Re: LDAP authentication with PAM
>>>>> "Wichert" == Wichert Akkerman <wichert@cistron.nl> writes:
Wichert> Previously Brian May wrote:
>> I don't suppose there is any way of saying "skip the next rule
>> if this one succeeds", is there?
Wichert> Not as far as I know; it would be a very useful extension
Wichert> though.
I can't help but think that the current method is very inflexible.
For instance, something like this would be totally impossible
(although maybe this is beyond the capabilities of PAM too):
if (auth pam_unix) {
    session pam_unix
    account pam_unix
    password pam_unix
} else if (auth pam_ldap) {
    session pam_ldap
    account pam_ldap
    password pam_ldap
} else { ???
    session pam_deny
    account pam_deny
    password pam_deny
}
So my point is: if I log in via pam_unix, it should use pam_unix
services, but if I log in via pam_ldap, it should use pam_ldap
services. I don't think this is possible though, as each service is
considered totally independent.
So with my current setup, if I auth via pam_ldap, I could get pam_unix
for the session, account, and password services, which I consider
unexpected behaviour.
--
Brian May <bam@debian.org>
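The "skip the next rule if this one succeeds" control does exist in later Linux-PAM as `[success=N default=ignore]` (see pam.conf(5)). The following is an added Python model of how a PAM stack is walked, written for this thread rather than taken from Linux-PAM or from the mail; the users and stacks are constructed, and the module functions are stand-ins for pam_unix, pam_ldap, pam_deny and pam_permit. It shows the jump control and why the management groups still evaluate independently, which is the behaviour Brian objects to.

```python
# Added model of Linux-PAM stack evaluation (not PAM's own code). Each
# management group (auth, account, session, ...) is a separate list that
# is walked on its own. A control maps the module result ("success" or
# "default") to an action: "ok", "done", "bad", "die", "ignore", or an
# int N meaning jump over the next N entries (assumption: modelled as
# ok plus the jump; the stacks below do not depend on that detail
# because the trailing pam_permit records the success explicitly).
OK, DONE, BAD, DIE, IGNORE = "ok", "done", "bad", "die", "ignore"
REQUIRED = {"success": OK, "default": BAD}
REQUISITE = {"success": OK, "default": DIE}
SUFFICIENT = {"success": DONE, "default": IGNORE}

def skip(n):  # "[success=N default=ignore]": the rule asked for in the mail
    return {"success": n, "default": IGNORE}

def run_stack(stack, user):
    status = None                 # None: no module has contributed yet
    i = 0
    while i < len(stack):
        control, module = stack[i]
        action = control["success" if module(user) else "default"]
        i += 1
        if action == IGNORE:
            continue
        if action in (BAD, DIE):
            status = False        # a recorded failure is never overridden
        elif status is None:
            status = True         # ok / done / jump: first contribution wins
        if isinstance(action, int):
            i += action           # jump over the next N entries
        if action in (DONE, DIE):
            break
    return bool(status)

# Constructed user databases: "alice" is local, "bob" exists only in LDAP.
LOCAL_USERS, LDAP_USERS = {"alice"}, {"bob"}
def pam_unix(user): return user in LOCAL_USERS
def pam_ldap(user): return user in LDAP_USERS
def pam_permit(user): return True
def pam_deny(user): return False

# Debian-style auth chain: a success jumps over the remaining sources to
# pam_permit; if nothing succeeds, pam_deny ends the stack with a failure.
CHAINED = [(skip(2), pam_unix), (skip(1), pam_ldap),
           (REQUISITE, pam_deny), (REQUIRED, pam_permit)]
# The situation from the mail: auth consults LDAP, the other groups do not.
CONFIG = {"auth": CHAINED, "account": [(REQUIRED, pam_unix)],
          "session": [(REQUIRED, pam_unix)]}

def login(user, config=CONFIG):
    """Groups are evaluated independently: the auth result does not choose
    which modules the account or session stacks use."""
    return {group: run_stack(stack, user) for group, stack in config.items()}
```

For the LDAP-only user the auth stack succeeds while account and session fail, which is exactly the mismatch the mail describes.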