Question about authentication
Andrew Afliatunov
andy at taom.ru
Fri Feb 25 15:07:39 UTC 2005
Hi!
I use pam_ldap authentication for POP and IMAP users of my Linux server. I don't have accounts in /etc/passwd. Users authenticate in LDAP successfully. Then why do I see this in security.log?
--
Feb 25 14:03:57 web pop(pam_unix)[3814]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=195.144.197.131
--
In /etc/nsswitch.conf I have
--
passwd: files ldap
shadow: files ldap
group: files
--
and in /etc/pam.d/pop and /etc/pam.d/imap
--
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
--
So why is pam_unix tried if pam_ldap succeeds?
Isn't it enough to have 'sufficient pam_ldap.so'? (The pam-modules documentation says that in this case subsequent |required| modules are NOT invoked.)
--
Andrew.
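The following is an added worked example, not code from the original post and not part of Linux-PAM itself. It is a small model of the Linux-PAM control-flag semantics (sufficient, required, requisite, optional) as described in the Linux-PAM System Administrators' Guide, run over the auth stack posted above with constructed module outcomes. It shows that with the posted order pam_unix_auth is only reached on attempts where pam_ldap itself returns a failure (wrong password, unknown user), which is one way a pam_unix failure line can show up for a host that has no local accounts; it also shows the reverse ordering, where a required module placed before the sufficient one cannot be rescued by it. Module names and outcome tables are constructed for the demonstration.

```python
"""Toy model of Linux-PAM stack evaluation.

Added example for the pam-list question above; not Linux-PAM code.
Control-flag semantics follow the Linux-PAM System Administrators' Guide:
  required   - failure is remembered, but the rest of the stack still runs
  requisite  - failure aborts the stack immediately
  sufficient - success returns immediately unless an earlier 'required' failed;
               failure is ignored
  optional   - only decisive when it is the sole module in the stack
"""
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]           # (control flag, module name)
Outcomes = Dict[str, bool]              # module name -> True (success) / False

# The auth stack exactly as posted in /etc/pam.d/pop and /etc/pam.d/imap.
POP_AUTH_STACK: Stack = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix_auth.so"),
]

# Constructed alternative: required pam_unix first, then sufficient pam_ldap.
UNIX_FIRST_STACK: Stack = [
    ("required", "pam_unix_auth.so"),
    ("sufficient", "pam_ldap.so"),
]


def run_stack(stack: Stack, outcomes: Outcomes) -> Tuple[bool, List[str]]:
    """Evaluate one PAM stack against a table of per-module results.

    Returns (final_success, invoked) where `invoked` lists, in order, the
    modules that were actually called. A module not listed in `outcomes`
    is treated as failing, which is what pam_unix does for a user that is
    not in /etc/passwd.
    """
    invoked: List[str] = []
    required_failed = False
    decisive_seen = False           # any required/requisite/sufficient seen?
    optional_result = None

    for control, module in stack:
        invoked.append(module)
        ok = outcomes.get(module, False)

        if control == "sufficient":
            decisive_seen = True
            if ok and not required_failed:
                return True, invoked        # short-circuit: nothing below runs
            # a failing 'sufficient' module is simply ignored
        elif control == "requisite":
            decisive_seen = True
            if not ok:
                return False, invoked       # abort the stack right here
        elif control == "required":
            decisive_seen = True
            if not ok:
                required_failed = True      # remember, but keep going
        elif control == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unknown control flag {control!r}")

    if not decisive_seen and optional_result is not None:
        return optional_result, invoked     # stack consisted only of 'optional'
    return not required_failed, invoked


def posted_config_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the constructed scenarios that matter for the question above."""
    return {
        # LDAP accepts the password: pam_unix_auth is never called.
        "ldap_ok": run_stack(POP_AUTH_STACK, {"pam_ldap.so": True}),
        # LDAP rejects it (bad password / unknown user): the stack falls
        # through to pam_unix_auth, which fails and logs 'authentication
        # failure' even though no local account exists.
        "ldap_fail": run_stack(POP_AUTH_STACK, {"pam_ldap.so": False}),
        # Reverse order: the earlier 'required' failure is remembered, so the
        # later 'sufficient' success cannot turn the result into a pass.
        "unix_first_ldap_ok": run_stack(UNIX_FIRST_STACK, {"pam_ldap.so": True}),
    }


if __name__ == "__main__":
    for name, (ok, invoked) in posted_config_scenarios().items():
        print(f"{name:20s} success={ok!s:5s} invoked={invoked}")
```

Reading the three results together: a pam_unix line in security.log does not by itself mean pam_ldap succeeded and pam_unix was still run; under these semantics it means that particular attempt was rejected (or ignored) by pam_ldap first. Correlating the timestamps and rhost of the pam_unix lines with the LDAP server's own logs for the same attempts is the quickest way to confirm that on a real host.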