On Wed, 2011-06-08 at 09:27 -0700, Steve Langasek wrote:
> That's not the model in use. What you're saying is that you want the
> pam_ldap authorization checks to always be enforced; that's an 'Additional'
> profile, regardless of what other profiles are enabled.
It's not uncommon to not provide shadow information from LDAP, which means that pam_unix will currently deny access. Then the "Additional" section isn't reached at all, and pam_ldap should be "Primary" for things to work.

FWIW, pam_ldap (and nss-pam-ldapd in the 0.8 branch) perform basically the same checks for shadow information that pam_unix would perform (and a few more), which means that it wouldn't need pam_unix at all, which would be an argument to keep it "Primary".

Also, some checks (password expiry mostly) cannot be done by pam_unix because the authentication wasn't done by pam_unix. I think pam_unix only warns about password expiry if you just logged in with a password (instead of, say, su or ssh key-based authentication). (Note this is separate from account expiry.)

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
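To make the ordering problem in the reply above concrete, here is a constructed pam-auth-update style common-account stack (an added example, not a message from the thread and not libpam-ldap's real profile), first with pam_ldap registered as Additional and then as a second Primary module. The module order, control fields and the assumption that pam_unix does not return success for a user without shadow information are mine.

```text
# Constructed example of the account stack pam-auth-update generates.
# Control field [success=N default=ignore]: on success skip the next N
# modules; any other result is ignored and the stack falls through.

# --- Case 1: pam_ldap profile with "Account-Type: Additional" ---
# Primary block: pam_unix only.
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# Reached only when no Primary module succeeded. For an LDAP user with no
# shadow entry, pam_unix does not return success, so pam_deny (requisite)
# ends the stack here with a failure.
account requisite pam_deny.so
account required pam_permit.so
# Additional block: never evaluated for that user, because pam_deny above
# already terminated the stack.
account required pam_ldap.so

# --- Case 2: pam_ldap profile with "Account-Type: Primary" ---
# pam_unix on success jumps over pam_ldap and pam_deny straight to
# pam_permit; when it cannot decide, pam_ldap gets to answer, and its own
# shadow-style checks (expiry etc.) are applied.
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
```

Only when one of the Primary lines succeeds does the stack skip pam_deny, which is why an Additional pam_ldap entry cannot rescue an account that pam_unix alone would not admit.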