
Re: problem with group membership enforcement



Brian K. Jones wrote:

Why was I allowed to log in? This is baffling.

[snip]

account sufficient /lib/security/pam_ldap.so

Here is your problem. "account" must be set to "required" to enforce the group membership. Be careful, though!! This is enforced for *all* users, including root. So if a valid root account is not in that group, root cannot log in.

I use the setup you are looking for but I have not been able
to get a decent setup that works around the above problem.  The
best I've been able to come up with is to have the root "stub"
in LDAP be "un-login-able".  This has to do with pam_unix
being too permissive.

HTH,

John Z
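To see why the "sufficient" line lets a user outside the group log in while "required" shuts them (and an un-grouped root) out, here is a small simulation of the classic Linux-PAM control-flag semantics for the account stack. This is an added illustration, not code from this thread and not PAM's own implementation: it models only required, requisite, sufficient and optional, takes each module's verdict as a given (pam_ldap is assumed to deny anyone outside the configured group, pam_unix's account check is assumed to pass for any valid entry), and the second line of each stack, pam_unix.so, is assumed because the poster's full configuration was snipped.

```python
"""Simulate the Linux-PAM 'account' stack for the two configurations
discussed above (simplified model, not libpam; module verdicts are inputs)."""

# Constructed stacks: the poster's original ("sufficient") and the fix
# ("required").  The pam_unix.so line is assumed; the original mail snipped it.
ORIGINAL_STACK = """
account sufficient /lib/security/pam_ldap.so
account required   /lib/security/pam_unix.so
"""

FIXED_STACK = """
account required   /lib/security/pam_ldap.so
account required   /lib/security/pam_unix.so
"""


def parse_stack(text, facility="account"):
    """Return [(control, module_basename)] for one facility, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fac, control, module = line.split()[:3]
        if fac == facility:
            entries.append((control.lower(), module.rsplit("/", 1)[-1]))
    return entries


def run_stack(entries, verdicts):
    """Evaluate a stack with the classic control-flag rules.

    verdicts maps a module file name to True (PAM_SUCCESS) or False (any error).
    Returns True if the stack as a whole succeeds.
    """
    failed_required = False
    for control, module in entries:
        ok = verdicts[module]
        if control == "required":
            if not ok:
                failed_required = True      # remembered; later modules still run
        elif control == "requisite":
            if not ok:
                return False                # fail immediately
        elif control == "sufficient":
            if ok and not failed_required:
                return True                 # short-circuit success
            # a failing 'sufficient' module is simply ignored: this is the bug
        elif control == "optional":
            pass                            # never decides a multi-module stack
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return not failed_required


def login_allowed(stack_text, in_ldap_group):
    """Outcome of the account phase for a user who is or is not in the group.

    Assumed verdicts: pam_ldap denies users outside the required group,
    pam_unix's account check passes for any valid account (the 'too
    permissive' behaviour mentioned above).
    """
    return run_stack(parse_stack(stack_text),
                     {"pam_ldap.so": in_ldap_group, "pam_unix.so": True})


if __name__ == "__main__":
    for name, stack in (("sufficient", ORIGINAL_STACK), ("required", FIXED_STACK)):
        for member in (True, False):
            print(f"pam_ldap {name:10s} in_group={member!s:5s} "
                  f"-> login {'allowed' if login_allowed(stack, member) else 'denied'}")
```

With pam_ldap marked "sufficient", its denial is discarded and the following "required" pam_unix line decides the result, so the user outside the group still gets in. With "required", the denial is remembered and the whole account phase fails; the root lockout the reply warns about is the same call, `login_allowed(FIXED_STACK, False)`, for a root entry that is not in the group.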