>>>>> "Luke" == Luke Howard <lukeh@PADL.COM> writes:

>> account required pam_unix.so
>> account [default=die success=ok authinfo_unavail=ignore user_unknown=ignore] pam_ldap.so

>> This means that pam_ldap can happily return PAM_USER_UNKNOWN,
>> and PAM can then ignore this return value. This works, but
>> doesn't satisfy the policy I've outlined above.

Luke> You can also use the ignore_unknown_user option to pam_ldap,
Luke> for versions of PAM that do not support this extended
Luke> configuration syntax.

I know about this option, but it still doesn't help me satisfy the policy I'm after: do not run any code (especially network-related code) that doesn't need to be run. I do not want to run any pam_ldap code (or nss_ldap code, for that matter) for locally defined users. Running such code is unnecessary. I should be able to implement this policy...

By the way, I definitely appreciate the efforts of the people who work on PAM, pam_ldap or OpenLDAP. I'm not trying to denigrate anyone or the software they produce. I'm just trying to solve what I see as a bigger problem...

Thanks...

peace & happiness,
martin
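An added example, not from this thread and not code from the PAM, pam_ldap or OpenLDAP projects: a small Python model of how Linux-PAM walks an account stack, following the control-flag semantics documented in pam.conf(5) (ok, done, bad, die, ignore and integer jumps; `reset` is not modelled). It runs the two-line stack quoted above against constructed per-module return values for a local user, which shows that pam_ldap.so is still invoked for that user even though its result is ignored. It then goes one step beyond the thread with an assumed alternative stack in which pam_localuser.so (a real Linux-PAM module that succeeds only for users listed in /etc/passwd) jumps over pam_ldap.so for local accounts, and shows that the jump does not mask a pam_unix failure for such an account. The per-user return values are constructed for the demonstration; whether the alternative stack suits a given system is a deployment decision the thread itself does not make.

```python
# Toy evaluator for Linux-PAM account-stack control flags (added example,
# constructed for illustration; simplified model of pam.conf(5) semantics).

LEGACY = {  # documented expansions of the keyword controls
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(token):
    """Turn 'required' or '[success=ok default=bad]' into {retval: action}."""
    token = LEGACY.get(token, token)
    if not (token.startswith("[") and token.endswith("]")):
        raise ValueError("bad control token: %r" % token)
    return dict(pair.split("=", 1) for pair in token[1:-1].split())

def parse_stack(text):
    """Parse 'type control module [args]' lines into [(control, module)]."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):                 # bracketed control syntax
            control, rest = rest.split("]", 1)
            control += "]"
        else:                                    # keyword control
            control, rest = rest.split(None, 1)
        stack.append((parse_control(control), rest.split()[0]))
    return stack

def run_stack(stack, results):
    """Walk the stack. `results` maps module -> the value that module would
    return for this user. Returns (overall result, list of modules invoked)."""
    impression, status, invoked, i = None, None, [], 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        invoked.append(module)                   # the module is called here
        rv = results[module]
        action = control.get(rv, control.get("default", "bad"))
        if action == "ignore":
            continue
        if action.isdigit():                     # jump N: counts as ok, skips N entries
            if impression is None:
                impression, status = "positive", "success"
            i += int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", rv
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":         # first failure wins
                impression, status = "negative", rv
            if action == "die":
                break
        else:
            raise ValueError("unsupported action %r" % action)
    return (status if impression else "perm_denied"), invoked

# The stack quoted in the thread.
THREAD_STACK = """
account required pam_unix.so
account [default=die success=ok authinfo_unavail=ignore user_unknown=ignore] pam_ldap.so
"""

# Assumed alternative: pam_localuser.so succeeds for users in /etc/passwd and
# jumps over pam_ldap.so; any non-success value falls under default=ignore.
LOCAL_FIRST_STACK = """
account required pam_unix.so
account [success=1 default=ignore] pam_localuser.so
account [default=die success=ok authinfo_unavail=ignore user_unknown=ignore] pam_ldap.so
"""

# Constructed per-user module outcomes.
LOCAL_USER = {"pam_unix.so": "success", "pam_localuser.so": "success",
              "pam_ldap.so": "user_unknown"}
EXPIRED_LOCAL_USER = {"pam_unix.so": "acct_expired", "pam_localuser.so": "success",
                      "pam_ldap.so": "user_unknown"}
DIRECTORY_USER = {"pam_unix.so": "success", "pam_localuser.so": "perm_denied",
                  "pam_ldap.so": "success"}

def modules_called(config, user):
    """Return (overall result, modules invoked) for one config and one user."""
    return run_stack(parse_stack(config), user)

if __name__ == "__main__":
    for name, cfg in (("thread stack", THREAD_STACK), ("local-first stack", LOCAL_FIRST_STACK)):
        for who, outcome in (("local user", LOCAL_USER), ("directory user", DIRECTORY_USER)):
            print("%-17s %-14s -> %s" % (name, who, modules_called(cfg, outcome)))
```

With the thread's stack, a local user still causes pam_ldap.so to be invoked (its user_unknown is merely ignored); with the local-first stack, pam_ldap.so is never reached for that user, while a directory user still flows through to it.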