I recognized a strange behavior of PAM. My Plan was to do Authorization through pam_unix.so and pam_ldap.so I have the following configuration for this: --- account required pam_login_access.so account sufficient /usr/local/lib/pam_ldap.so account required pam_unix.so --- when the user neither exist in ldap nor in /etc/passwd then the auhtorization is nevertheless successful... this behavior isnt what i expected. i want to do authorization through pam_ldap.so and pam_unix.so
> huh? as in a user that more or less does *not* exist on your system canlog> in? do you have any other authentication modules that the system falls to?Sure, authentication is enabled too, but i want to limit access through authorization. here my whole pam.d/sshd configuration: --- # auth auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account account required pam_login_access.so account sufficient /usr/local/lib/pam_ldap.so account required pam_unix.so # session session required pam_permit.so # password password required pam_unix.so no_warn try_first_pass --- when i login to the system i become the message: --- You must be a uniqueMember of cn=klever,ou=hosts,dc=xxx,dc=xxx,dc=xxx to login. --- but exactly this is not true, then why i can login?
> huh? as in a user that more or less does *not* exist on your system canlog> in? do you have any other authentication modules that the system falls to?Sure, authentication is enabled too, but i want to limit access through authorization. here my whole pam.d/sshd configuration: --- # auth auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account account required pam_login_access.so account sufficient /usr/local/lib/pam_ldap.so account required pam_unix.so # session session required pam_permit.so # password password required pam_unix.so no_warn try_first_pass --- when i login to the system i become the message: --- You must be a uniqueMember of cn=klever,ou=hosts,dc=xxx,dc=xxx,dc=xxx to login. --- but exactly this is not true, then why i can login?
On Wednesday 10 November 2004 20:13, Christian Meutes wrote:> I recognized a strange behavior of PAM. My Plan was to do Authorization > through pam_unix.so and pam_ldap.so > I have the following configuration for this: > --- > account required pam_login_access.so > account sufficient /usr/local/lib/pam_ldap.so > account required pam_unix.so > --- > > when the user neither exist in ldap nor in /etc/passwd then the > auhtorization is nevertheless successful... this behavior isnt what ihuh? as in a user that more or less does *not* exist on your system can log in? do you have any other authentication modules that the system falls to?> expected. > > i want to do authorization through pam_ldap.so and pam_unix.so > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"