Hi

Just going through the process of setting up ldap authentication. Things seem to be working fine except when I go to do some fine control over who can log into each machine.

My nsswitch looks like this:

    passwd: files ldap
    group:  files ldap
    shadow: files

My common-auth looks like:

    auth [success=1 default=ignore] pam_unix.so nullok_secure
    auth required pam_ldap.so ignore_unknown_user use_first_pass
    auth required pam_permit.so

I got this from the readme in the libpam-ldap package. I am using debian AMD64 testing/unstable.

I have added a variable hosts=* to my test uid entry, and I have placed pam_filter in /etc/pam_ldap.conf:

    pam_filter host=this.is.a.test

When I test it with the above configuration I see no requests with search variables host=. When I modify my common-auth to look like this:

    #auth [success=1 default=ignore] pam_unix.so nullok_secure
    auth required pam_ldap.so ignore_unknown_user use_first_pass
    auth required pam_permit.so

and re-run my test (which is to login via ssh), I do see a search with the host in it and looking for this.is.a.test, but I do not get denied.

Q1) If pam_ldap.so fails because of the host command, why does it still allow me in even though there is a pam_permit afterwards? Shouldn't the required part fail the whole lookup?

Q2) Why, when I uncomment the first line, does it not use the pam_filter defined in pam_ldap.conf? My presumption is that pam_unix uses glibc and thus nsswitch - is this the catch, that it accesses the ldap via glibc because of my nsswitch setup above?

Q3) The above also seems to be causing problems with my xscreensaver unlocking in the former state; it unlocks with any password. You can see the failure in syslog, but it still unlocks.

Thanks
Alex
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
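As an added illustration (not part of Alex's message or of libpam-ldap), a small Python model of the Linux-PAM auth-stack control flags, run over the two common-auth stacks quoted above, shows what a `required` failure does to the overall result and when the `[success=1 default=ignore]` line skips pam_ldap entirely (so its pam_filter is never consulted). The per-module outcomes are constructed inputs, and the model simplifies the real library (optional entries and the all-ignored stack case are not modelled).

```python
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
RETNAME = {PAM_SUCCESS: "success", PAM_AUTH_ERR: "auth_err"}  # names used inside [...] controls

def parse_line(line):
    """Parse 'auth <control> <module> [args]' into (control, module); control may be bracketed."""
    rest = line.split(None, 1)[1].strip()
    if rest.startswith("["):
        end = rest.index("]")
        control, rest = rest[:end + 1], rest[end + 1:]
    else:
        control, rest = rest.split(None, 1)
    return control, rest.split()[0]

def evaluate(stack, results):
    """Walk an auth stack with Linux-PAM control semantics: 'required' remembers the first
    failure but keeps going, 'requisite' fails at once, 'sufficient' succeeds at once if nothing
    required has failed, and in '[...]' an integer action skips that many entries, 'ignore'
    drops the result, 'bad'/'die' record a failure ('die' also stops). Simplified model."""
    fail, i = None, 0
    while i < len(stack):
        control, module = stack[i]
        r = results[module]
        if control == "required":
            fail = fail or (None if r == PAM_SUCCESS else r)
        elif control == "requisite" and r != PAM_SUCCESS:
            return r
        elif control == "sufficient" and r == PAM_SUCCESS and fail is None:
            return PAM_SUCCESS
        elif control.startswith("["):
            actions = dict(a.split("=") for a in control.strip("[]").split())
            act = actions.get(RETNAME[r], actions.get("default", "bad"))
            if act.isdigit():
                i += int(act)          # jump over the next N entries (here: skip pam_ldap)
            elif act in ("bad", "die"):
                fail = fail or r
                if act == "die":
                    return fail
        i += 1
    return fail or PAM_SUCCESS

# The two common-auth stacks from the post; in STACK_B the pam_unix line is commented out.
STACK_A = """auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so ignore_unknown_user use_first_pass
auth required pam_permit.so"""
STACK_B = "#" + STACK_A

def run(stack_text, unix, ldap):
    """Stack result for the given pam_unix / pam_ldap outcomes; pam_permit.so always succeeds."""
    stack = [parse_line(l) for l in stack_text.splitlines() if not l.startswith("#")]
    return evaluate(stack, {"pam_unix.so": unix, "pam_ldap.so": ldap, "pam_permit.so": PAM_SUCCESS})
```

In this model a `required` pam_ldap failure is never rescued by the trailing pam_permit, and in the first stack a successful pam_unix jumps straight past pam_ldap, which is why no host= search appears.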