Hi list,

I'm customizing a setup (ldap authentication, not on Red Hat). I was wondering what the effect of using controls like "required" or "optional" on authorisation was in "session". I suppose, if you use unix authentication with a fallback on ldap, you make the setup for "session" analogous. But does it matter if you make all the modules "required"?

Probably there will never be a user defined both locally and in ldap, so what happens if you set the first one "required" as in the example on the Debian wiki (http://wiki.debian.org/LDAP/PAM)? It would cause the stack to fail if the user doesn't exist locally, but in the case of "session" does that even matter, since "session" is mostly meant for householding?

It seems (just tried it out) that the "account" settings for the pam_unix module are still used even if the module did not authenticate the user in "auth" (i.e. it's a user in ldap); so is the only correct way to configure the first line(s) in "account" or "session" in a setup where you use multiple authentication backends to specify "user_unknown=ignore"?

--
Frank Van Damme
A: Because it destroys the flow of the conversation.
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mailing lists or on Usenet?
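
Added example, not part of the original post: a simplified Python model of how Linux-PAM combines control actions within one stack, applied to the "account" case described above. The module return values and the two stacks are constructed for illustration, and jump and reset actions are not modelled.

```python
# Simplified model of how Linux-PAM evaluates one stack (no jump or reset actions).
# Keyword expansions are the ones documented in pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
# Bracket form that behaves like "required" except that an unknown user is skipped.
REQUIRED_IF_KNOWN = ("[success=ok new_authtok_reqd=ok ignore=ignore "
                     "user_unknown=ignore default=bad]")

def parse_control(control):
    """Return {return_value: action} for a keyword or a [value=action ...] control."""
    text = KEYWORDS.get(control, control)
    return dict(pair.split("=", 1) for pair in text.strip("[]").split())

def run_stack(stack, results):
    """stack: [(control, module)]; results: {module: return value name}.
    Returns the name of the value the whole stack yields."""
    status, failed = None, False
    for control, module in stack:
        ret = results[module]
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])  # model assumes a default is given
        if action in ("ok", "done"):
            if status is None or (not failed and status == "success"):
                status = ret
            if action == "done" and not failed:
                break
        elif action in ("bad", "die"):
            if not failed:            # the first failure decides the final status
                status, failed = ret, True
            if action == "die":
                break
    # action "ignore" changes nothing; if nothing counted, libpam fails closed.
    if status is None or (failed and status == "success"):
        return "must_fail"
    return status

# Constructed module results for three kinds of user (assumed return values).
LDAP_ONLY = {"pam_unix": "user_unknown", "pam_ldap": "success"}
LOCAL_ONLY = {"pam_unix": "success", "pam_ldap": "user_unknown"}
NOWHERE = {"pam_unix": "user_unknown", "pam_ldap": "user_unknown"}
BOTH_REQUIRED = [("required", "pam_unix"), ("required", "pam_ldap")]
TOLERANT = [(REQUIRED_IF_KNOWN, "pam_unix"), (REQUIRED_IF_KNOWN, "pam_ldap")]

if __name__ == "__main__":
    for user in (LDAP_ONLY, LOCAL_ONLY, NOWHERE):
        print(user, run_stack(BOTH_REQUIRED, user), run_stack(TOLERANT, user))
```

In this model a user unknown to both backends still fails the tolerant stack, because a stack in which every module is ignored does not return success.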