List: pamldap
Subject: Re: [pamldap] fail on pam_groupdn condition
From: Norbert Klasen <klasen () zdv ! uni-tuebingen ! de>
Date: 2000-10-19 10:47:48
> On Mon, Oct 16, 2000 at 12:55:12PM +0200, Norbert Klasen wrote:
> > try:
> >
> > account sufficient /lib/security/pam_ldap.so
> > account required /lib/security/pam_pwdb.so
> >
> > and make sure that your "ldap users" are not in /etc/passwd. Because
> > otherwise pam_pwdb.so would return OK and thus the whole account section
> > would be OK.
>
> thanks for your hint that this is done in account, but I already
> had
> account sufficient pam_ldap.so
> account required pam_unix.so
>
> And the users are not in passwd...
You use pam_unix.so which employs NSS to look up users. And as with most
pam_ldap users, you probably have set up /etc/nsswitch.conf to use
nss_ldap for passwd. So pam_unix.so WILL find a valid user. (It took me a
while to notice this.) You should therefore use pam_pwdb which will use
/etc/passwd directly.
--
Norbert Klasen
DFN Directory Services tel: +49 7071 29 70335
ZDV, Universität Tübingen fax: +49 7071 29 5912
D-72074 Tübingen norbert.klasen@zdv.uni-tuebingen.de
Germany http://www.directory.dfn.de
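
The stack behaviour described in this message, as a simplified model added here for illustration (not part of the original post, and not PAM's own code). The user names, group membership and Python function names are constructed assumptions; the pam_pwdb behaviour follows the message's description.

```python
# Simplified model of PAM account-stack evaluation (added example; constructed data).
ETC_PASSWD = {"root", "daemon"}        # constructed: local accounts only
LDAP_USERS = {"alice", "bob"}          # constructed: accounts served by nss_ldap
GROUPDN_MEMBERS = {"alice"}            # constructed: members of the pam_groupdn group
NSS_PASSWD = ETC_PASSWD | LDAP_USERS   # models nsswitch.conf "passwd: files ldap"

def pam_ldap(user):
    # Account check fails when the user is not a member of pam_groupdn.
    return user in LDAP_USERS and user in GROUPDN_MEMBERS

def pam_unix(user):
    # Resolves the user through NSS, so LDAP users are found as well.
    return user in NSS_PASSWD

def pam_pwdb(user):
    # Per the message: consults /etc/passwd directly, bypassing nss_ldap.
    return user in ETC_PASSWD

def run_account_stack(stack, user):
    """Evaluate (control, module) pairs with 'sufficient'/'required' semantics."""
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = module(user)
        if control == "sufficient":
            if ok and not required_failed:
                return True            # stack ends here with success
            # a failing 'sufficient' module is ignored
        elif control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True  # remembered; stack continues
    return any_success and not required_failed

STACK_UNIX = [("sufficient", pam_ldap), ("required", pam_unix)]
STACK_PWDB = [("sufficient", pam_ldap), ("required", pam_pwdb)]

if __name__ == "__main__":
    for user in ("alice", "bob", "root"):
        print(user,
              "pam_unix stack:", run_account_stack(STACK_UNIX, user),
              "pam_pwdb stack:", run_account_stack(STACK_PWDB, user))
```

In this model "bob" is an LDAP user outside the pam_groupdn group: the pam_unix stack still admits him because the required module finds him through NSS, while the pam_pwdb stack rejects him.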