>>>>> "Steve" == Steve Langasek <vorlon@netexpress.net> writes:
>> However, I started this thread using almost exactly the same
>> example, except for account modules. That doesn't work... :-(
Steve> IIRC, pam_ldap should not be invoked in the above for any
Steve> accounts that successfully authenticate using pam_unix. At
Steve> the very least, Linux-PAM makes it possible to ensure
Steve> pam_ldap is not invoked, via its extended configuration
Steve> syntax.
Steve> auth [success=done default=ignore] pam_unix.so
Steve> auth required pam_ldap.so use_first_pass
Steve> This guarantees that pam_ldap will not be invoked if
Steve> pam_unix succeeds.
I know I'm getting boring, but:
However, I started this thread using almost exactly the same
example, except for *account* modules. That doesn't work... :-(
That is s/auth/account/ and it doesn't work.
Steve> The one slowdown will be with initgroups() (yes, I meant
Steve> initgroups() earlier, not getgroups()). There's no way
Steve> around that; you can lower your timeouts in nss_ldap, or
Steve> you can modify your login app to not call initgroups().
There is a slowdown if you use pam_unix_account, because it does its
account checking via NSS. What's worse, if you are a remotely defined
user (for example, in an LDAP directory), when it finds you (via NSS)
it will probably succeed and following modules will not be invoked (if
you use sufficient or [success=done]).
Before I understood the initgroups() problem, this was my major
complaint...
peace & happiness,
martin
