Re: problem with group membership enforcement
Brian K. Jones wrote:
> Why was I allowed to log in? This is baffling.
> [snip]
> account sufficient /lib/security/pam_ldap.so
Here is your problem. "account" must be set to "required" to
enforce the group membership. Be careful, though!! This
is enforced for *all* users, including root. So if a valid
root account is not in that group, root cannot log in.
I use the setup you are looking for but I have not been able
to get a decent setup that works around the above problem. The
best I've been able to come up with is to have the root "stub"
in LDAP be "un-login-able". This has to do with pam_unix
being too permissive.
HTH,
John Z
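The PAM control-flag semantics behind this reply, as an added example (not code from the thread or from pam_ldap itself): a small model of how Linux-PAM evaluates an "account" stack, run over the poster's stack (pam_ldap as "sufficient") and the corrected one (pam_ldap as "required"). It assumes pam_unix's account check passes for any known local user and that pam_ldap's passes only for users in the allowed LDAP group; the module outcomes are constructed, not taken from a live system.

```python
# Added example: minimal model of Linux-PAM "account" stack evaluation.
# Shows why a "sufficient" pam_ldap cannot enforce group membership, why
# "required" does, and the root-lockout side effect of "required".

SUCCESS, FAIL = "success", "fail"

def run_stack(stack, results):
    """Evaluate a PAM stack.
    stack:   list of (control, module) in file order.
    results: module name -> SUCCESS/FAIL for the user being checked.
    Implements the classic controls: required, requisite, sufficient, optional."""
    failed = False
    for control, module in stack:
        outcome = results[module]
        if control == "required":
            if outcome != SUCCESS:
                failed = True          # remember the failure, keep running the stack
        elif control == "requisite":
            if outcome != SUCCESS:
                return FAIL            # fail immediately
        elif control == "sufficient":
            if outcome == SUCCESS and not failed:
                return SUCCESS         # short-circuit: earlier required modules passed
            # a failing "sufficient" module is simply ignored by PAM
        elif control == "optional":
            pass                       # never affects the result on its own
    return FAIL if failed else SUCCESS

# Constructed account stacks: the poster's (weak) and the fix from the reply.
WEAK_STACK  = [("required", "pam_unix"), ("sufficient", "pam_ldap")]
FIXED_STACK = [("required", "pam_unix"), ("required", "pam_ldap")]

def account_decision(stack, local_ok, in_ldap_group):
    """Assumed module behaviour: pam_unix passes for any known local user,
    pam_ldap passes only when the user is in the allowed LDAP group."""
    results = {"pam_unix": SUCCESS if local_ok else FAIL,
               "pam_ldap": SUCCESS if in_ldap_group else FAIL}
    return run_stack(stack, results)

if __name__ == "__main__":
    # A local user outside the LDAP group: weak stack admits, fixed stack rejects.
    print("weak stack,  user not in group:", account_decision(WEAK_STACK, True, False))
    print("fixed stack, user not in group:", account_decision(FIXED_STACK, True, False))
    print("fixed stack, user in group:    ", account_decision(FIXED_STACK, True, True))
    # The second line is also root's fate if its LDAP stub is outside the group.
```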