Date: Fri, 23 May 2003 00:26:20 +0200
From: Dag-Erling Smorgrav <des@ofug.org>
To: Frank Bonnet <bonnetf@bart.esiee.fr>
Cc: freebsd-current@freebsd.org
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
Message-ID: <xzp65o2zkhf.fsf@flood.ping.uio.no>
In-Reply-To: <20030522184631.A23366@bart.esiee.fr> (Frank Bonnet's message of "Thu, 22 May 2003 18:46:31 +0200")
References: <20030522184631.A23366@bart.esiee.fr>
Frank Bonnet <bonnetf@bart.esiee.fr> writes:
> if in any file of the pam.d directory I replace
> the original line :
>
> auth required pam_unix.so no_warn try_first_pass nullok
>
> by the following
>
> auth sufficient /usr/local/lib/pam_ldap.so
>
> for example in the /etc/pam.d/su file I can perform the "su -"
> command WITHOUT TYPING ANY PASSWORD from a normal user login.

If pam_ldap is the last line, it should be "required", not
"sufficient"; alternatively it should be followed by pam_deny.  This
is (imperfectly) documented in /etc/pam.d/README:

  Note that having a "sufficient" module as the last entry for a
  particular service and module type may result in surprising
  behaviour.  To get the intended semantics, add a "required" entry
  listing the pam_deny module at the end of the chain.

Solaris introduced the "binding" flag to try to alleviate this
problem.  OpenPAM supports "binding", but does not document it
anywhere.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
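The following is an added example, not code from the mail above, from FreeBSD or from OpenPAM. It simulates how a PAM chain is evaluated under the control flags discussed in the thread (required, requisite, sufficient, optional and binding) and runs four constructed, deliberately simplified /etc/pam.d/su "auth" stacks through it: the weak one from the report (a trailing "sufficient" pam_ldap line), the "required" fix, the "sufficient + pam_deny" fix, and the "binding" variant. The evaluation rule it models is an assumption stated in the code (a chain in which no required/requisite/binding module failed returns success, even if nothing succeeded); module results come from a table, and no real PAM module is loaded. The stack strings are constructed and omit the other lines a real su file carries.

```python
"""Simulation of PAM control-flag evaluation: required, requisite,
sufficient, optional and binding.

Added example; not code from the original mail, from FreeBSD or from
OpenPAM. Assumption modelled here: a chain in which no
required/requisite/binding module failed returns PAM_SUCCESS, even if
no module in the chain succeeded. Module results are simulated from a
table; no real PAM module is loaded.
"""

SUCCESS = "PAM_SUCCESS"
IGNORE = "PAM_IGNORE"
AUTH_ERR = "PAM_AUTH_ERR"
PERM_DENIED = "PAM_PERM_DENIED"

# Constructed outcomes for an ordinary user running "su -" and typing
# nothing: the password-checking modules fail, pam_deny always fails.
DEFAULT_RESULTS = {
    "pam_ldap.so": AUTH_ERR,
    "pam_unix.so": AUTH_ERR,
    "pam_deny.so": PERM_DENIED,
}


def parse_chain(text, facility="auth"):
    """Parse pam.d-style lines into (flag, module) pairs for one facility.

    Module paths are reduced to their basename, so /usr/local/lib/pam_ldap.so
    and pam_ldap.so look up the same simulated result.
    """
    chain = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fac, flag, module = line.split()[:3]
        if fac == facility:
            chain.append((flag, module.rsplit("/", 1)[-1]))
    return chain


def dispatch(chain, results):
    """Evaluate one chain and return the PAM result string."""
    first_err = None
    fatal = False
    for flag, module in chain:
        r = results[module]
        if r == IGNORE:
            continue
        if r == SUCCESS:
            # sufficient/binding short-circuit on success, unless a
            # required/binding module earlier in the chain already failed.
            if flag in ("sufficient", "binding") and not fatal:
                break
            continue
        if first_err is None:
            first_err = r
        if flag == "requisite":
            fatal = True
            break
        if flag in ("required", "binding"):
            fatal = True
        # "sufficient" and "optional": a failure is simply not fatal.
    # The surprising part: with no fatal failure recorded the chain
    # succeeds, even when every module in it failed.
    return first_err if fatal else SUCCESS


# Constructed, simplified "auth" stacks for /etc/pam.d/su; the real file
# has more lines, only the line the mail discusses is shown.
WEAK = "auth  sufficient  /usr/local/lib/pam_ldap.so\n"
FIXED_REQUIRED = "auth  required    /usr/local/lib/pam_ldap.so\n"
FIXED_DENY = ("auth  sufficient  /usr/local/lib/pam_ldap.so\n"
              "auth  required    pam_deny.so\n")
FIXED_BINDING = "auth  binding     /usr/local/lib/pam_ldap.so\n"


def su_auth(stack, ldap_result):
    """Result of an su auth stack when pam_ldap returns ldap_result."""
    results = dict(DEFAULT_RESULTS, **{"pam_ldap.so": ldap_result})
    return dispatch(parse_chain(stack), results)


if __name__ == "__main__":
    stacks = [("sufficient (weak)", WEAK), ("required", FIXED_REQUIRED),
              ("sufficient + pam_deny", FIXED_DENY), ("binding", FIXED_BINDING)]
    for name, stack in stacks:
        print(f"{name:24} ldap fails -> {su_auth(stack, AUTH_ERR):16} "
              f"ldap ok -> {su_auth(stack, SUCCESS)}")
```

Running it shows the weak stack returning PAM_SUCCESS when pam_ldap fails, which is the passwordless "su -" from the report; the three other stacks deny in that case and still succeed when pam_ldap succeeds. The "binding" row behaves like "sufficient" on success and like "required" on failure, which is the reason the flag exists.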