On 10/11/05, Lamont R. Peterson <lamont@xxxxxxxxxxxx> wrote:
> On Tuesday 11 October 2005 06:06pm, Bernardo Innocenti wrote:
> > Tomas Mraz wrote:
> > > Linux-PAM 0.78 and later contains include directive which obsoletes
> > > using the pam_stack module. This module is rather a hack as it requires
> > > access to pam library internals for its operation and will never be
> > > accepted to upstream.
> >
> > Thank you. Simplifying PAM configuration was badly needed.
> >
> > I have a few wishlist entries to submit, if you have time to
> > consider them:
> >
> > - For some reason, pam_ldap interacts strangely with pam_unix.
> > Even though pam_unix comes before it and is "sufficient",
>
> Not sure how to explain that.
>
> > nobody can login when the network is down or slapd is down.
>
> That is normal...unless you have configured your systems to cache
> authentication credentials locally so that they can authenticate
> disconnected.
>

I think the problem comes with outside expectations. The idea would be
that if pam_unix comes back with a correct passwd as "sufficient"
etc., then you shouldn't need pam_krb/pam_ldap. The problem is that the
pam model seems to try to check the ones below even when not needed
(possibly because something lower in the stack could invalidate it?).
So when the network is down, it acts like a show-stopper, either
through a network timeout longer than the login timeout or by coming
back as a failure and pam counting it.

Putting in timeout modes and such didn't seem to help me when I tried
this back in RHL 7.3 days. It has been a problem with our laptop users
because it effectively requires them to re-run authconfig whenever
they go off the wire.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
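
For reference on the "sufficient" ordering discussed in this thread, the following is an added example, not code from any poster or from Linux-PAM: a simplified Python model of the documented control flags (required, requisite, sufficient, optional) applied to one auth stack. The stack layout and the module results are constructed assumptions; it models only control-flag evaluation, not network timeouts or the other management groups.

```python
# Added illustration (not from the thread): a simplified model of how
# Linux-PAM evaluates the simple control flags within one stack.
# Module results below are constructed; no real PAM module is called.

def run_stack(stack, results):
    """Evaluate a stack of (control, module) pairs in file order.

    results maps module name -> True (module succeeds) / False (it fails).
    Returns (verdict, called): overall True/False and the modules invoked.
    """
    called = []
    failed = False      # a required module has failed
    succeeded = False   # some module has returned success
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "requisite" and not ok:
            return False, called        # fail immediately
        if control == "required" and not ok:
            failed = True               # remember the failure, keep going
        if control == "sufficient" and ok and not failed:
            return True, called         # succeed immediately, skip the rest
        if ok:
            succeeded = True            # sufficient/optional failures are ignored
    return (succeeded and not failed), called

# Constructed auth stack in the shape discussed: pam_unix before pam_ldap,
# both "sufficient", with pam_deny as the final catch-all (assumed layout).
AUTH_STACK = [
    ("required",   "pam_env"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_ldap"),
    ("required",   "pam_deny"),
]

# Constructed case 1: local account, correct password, directory unreachable.
LOCAL_USER = {"pam_env": True, "pam_unix": True,
              "pam_ldap": False, "pam_deny": False}
# Constructed case 2: directory-only account, directory unreachable.
LDAP_USER = {"pam_env": True, "pam_unix": False,
             "pam_ldap": False, "pam_deny": False}

if __name__ == "__main__":
    for name, res in (("local", LOCAL_USER), ("ldap-only", LDAP_USER)):
        verdict, called = run_stack(AUTH_STACK, res)
        print(name, "->", "success" if verdict else "failure", "called:", called)
```

The second element of the return value lists which modules were invoked, which is the useful thing to compare against real module debug logs when checking whether a lower entry in the stack was reached.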