[FC2] pam_ldap and root user

Lionel LENOBLE lenoble at cip.dauphine.fr
Tue Jun 1 12:24:30 UTC 2004


Here's mine :

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Hope that'll help !
works fine for me :)

Lionel LENOBLE.

> Hello,
> 
> When I try to log in as root, the PAM stack uses LDAP to check the
> password.
> How can I prevent this ? I'd like to have a set of local users, so that 
> PAM looks up in LDAP only if the user doesn't exist on the system.
> I've put everywhere pam_unix.so as 'sufficient' and before pam_ldap.so, 
> but to no avail :(
> 
> Here is my /etc/pam.d/system-auth :
> 
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_mount.so
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
> 
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
> account     sufficient      /lib/security/$ISA/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> 
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
> 
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_mount.so
> session     sufficient      /lib/security/$ISA/pam_unix.so
> session     sufficient      /lib/security/$ISA/pam_ldap.so
> 
> 
> Thanks a lot,
> 
> -- 
> Damiano ALBANI
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
> 
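
An added illustration, not part of either message: a simplified Python model of how libpam walks the auth lines of the stack posted in the reply, showing which modules are consulted for a given set of module results. The module results passed in are assumed inputs, jump and reset actions are not modeled, and treating a missing default as bad is an assumption.

```python
import re

# Constructed input: the auth lines copied from the reply's system-auth stack.
STACK = """\
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
"""
# Simple control keywords expanded to their bracket equivalents (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text, group):
    """Return [(module_name, {result: action})] for one management group."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(1) != group:
            continue  # comments, blank lines and other groups are skipped
        ctl = m.group(2)
        actions = (dict(kv.split("=") for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        name = m.group(3).rsplit("/", 1)[-1]
        entries.append((name[:-3] if name.endswith(".so") else name, actions))
    return entries

def simulate(entries, results):
    """results maps module name -> result token (assumed outcomes).
    Unlisted modules succeed, except pam_deny, which always fails.
    Returns (modules_called, stack_succeeded)."""
    called, state = [], None  # state: None undecided, True ok so far, False failed
    for name, actions in entries:
        called.append(name)
        res = results.get(name, "auth_err" if name == "pam_deny" else "success")
        act = actions.get(res, actions.get("default", "bad"))  # assumption: no default -> bad
        if act in ("ok", "done") and state is not False:
            state = True
        elif act in ("bad", "die"):
            state = False
        if act == "die" or (act == "done" and state):
            break  # stack returns to the application immediately
    return called, bool(state)
```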



