Comment 26 for bug 869684

Teppo Sulavuori (sulate) wrote :

I've also been having this problem for some time now. I did some more testing with the PAM configuration and found out that there is something broken(?) in using a combination of pam_unix and pam_ldap with the auth and account management group types.

So this does NOT work (in file /etc/pam.d/vsftpd):
----------
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_permit.so

auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_permit.so
----------

BUT this DOES work (for both unix-only and ldap-only users, although now ldap has precedence of course):
---------
account sufficient pam_ldap.so
account sufficient pam_unix.so
account required pam_permit.so

auth sufficient pam_ldap.so
auth sufficient pam_unix.so use_first_pass
auth required pam_permit.so
---------

Additionally, the order of pam_unix and pam_ldap does not matter with the session and password types.

Also, if you use pam_unix ONLY in either account OR auth before pam_ldap, then it also fails.

So something strange is going on with pam_unix.so, perhaps?