Hi!

System: Debian 7

I have a Debian 7 system that uses libpam-ldap and libnss-ldap to authenticate against an LDAP server. This is working very well without messing with the PAM configuration.
Now I’m trying to restrict access with the pam_groupdn directive in /etc/pam_ldap.conf. But this is not working. Everyone can log in; the LDAP group is not checked.
I found some very old mails saying that common-account is the problem. And indeed, if I change the content of common-account to a version used by SuSE Enterprise 11 (here pam_groupdn is working out of the box) I get the right behaviour.
Not working common-account - begin<<<<<<<<<<<<<<<<<<<<<
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
Not working common-account - end<<<<<<<<<<<<<<<<<<<<<<<

Working common-account - begin<<<<<<<<<<<<<<<<<<<<<<<<<
account requisite pam_unix.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
Working common-account - end<<<<<<<<<<<<<<<<<<<<<<<<<<<
So is this a bug in pam-auth-update (creating a wrong common-account)? Missing documentation telling me I have to change common-account manually? Or another PAM bug?
Shade and sweet water!

Stephan

-- 
| Stephan Seitz                          E-Mail: stse@fsing.rootsland.net |
| Public Keys: http://fsing.rootsland.net/~stse/keys.html                  |
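The difference between the two stacks comes down to how Linux-PAM walks an account stack: in the Debian stack, `[success=2 ...]` on pam_unix.so jumps over the next two modules (pam_ldap.so and pam_deny.so) whenever pam_unix.so returns success, so the pam_ldap.so account phase, which is where pam_groupdn is enforced, is only ever consulted for users pam_unix.so does not accept. The following simulator walks both stacks quoted above with the control-flag rules from pam.conf(5) and reports which modules were actually consulted. It is an added illustration, not code from the mail, from Debian or from Linux-PAM; the per-module return values for the test user are constructed assumptions about what each module would report for an LDAP-only account that is not in the pam_groupdn group, and the `done` rule is the simplified keyword form (terminate only if nothing has failed yet).

```python
"""Walk a PAM `account` stack by the pam.conf(5) control-flag rules and report
which modules were consulted.  Added illustration; not from the mail, Debian or
Linux-PAM.  Module return values below are constructed for the scenario."""

import re
from typing import Dict, List, Optional, Tuple

# The two common-account stacks quoted in the mail, one directive per line.
DEBIAN_COMMON_ACCOUNT = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""

SUSE_COMMON_ACCOUNT = """
account requisite pam_unix.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
"""

# Keyword controls expanded to their bracketed equivalents as pam.conf(5) gives them.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# type  control  module  [args...]; args are captured but not used (modules are not executed here)
LINE_RE = re.compile(r"^account\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+.*)?$")


def parse_stack(text: str) -> List[Tuple[Dict[str, str], str]]:
    """Return [(control_table, module_name), ...] for every account line."""
    stack = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"cannot parse PAM line: {raw!r}")
        control, module = m.groups()
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORD_CONTROLS[control]
        stack.append((table, module))
    return stack


def run_stack(text: str, module_results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate the stack.  module_results maps module name -> the return value
    that module would produce for this user.  Returns (final status, modules
    actually consulted).  Rules: ignore contributes nothing; bad/die record the
    first failure (die also stops); ok/done/N count as ok, done stops if nothing
    has failed, N additionally skips the next N modules."""
    stack = parse_stack(text)
    consulted: List[str] = []
    status: Optional[str] = None
    failed = False
    i = 0
    while i < len(stack):
        table, module = stack[i]
        i += 1
        rv = module_results[module]
        consulted.append(module)
        action = table.get(rv, table["default"])
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if not failed:
                status, failed = rv, True   # the first failure is what the stack returns
            if action == "die":
                break
            continue
        if not failed:
            status = rv                     # ok-style actions only matter before a failure
        if action == "done":
            if not failed:
                break
        elif action.isdigit():
            i += int(action)                # jump over the next N modules
    # Linux-PAM returns PAM_PERM_DENIED when no module contributed a verdict.
    return (status if status is not None else "perm_denied"), consulted


# Constructed scenario (assumption): an LDAP-only user who is NOT a member of
# the group named by pam_groupdn, on a host that resolves users via libnss-ldap.
LDAP_USER_OUTSIDE_GROUP = {
    "pam_unix.so":      "success",       # account resolvable via NSS, nothing expired
    "pam_ldap.so":      "perm_denied",   # the pam_groupdn check rejects the user
    "pam_localuser.so": "user_unknown",  # not listed in /etc/passwd
    "pam_deny.so":      "acct_expired",  # pam_deny's account-phase result
    "pam_permit.so":    "success",
}


def debian_result() -> Tuple[str, List[str]]:
    return run_stack(DEBIAN_COMMON_ACCOUNT, LDAP_USER_OUTSIDE_GROUP)


def suse_result() -> Tuple[str, List[str]]:
    return run_stack(SUSE_COMMON_ACCOUNT, LDAP_USER_OUTSIDE_GROUP)


if __name__ == "__main__":
    for name, fn in (("Debian", debian_result), ("SuSE", suse_result)):
        final, consulted = fn()
        print(f"{name}: {final}; consulted: {' -> '.join(consulted)}")
```

Running it shows the Debian stack ending in `success` having consulted only pam_unix.so and pam_permit.so, while the SuSE stack consults pam_unix.so, pam_localuser.so and pam_ldap.so in turn and ends in `perm_denied`. The same tool can be pointed at any candidate common-account to check, before touching a live system, that pam_ldap.so is actually reached for the user population you care about.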