On Tuesday 11 October 2005 06:06pm, Bernardo Innocenti wrote:
> Tomas Mraz wrote:
> > Linux-PAM 0.78 and later contains include directive which obsoletes
> > using the pam_stack module. This module is rather a hack as it requires
> > access to pam library internals for its operation and will never be
> > accepted to upstream.
>
> Thank you. Simplifying PAM configuration was badly needed.
>
> I have a few wishlist entries to submit, if you have time to
> consider them:
>
> - For some reason, pam_ldap interacts strangely with pam_unix.
>   Even though pam_unix comes before it and is "sufficient",

Not sure how to explain that.

>   nobody can login when the network is down or slapd is down.

That is normal...unless you have configured your systems to cache authentication credentials locally so that they can authenticate disconnected.

>   Also, you can login as root with root's password from ldap
>   even though there's a valid root entry in /etc/passwd.

Yup. That's normal, because, when the pam_unix.so check for root fails, the "sufficient" line will not affect the overall outcome of the authentication attempt, then PAM moves on to the next line and succeeds with the sufficient pam_ldap.so line.

This is part of the reason why having root credentials in your central authentication store is a BIG NO-NO. You should *only* have root credentials locally on each machine.

[SNIP]
-- 
Lamont R. Peterson <lamont@xxxxxxxxxxxx>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
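
The stack behaviour described in the reply above, as an added example that is not part of the original message: a simplified Python model of how PAM treats two consecutive `sufficient` lines. The accounts, passwords and the closing `pam_deny` line are constructed assumptions; only the `pam_unix` then `pam_ldap` ordering comes from the thread.

```python
# Simplified model of an "auth" stack walk (added example, not libpam code).
# Only the "sufficient" and "required" control flags are modelled.

# Constructed sample data: local accounts and two versions of a directory.
LOCAL = {"root": "local-root-pw"}
LDAP_WITH_ROOT = {"root": "ldap-root-pw", "alice": "alice-pw"}
LDAP_NO_ROOT = {"alice": "alice-pw"}


def pam_unix(user, password, ldap):
    """Stand-in for pam_unix.so: checks the local account database only."""
    return LOCAL.get(user) == password


def pam_ldap(user, password, ldap):
    """Stand-in for pam_ldap.so: checks the central directory only."""
    return ldap.get(user) == password


def pam_deny(user, password, ldap):
    """Stand-in for pam_deny.so: always fails."""
    return False


# Order from the thread; the final pam_deny line is an assumption.
STACK = [
    ("sufficient", pam_unix),
    ("sufficient", pam_ldap),
    ("required", pam_deny),
]


def authenticate(user, password, ldap, stack=STACK):
    """Return True if the stack grants access for this user and password."""
    required_failed = False
    success_seen = False
    for control, module in stack:
        ok = module(user, password, ldap)
        if control == "sufficient":
            # Success ends the walk at once; failure is ignored and the
            # walk simply continues with the next line.
            if ok and not required_failed:
                return True
        elif control == "required":
            if ok:
                success_seen = True
            else:
                required_failed = True
    return success_seen and not required_failed
```

With a root entry in the directory, `authenticate("root", "ldap-root-pw", LDAP_WITH_ROOT)` succeeds alongside the local password; with `LDAP_NO_ROOT` only the local root password is accepted.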