Re: problem with PAM and LDAP
On Wed, Aug 22, 2001 at 06:14:33PM +0200, Russell Coker wrote:
> Now the problem is that the presence of libpam-ldap circumvents the
> pam_min_uid setting. This is because the pam_min_uid value is checked in the
> "account" section of PAM, not the "auth" section. It's mandatory to have PAM
> set up to use pam_unix.so (for root logins when LDAP is broken). This means
> that if you have pam_min_uid then the system will just use the "account"
> section from pam_unix.so, disregarding the failure of "account" in pam_ldap.so.
>
> So my question is, is this a bug in libpam-ldap that should be fixed by
> moving it to the "auth" section? Or is there something in PAM setup that I
> should change to solve this? Or should it be checked in both "auth" and
> "account"?
I brought the question up on the pamldap list, and so far I haven't gotten
any answer why pam_min_uid and pam_max_uid are not checked in auth
queries..
One explanation was that the account section does the actual validation of whether
the user has the right to access the service in question..
I haven't tried this, or seen how it works.. but basically it does its
job.. whether it shows info if the login went ok, that I don't know, but
for what I think it should not look any different to the user whether he
has the wrong password or is restricted with pam_min_uid or
pam_max_uid..
Sami
--
-< Sami Haahtinen >-
-[ Is it still a bug, if we have learned to live with it? ]-
-< 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C >-
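The stacking behaviour Russell describes depends on the control flags in the "account" section of the PAM service file. As an added illustration (constructed here, not from either poster or from the libpam-ldap package), the first fragment shows a typical stack where "sufficient pam_ldap.so" lets pam_unix.so's success override pam_ldap's pam_min_uid denial; the second uses Linux-PAM's bracketed result syntax so that a pam_ldap policy denial is fatal while an unreachable directory (authinfo_unavail) or a user that is simply not in LDAP (user_unknown) still falls through to pam_unix.so, keeping local root logins working when LDAP is down. The result names are standard Linux-PAM ones; that pam_ldap reports a pam_min_uid violation as something other than those two results is an assumption.

```text
# Weak stacking (constructed example): "sufficient" only short-circuits the
# stack on success, so a pam_ldap account failure is silently ignored and
# pam_unix.so then grants access; pam_min_uid in pam_ldap.conf is bypassed.
account sufficient pam_ldap.so
account required   pam_unix.so

# Tighter stacking (constructed example): any pam_ldap result except
# "directory unreachable" or "user not known to LDAP" is a hard failure,
# while those two are ignored so local accounts (root) still work offline.
account [success=ok new_authtok_reqd=ok user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so
account required pam_unix.so
```

The second form enforces the pam_ldap policy only for users the directory actually answers for; a user present in both LDAP and /etc/passwd is still denied if pam_ldap denies them, since pam_unix.so cannot override a "bad" result.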