
List:       pamldap
Subject:    Re: [pamldap] pam_groupdn and the pam stack
From:       Brian Nelson <bnelson () cis ! ysu ! edu>
Date:       2001-08-08 21:32:21


>
>However, when a non-group member logs in I get the message:
>"You must be a uniquemember of cn=admin,ou=Group,o=profitlogic to login."
>but the user can still login. I *know* pam_unix isn't doing the
>authentication, but I can't seem to get it to work. (changing the ordering, or
>making both modules required results in undesirable behavior...)
>

If you're getting this message, then the groupdn checks _are_ working right. The 
account stuff will only be enforced though, if all account modules are required. 
Setting pam_ldap to sufficient defeats the security checks (account pam_unix 
will always return success for ldap accounts in my experience).

What 'undesirable behaviour' are you getting when doing this?

Also, make sure your pam_ldap is fairly current. This was only fixed in about 
v117 or so.

Hope that helps.

-Brian
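
The effect described in the reply above, as an added example that is not part of the original message: a simplified Python model of how Linux-PAM combines the `required`, `requisite` and `sufficient` control flags in the account stack. The stack layouts and the module return codes are assumptions, since the original poster's configuration is not shown in the thread.

```python
# Simplified model of Linux-PAM's handling of the classic control flags
# within one management group (here: account). Not pam_ldap/pam_unix code.
SUCCESS, PERM_DENIED = "PAM_SUCCESS", "PAM_PERM_DENIED"

def evaluate(stack, results):
    """stack: [(control, module)], results: {module: return code}."""
    first_failure = None   # first required/requisite failure decides the outcome
    any_success = False
    for control, module in stack:
        ok = results[module] == SUCCESS
        if control == "sufficient":
            if ok and first_failure is None:
                return SUCCESS          # short-circuits the rest of the stack
            continue                    # a failing sufficient module is ignored
        if control not in ("required", "requisite"):
            raise ValueError("unsupported control flag: " + control)
        if ok:
            any_success = True
            continue
        if first_failure is None:
            first_failure = results[module]
        if control == "requisite":
            return first_failure        # fails immediately
    if first_failure is not None:
        return first_failure
    return SUCCESS if any_success else PERM_DENIED

# Constructed stacks; the original poster's pam.d file is not shown.
STACKS = {
    "ldap_sufficient": [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")],
    "reordered":       [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")],
    "both_required":   [("required", "pam_ldap.so"), ("required", "pam_unix.so")],
}
# Assumed return codes: pam_ldap denies on the pam_groupdn check,
# pam_unix reports success for the LDAP account (as the reply describes).
NON_MEMBER = {"pam_ldap.so": PERM_DENIED, "pam_unix.so": SUCCESS}
MEMBER = {"pam_ldap.so": SUCCESS, "pam_unix.so": SUCCESS}

def outcomes(results):
    return {name: evaluate(stack, results) for name, stack in STACKS.items()}

if __name__ == "__main__":
    for label, results in (("non-member", NON_MEMBER), ("member", MEMBER)):
        for name, rc in outcomes(results).items():
            print(f"{label:10} {name:16} -> {rc}")
```

In this model the non-member is let through whenever pam_ldap is `sufficient`, in either order, and is denied only when both account modules are `required`.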
