
problem with PAM and LDAP



We have pam_min_uid and pam_max_uid settings in /etc/pam_ldap.conf for the 
obvious reasons.

Anyone who uses libpam-ldap needs to use libnss-ldap so that "ls -l" can show 
the owners of files that were created from LDAP logins.

Now the problem is that the presence of libpam-ldap circumvents the 
pam_min_uid setting.  This is because the pam_min_uid value is checked in the 
"account" section of PAM not the "auth" section.  It's mandatory to have PAM 
set up to use pam_unix.so (for root logins when LDAP is broken).  This means 
that if you have pam_min_uid then the system will just use the "account" 
section from pam_unix.so disregarding the failure of "account" in pam_ldap.so.


So my question is, is this a bug in libpam-ldap that should be fixed by 
moving it to the "auth" section?  Or is there something in PAM setup that I 
should change to solve this?  Or should it be checked in both "auth" and 
"account"?

Also as a further complication, I want to have pam_unix.so listed before 
pam_ldap.so so that if there is a network problem causing LDAP timeouts I can 
still login as root.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
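As an added illustration (not part of the original message), the following is a small model of how PAM evaluates the control flags of an "account" stack; it shows why a pam_ldap.so failure is never seen when a "sufficient" pam_unix.so precedes it. The module behaviours, control flags, uid values and the pam_min_uid value are simplified assumptions, not the real modules' code.

```python
"""Constructed model of classic PAM stacking (required / requisite /
sufficient / optional). Module behaviour is simplified for illustration."""

PAM_MIN_UID = 1000  # assumed stand-in for pam_min_uid in /etc/pam_ldap.conf


def pam_unix_account(user):
    # Assumption: pam_unix's account check passes for any user NSS can
    # resolve, which with libnss-ldap includes LDAP users.
    return user["known"]


def pam_ldap_account(user):
    # Assumption: pam_ldap ignores users not in LDAP (None = PAM_IGNORE)
    # and enforces pam_min_uid for those that are.
    if not user["ldap"]:
        return None
    return user["uid"] >= PAM_MIN_UID


MODULES = {"pam_unix.so": pam_unix_account, "pam_ldap.so": pam_ldap_account}

# Two candidate "account" stacks as (control, module) pairs.
STACK_SUFFICIENT_FIRST = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so")]
STACK_BOTH_REQUIRED = [("required", "pam_unix.so"), ("required", "pam_ldap.so")]


def run_stack(stack, user):
    """Evaluate a stack; returns (access_granted, modules_actually_consulted)."""
    failed = False
    consulted = []
    for control, module in stack:
        result = MODULES[module](user)
        consulted.append(module)
        if result is None:          # module ignored itself; no effect on outcome
            continue
        if control == "required":
            failed = failed or not result   # remember failure, keep going
        elif control == "requisite":
            if not result:
                return False, consulted     # fail immediately
        elif control == "sufficient":
            if result and not failed:
                return True, consulted      # short-circuit: rest never runs
        # "optional" only matters when it is the sole module; ignored here
    return not failed, consulted


if __name__ == "__main__":
    low_uid_ldap_user = {"known": True, "ldap": True, "uid": 500}  # constructed
    print(run_stack(STACK_SUFFICIENT_FIRST, low_uid_ldap_user))  # pam_ldap skipped
    print(run_stack(STACK_BOTH_REQUIRED, low_uid_ldap_user))     # denied
```

With both modules "required", a local root account (not in LDAP) is still admitted in this model because pam_ldap.so ignores it rather than failing it, which is the case the message wants to keep working.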
