Re: LDAP authentication with PAM
On 14 Apr 2001, Brian May wrote:
> >>>>> "Wichert" == Wichert Akkerman <wichert@cistron.nl> writes:
> Wichert> Previously Brian May wrote:
> >> 1. pam_lastlog, pam_motd, pam_mail, etc do not appear to get
> >> used if pam_unix is used. I think this is because pam_ldap
> >> fails, and further processing is stopped.
> Wichert> That is because you used `sufficient' instead of
> Wichert> `required' for pam_unix: that one succeeds and PAM
> Wichert> doesn't bother to process the rest anymore.
> I don't suppose there is any way of saying "skip the next rule if this
> one succeeds" is there?
> Otherwise, like I said, I will have to move these lines down to the
> bottom.
session [success=1 default=ok] pam_unix.so
session required pam_ldap.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
This is a Linux-specific extension to PAM which has been available for some
time now. It's documented in section 4.1 of the Linux-PAM System
Administrators' Guide: 'Configuration file syntax'. See the libpam-doc
package for the relevant documentation.
However, there's probably an easier way to do what you want here. The
pam_unix session module is a complete no-op, and I suspect that this may be
true for pam_ldap as well. In which case, you can pick one of [pam_unix,
pam_ldap, pam_permit], put that at the top, and put your other three modules
immediately after.
Regards,
Steve Langasek
postmodern programmer
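To make the control-flow difference concrete, here is an added example (not part of the original thread) that simulates how Linux-PAM walks a session stack under the classic keywords and the `[value=action]` syntax. Module results are constructed inputs rather than calls into real PAM modules, and the semantics are simplified to a success/fail result per module.

```python
# Added example: simplified simulator of how Linux-PAM walks a module stack;
# module results are constructed inputs, not calls into real PAM modules.

# Classic keywords in their equivalent [value=action] form (success/default only).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """Value->action table for 'sufficient', 'required', ... or '[success=1 default=ok]'."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, outcomes):
    """Walk (control, module) pairs; `outcomes` maps module -> constructed result
    ("success" unless listed).  Returns (verdict, modules that actually ran)."""
    executed, failed, i = [], False, 0
    while i < len(stack):
        control, module = stack[i]
        result = outcomes.get(module, "success")
        executed.append(module)
        actions = parse_control(control)
        action = actions.get(result, actions["default"])
        i += 1
        if action.isdigit():        # N: behaves like "ok" but skips the next N modules
            i += int(action)
        elif action == "done":      # stop here with the current verdict (sufficient)
            break
        elif action == "bad":       # remember the failure, keep processing
            failed = True
        elif action == "die":       # remember the failure and stop
            failed = True
            break
        # "ok" and "ignore": continue with the next module
    return ("fail" if failed else "success"), executed

# The stack from the original question, and the jump-based one from the reply.
SUFFICIENT_STACK = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so"),
                    ("optional", "pam_lastlog.so"), ("optional", "pam_motd.so"),
                    ("optional", "pam_mail.so")]
JUMP_STACK = [("[success=1 default=ok]", "pam_unix.so")] + SUFFICIENT_STACK[1:]

if __name__ == "__main__":
    print(run_stack(SUFFICIENT_STACK, {}))                 # only pam_unix runs
    print(run_stack(JUMP_STACK, {}))                       # pam_ldap skipped, rest runs
    print(run_stack(JUMP_STACK, {"pam_unix.so": "fail"}))  # falls through to pam_ldap
```

The first call reproduces the symptom from the question (pam_lastlog, pam_motd and pam_mail never run after a successful `sufficient` pam_unix); the second shows the `success=1` jump skipping pam_ldap while still reaching the three optional modules.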