The problem isn't quite fixed yet, but I'm getting much, much more 
predictable output.

If you happen to know off the top of your head what 'err=5' is in 
openldap for a CMP operation, let me know. Otherwise, I'll find it by 
running slapd with '-d 128' or something.

Thanks again. I'll report back the final summary.
brian.

Nalin Dahyabhai wrote:

> On Wed, Jan 07, 2004 at 10:40:46AM -0500, Brian K. Jones wrote:
> 
>>And here's my /etc/pam.d/system-auth (used by sshd, which is my primary
>>testing application)
> 
> [snip]
> 
>>account     sufficient    /lib/security/$ISA/pam_unix.so
>>account     [default=bad success=ok user_unknown=ignore
>>service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
> 
> [snip]
> 
> The groupdn check is performed as part of the account management checks
> implemented by pam_ldap.  You've got pam_unix listed as "sufficient"
> before pam_ldap, so libpam calls into pam_unix first when the
> application (sshd) calls it to perform account management.
> 
> The pam_unix module's account management function verifies that the
> user's password hasn't expired, and then returns a success code to
> libpam.  libpam stops there because a success in a "sufficient" module
> is enough.  The pam_ldap module isn't consulted.
> 
> HTH,
> 
> Nalin
> 
> 
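
The stack-walk that Nalin describes above, as an added example that is not code from this thread or from Linux-PAM itself: a deliberately simplified Python model of how libpam evaluates an "account" stack under the control flags that matter here (required, sufficient, and the bracketed [value=action] form with ok, done, bad, die and ignore). The module behaviour is stubbed with constructed directory data and rests on two assumptions, both labelled in the code: pam_unix's account check returns success for any NSS-resolvable user whose password has not expired, and pam_ldap returns perm_denied when the pam_groupdn check fails and user_unknown for a user that is not in LDAP. The "fixed" stack simply changes pam_unix from sufficient to required so that pam_ldap is always consulted; the hostnames, users and group membership are invented.

```python
"""Simplified model of libpam walking an 'account' stack.

Added example, not Linux-PAM code.  Only the control actions ok, done,
bad, die and ignore are modelled, which is enough to show why a
'sufficient' pam_unix ahead of pam_ldap short-circuits the groupdn check.
"""

# The [value=action] tables libpam treats as equivalent to the keywords
# (see pam.conf(5)).
SUFFICIENT = {"success": "done", "new_authtok_reqd": "done", "default": "ignore"}
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok",
            "ignore": "ignore", "default": "bad"}

# The pam_ldap control field exactly as quoted in the thread.
PAM_LDAP_CTRL = {"default": "bad", "success": "ok", "user_unknown": "ignore",
                 "service_err": "ignore", "system_err": "ignore"}

# Constructed directory data (not real accounts).
NSS_USERS = {"root": "local", "alice": "ldap", "bob": "ldap"}  # getpwnam works
LDAP_USERS = {"alice", "bob"}
GROUPDN_MEMBERS = {"bob"}   # members of the DN configured as pam_groupdn


def pam_unix_acct(user, log):
    """Assumption: pam_unix returns success for any NSS-visible,
    non-expired user; nss_ldap makes LDAP users visible too."""
    log.append("pam_unix")
    if user not in NSS_USERS:
        return "user_unknown"
    return "success"


def pam_ldap_acct(user, log):
    """Assumption: pam_ldap returns perm_denied when the pam_groupdn
    membership test fails and user_unknown for non-LDAP users."""
    log.append("pam_ldap")
    if user not in LDAP_USERS:
        return "user_unknown"
    return "success" if user in GROUPDN_MEMBERS else "perm_denied"


def run_stack(stack, user):
    """Return (stack_result, modules_actually_called) for one request."""
    log = []
    failure = None   # first bad/die result; it sticks for the rest of the stack
    result = None    # most recent ok/done result while the stack is not failed
    for control, module in stack:
        rc = module(user, log)
        action = control.get(rc, control["default"])
        if action == "ignore":
            continue                      # return code does not contribute
        if action in ("ok", "done"):
            if failure is None:
                result = rc
            if action == "done" and failure is None and rc == "success":
                break                     # 'sufficient' success ends the walk
        elif action in ("bad", "die"):
            if failure is None:
                failure = rc
            if action == "die":
                break
        else:
            raise ValueError(f"unmodelled action {action!r}")
    if failure is not None:
        return failure, log
    # Nothing contributed a result: libpam denies rather than permits.
    return (result if result is not None else "perm_denied"), log


# The stack from the thread and a corrected one (assumed fix: required).
ORIGINAL_STACK = [(SUFFICIENT, pam_unix_acct), (PAM_LDAP_CTRL, pam_ldap_acct)]
FIXED_STACK = [(REQUIRED, pam_unix_acct), (PAM_LDAP_CTRL, pam_ldap_acct)]


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_STACK), ("fixed", FIXED_STACK)):
        for user in ("alice", "bob", "root", "mallory"):
            print(f"{name:8s} {user:8s} -> {run_stack(stack, user)}")
```

Running it shows the symptom from the thread: with the original ordering, alice (an LDAP user outside the groupdn) gets "success" and only pam_unix is ever called, so pam_groupdn looks "completely ignored". With pam_unix as required, alice is denied by pam_ldap, bob passes, and root still passes because pam_ldap's user_unknown is mapped to ignore rather than bad.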
More information about the fedora-list mailing list