
List:       pamldap
Subject:    [pamldap] pam_ldap and pam_unix... which is the better order?
From:       Brian Nelson <bnelson () cis ! ysu ! edu>
Date:       2001-07-31 23:59:17

Ok. I know that in the examples, pam_ldap is before pam_unix in the 'auth' 
section of pam.conf (on Solaris). I know this works well, and have actually 
recommended it to people in the past.

My question is this: Why is this the recommended (i.e. common) way to do it? Is 
there any specific reasoning?

I have tried it both ways, with the first directive being 'sufficient' and the 
second being 'required' with 'use_first_pass'. Both seem to work just fine.

My question arose when I noticed that putting pam_ldap first (for the dtlogin 
section at least) changes the dtlogin screen. Normally, with pam_unix first, 
dtlogin displays 'Please enter your user name'. With pam_ldap first, it simply 
states 'login:'. This only happens in dtlogin. In telnet and such, both modules 
display 'login:'.

I know this is merely an aesthetic thing, and it really doesn't matter. In fact it's 
probably some other hook that could be added to pam_ldap for dtlogin. I just 
wondered if there is some reason of which (unix or ldap) should be used first 
with the 'sufficient' flag. Does it even matter?

Thanks!

-Brian
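
An added example, not part of the original message: a small Python model of 'sufficient' and 'required' evaluation, run over both orderings described above, to show which attempts are accepted and which module is reached first. The account names, passwords and function names are constructed for illustration, and the model assumes each module simply accepts or rejects a user/password pair (no LDAP outage or other module-specific return codes).

```python
# Added illustration: minimal model of a PAM 'auth' stack.
# Rules modelled: a 'sufficient' success ends the stack with success (if no
# earlier 'required' module failed) and a 'sufficient' failure is ignored;
# a 'required' failure makes the whole stack fail.

# Constructed sample accounts (hypothetical users and passwords).
BACKENDS = {
    "pam_unix": {"root": "local-pw"},
    "pam_ldap": {"alice": "ldap-pw"},
}

# The two orderings from the message; the second module uses use_first_pass.
LDAP_FIRST = [("sufficient", "pam_ldap"), ("required", "pam_unix")]
UNIX_FIRST = [("sufficient", "pam_unix"), ("required", "pam_ldap")]

def run_auth_stack(stack, user, password):
    """Return (authenticated, password_collector, modules_run)."""
    required_failed = False
    modules_run = []
    # The first module collects the password; with use_first_pass the second
    # module reuses that password instead of prompting again.
    password_collector = stack[0][1]
    for control, module in stack:
        modules_run.append(module)
        ok = BACKENDS[module].get(user) == password
        if control == "sufficient":
            if ok and not required_failed:
                return True, password_collector, modules_run
        elif control == "required":
            required_failed = required_failed or not ok
        else:
            raise ValueError("control flag not modelled: " + control)
    return not required_failed, password_collector, modules_run

def compare_orders(attempts):
    """Run each (user, password) attempt through both orderings."""
    rows = []
    for user, password in attempts:
        ldap_first = run_auth_stack(LDAP_FIRST, user, password)
        unix_first = run_auth_stack(UNIX_FIRST, user, password)
        rows.append((user, ldap_first[0], unix_first[0],
                     ldap_first[2], unix_first[2]))
    return rows

# Constructed login attempts: local user, LDAP user, wrong password, unknown.
ATTEMPTS = [("root", "local-pw"), ("alice", "ldap-pw"),
            ("alice", "wrong"), ("mallory", "x")]

if __name__ == "__main__":
    for row in compare_orders(ATTEMPTS):
        print(row)
```

In this model the accept/reject outcome is identical for both orderings; what changes is which module runs first and whether the second module is consulted at all.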
