[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: LDAP authentication with PAM

>>>>> "Wichert" == Wichert Akkerman <wichert@cistron.nl> writes:

    Wichert> Previously Brian May wrote:
    >> I don't suppose there is anyway of saying "skip the next rule
    >> if this one succeeds" is there?

    Wichert> Not as far as I know; it would be a very useful extension
    Wichert> though.

I can't help but think that the current method is very inflexible.

For instance, something like this would be totally impossible
(although maybe this is beyond the capabilities of PAM too):

if (auth pam_unix) {
  session  pam_unix
  account  pam_unix
  password pam_unix
} else if (auth pam_ldap) {
  session  pam_ldap
  account  pam_ldap
  password pam_ldap
} else { ???
  session pam_deny
  account pam_deny
  password pam_deny

So my point being, if I login via pam_unix, it should use pam_unix
services, but if I login via pam_ldap, it should use pam_ldap
services. I don't think this is possible though, as each service is
considered totally independent.

So with my current setup if I auth via pam_ldap, I could get pam_unix
for session, account, and password services which I consider
unexpected behaviour.
Brian May <bam@debian.org>

Reply to: