problem with PAM and LDAP
We have pam_min_uid and pam_max_uid settings in /etc/pam_ldap.conf for the
obvious reasons.
Anyone who uses libpam-ldap needs to use libnss-ldap so that "ls -l" can show
the owners of files that were created from LDAP logins.
Now the problem is that the presence of libpam-ldap circumvents the
pam_min_uid setting. This is because the pam_min_uid value is checked in the
"account" section of PAM not the "auth" section. It's mandatory to have PAM
set up to use pam_unix.so (for root logins when LDAP is broken). This means
that if you have pam_min_uid then the system will just use the "account"
section from pam_unix.so disregarding the failure of "account" in pam_ldap.so.
So my question is, is this a bug in libpam-ldap that should be fixed by
moving it to the "auth" section? Or is there something in PAM setup that I
should change to solve this? Or should it be checked in both "auth" and
"account"?
Also as a further complication, I want to have pam_unix.so listed before
pam_ldap.so so that if there is a network problem causing LDAP timeouts I can
still log in as root.
--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
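As an added illustration, not part of the original message: the masking described above follows from the PAM control flags in the "account" stack. The fragment below is a constructed /etc/pam.d-style account stack using the pam_unix.so and pam_ldap.so modules named in the message; the Linux-PAM control-flag semantics and the pam_ldap.so return codes mapped in the last variant are assumptions to verify against the installed versions.

```text
# Constructed example, not from the original post. Assumes Linux-PAM
# control-flag semantics and the pam_unix.so / pam_ldap.so modules named above.

# Stack that shows the problem: a success from pam_unix.so is "sufficient",
# so PAM returns success at once and never consults pam_ldap.so, whose
# pam_min_uid check lives in the account phase and is therefore disregarded.
account sufficient pam_unix.so
account required   pam_ldap.so

# Stack where both modules must pass: "required" keeps running the remaining
# modules but remembers any failure, so a pam_ldap.so account failure (for
# example a uid below pam_min_uid) fails the whole account phase even though
# pam_unix.so succeeded. Listing pam_unix.so first no longer hides the result.
account required pam_unix.so
account required pam_ldap.so

# Same idea with the bracketed control syntax, keeping pam_unix.so first so a
# local root account is not blocked while LDAP is unreachable: a user LDAP
# does not know about, or an LDAP outage (authinfo_unavail), is ignored
# rather than treated as a denial, while any other pam_ldap.so account
# failure still denies. The mapped return codes are assumptions about the
# installed pam_ldap build.
account required pam_unix.so
account [success=ok user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so
```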