
List:       pamldap
Subject:    Re: [pamldap] fail on pam_groupdn condition
From:       Norbert Klasen <klasen () zdv ! uni-tuebingen ! de>
Date:       2000-10-19 10:47:48

> On Mon, Oct 16, 2000 at 12:55:12PM +0200, Norbert Klasen wrote:
> > try:
> >
> > account  sufficient     /lib/security/pam_ldap.so
> > account  required       /lib/security/pam_pwdb.so
> >
> > and make sure that your "ldap users" are not in /etc/passwd. Because
> > otherwise pam_pwdb.so would return OK and thus the whole account section
> > would be OK.
> 
> thanks for your hint that this is done in account, but I already
> had
> account    sufficient   pam_ldap.so
> account    required   pam_unix.so
> 
> And the users are not in passwd...

You use pam_unix.so, which employs NSS to look up users. And as with most
pam_ldap users, you probably have set up /etc/nsswitch.conf to use
nss_ldap for passwd. So pam_unix.so WILL find a valid user. (It took me a
while to notice this.) You should therefore use pam_pwdb, which will use
/etc/passwd directly.

-- 
Norbert Klasen
DFN Directory Services                           tel: +49 7071 29 70335
ZDV, Universität Tübingen                        fax: +49 7071 29 5912
D-72074 Tübingen                    norbert.klasen@zdv.uni-tuebingen.de
Germany                                     http://www.directory.dfn.de
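As an added illustration of the point made in this reply (example code, not part of the thread or of pam_ldap itself): a small simulation of how Linux-PAM evaluates the two account stacks. The module names mirror the thread; the user names, the pam_groupdn value and the group membership data are constructed for the example, and the control-flag logic is a simplified version of the real `sufficient`/`required` semantics.

```python
# Simulation of the pam_ldap account stack discussed above.
# 'sufficient': a success ends the stack successfully unless an earlier
#               'required' module already failed.
# 'required':   a failure makes the whole stack fail, but later modules
#               still run.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = "success", "auth_err", "user_unknown"

# Constructed sample data: local accounts live in /etc/passwd, the
# "ldap users" live only in the directory. The group DN is made up.
ETC_PASSWD = {"root", "alice"}
PAM_GROUPDN = "cn=admins,ou=groups,dc=example,dc=com"
LDAP_USERS = {
    "bob": {PAM_GROUPDN},   # bob is a member of the required group
    "carol": set(),         # carol is an LDAP user, but not in the group
}

def pam_ldap_account(user):
    """pam_ldap with pam_groupdn: succeed only for members of the group."""
    if user not in LDAP_USERS:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if PAM_GROUPDN in LDAP_USERS[user] else PAM_AUTH_ERR

def pam_unix_account(user):
    """pam_unix resolves the user through NSS. With nss_ldap configured for
    passwd, NSS also sees every directory user, so they all look valid."""
    nss_passwd = ETC_PASSWD | set(LDAP_USERS)
    return PAM_SUCCESS if user in nss_passwd else PAM_USER_UNKNOWN

def pam_pwdb_account(user):
    """pam_pwdb reads /etc/passwd directly and never consults nss_ldap."""
    return PAM_SUCCESS if user in ETC_PASSWD else PAM_USER_UNKNOWN

def run_stack(stack, user):
    """Evaluate a list of (control, module) entries for one user."""
    failed = passed = False
    for control, module in stack:
        result = module(user)
        if control == "sufficient":
            if result == PAM_SUCCESS and not failed:
                return PAM_SUCCESS
        elif control == "required":
            if result == PAM_SUCCESS:
                passed = True
            else:
                failed = True
    return PAM_SUCCESS if passed and not failed else PAM_AUTH_ERR

# The stack from the question (pam_unix via NSS) and the suggested fix.
NSS_STACK = [("sufficient", pam_ldap_account), ("required", pam_unix_account)]
PWDB_STACK = [("sufficient", pam_ldap_account), ("required", pam_pwdb_account)]
```

With the NSS-backed stack, carol passes the account phase although pam_ldap rejected her, because pam_unix finds her through nss_ldap; with pam_pwdb in the required slot she is denied while bob (group member) and alice (local account) still get in.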
