/etc/pam.d/su with ldap
Doug Weimer
dougw at sdsc.edu
Mon May 29 15:55:46 UTC 2006
On Mon, 29 May 2006, Anthony wrote:
> Hi, I have modified my /etc/su file so that it integrates LDAP,
>
> I got a small problem: whenever the root user does a
> $su - username1
> password:
>
> it asks me for a password, I hit 'enter', then I get the prompt;
>
> what is wrong with my su config file?
>
<snip>
> # cat /etc/pam.d/su
> #%PAM-1.0
> #pam_ldap Added by me
> auth sufficient pam_ldap.so
> account sufficient pam_ldap.so
> password sufficient pam_ldap.so
>
> auth sufficient /lib/security/$ISA/pam_rootok.so

I believe that PAM starts at the top of a configuration file and then runs
each applicable module in the order it is listed. With this configuration
the first 'auth' entry is pam_ldap.so and this module will prompt for a
password. By hitting enter at the prompt, this auth check will fail. Upon
failure, PAM will then go to the pam_rootok.so module which will succeed
and allow root to su.

Have you tried putting the pam_rootok.so line first?

Thanks,
Doug
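
The ordering effect discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how the 'auth' stack is walked, run over the posted lines and over a reordered copy. The function names, the REORDERED sample and the rule that only pam_ldap.so prompts are assumptions made for illustration; only the 'sufficient' and 'required' control flags are modelled.

```python
import os

# Constructed samples: the 'auth' lines as posted, and the same lines reordered.
AS_POSTED = """#%PAM-1.0
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
auth sufficient /lib/security/$ISA/pam_rootok.so
"""
REORDERED = """#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
auth sufficient pam_ldap.so
"""

PROMPTING = {"pam_ldap.so"}  # assumption: modules that ask for a password

def auth_stack(pam_conf):
    """Return [(control, module)] for the 'auth' lines, in file order."""
    stack = []
    for line in pam_conf.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], os.path.basename(fields[2])))
    return stack

def simulate(pam_conf, caller_is_root, password_ok):
    """Walk the auth stack; return (granted, modules_that_prompted)."""
    prompted, required_failed, any_success = [], False, False
    for control, module in auth_stack(pam_conf):
        if module == "pam_rootok.so":
            ok = caller_is_root            # succeeds only when the caller is root
        elif module in PROMPTING:
            prompted.append(module)        # the user sees "Password:" here
            ok = password_ok
        else:
            continue                       # modules outside this model are skipped
        if ok:
            any_success = True
            if control == "sufficient" and not required_failed:
                return True, prompted      # 'sufficient' success ends the stack
        elif control == "required":
            required_failed = True         # remembered, stack keeps running
        # a failed 'sufficient' module is ignored and the next line is tried
    return (any_success and not required_failed), prompted

if __name__ == "__main__":
    print("as posted, root, empty password:", simulate(AS_POSTED, True, False))
    print("reordered, root:                ", simulate(REORDERED, True, False))
    print("reordered, non-root, bad pw:    ", simulate(REORDERED, False, False))
```

In the reordered file a non-root caller still falls through to pam_ldap.so and must supply a valid password; only root skips the prompt.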