sufficient pam_ldap.so
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ldap-auth-client (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
Binary package hint: ldap-auth-client
On all the systems where I set up libpam-ldap, prior to auth-client-config, I used the construct recommended by /usr/share/
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_permit.so
I'm excited to try auth-client-config, to avoid hand editing lots of files; however, I noticed that /etc/auth-
[...]
- Be very careful when you use "sufficient pam_ldap.so" in Debian's
/etc/pam.d/common-* files: Some services can place other "required"
PAM-modules after the includes, which will be ignored if pam_ldap.so
succeeds. As a workaround, use something like the following construct:
[...]
A side benefit of the construct recommended by README.Debian is that "local authentication is checked first, so root can still login if LDAP is down."
I created my own /etc/auth-
Is the advice of README.Debian outdated or overly paranoid?
Thanks and best wishes, Jack
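The README.Debian warning quoted in the description, as an added example that is not part of the original report or of the package: a simplified Python model of Linux-PAM control handling, with each module result reduced to success or failure. `SUFFICIENT_STACK` is constructed for comparison, and `pam_site_check.so` is a hypothetical module standing in for whatever a service places after its include.

```python
SHORTHAND = {  # control keyword -> actions (subset of Linux-PAM)
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
# Construct quoted in the bug description.
README_STACK = """
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_permit.so
"""
# Constructed for comparison; not taken from any shipped profile.
SUFFICIENT_STACK = """
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""
# Hypothetical module a service adds after its common-auth include.
SERVICE_EXTRA = "auth required pam_site_check.so"

def parse(text):
    """Yield (actions, module) for each 'auth <control> <module> [args]' line."""
    for line in filter(str.strip, text.splitlines()):
        rest = line.split(None, 1)[1].strip()      # drop the 'auth' field
        if rest.startswith("["):                   # [value=action ...] form
            spec, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in spec.split())
        else:
            control, rest = rest.split(None, 1)
            actions = SHORTHAND[control]
        yield actions, rest.split()[0]

def run(text, outcome):
    """Simplified Linux-PAM dispatch: return (authenticated, modules_called)."""
    entries, called, state, i = list(parse(text)), [], None, 0
    while i < len(entries):
        actions, module = entries[i]
        called.append(module)
        key = "success" if outcome.get(module, True) else "default"
        action = actions.get(key, actions["default"])
        if action.isdigit():
            i += int(action)                       # jump over the next N modules
        elif action in ("ok", "done") and state is not False:
            state = True
        elif action in ("bad", "die"):
            state = False
        if (action == "done" and state) or action == "die":
            break                                  # stack ends here
        i += 1
    return state is True, called
```

With LDAP succeeding and the trailing check failing, the `sufficient` stack authenticates after calling only `pam_ldap.so`, while the README construct reaches the trailing module and denies; with LDAP failing and `pam_unix.so` succeeding, the README construct never calls `pam_ldap.so`.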
Among possible side effects, this would interfere with the documented way of setting up pam_mount (per the README.Debian of libpam-mount).