
Re: Pam_ldap group access



Please keep replies on the list.

On Thu, 17 Jun 2010, Indexer wrote:

On 17/06/2010, at 10:34 PM, Aaron Richton wrote:

On Thu, 17 Jun 2010, Indexer wrote:

membership logins a notice appears that says "You must be a memberUid of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the user is still able to continue and login, and it is not enforcing the group
[...]
account         optional        /usr/local/lib/pam_ldap.so

Of course they're able to continue; that check is optional in a stack that contains other results. See pam.conf(5) man page.

Yes, I have been told that this is the case, and I'm not too concerned about it right now. What concerns me more is that Groups aren't being enforced the way I would like them to be. Has anyone got a working configuration or hints? Google was not especially helpful, as it's a hard problem to "quantify".

I'm totally confused. If you're not "concerned about it right now" why is it your original question, as well as causing "me more" concern in the next sentence?

My hint remains that the check you want to enforce without option has been configured as optional. Read the whole pam.conf(5) man page, then reread the section regarding alternatives to "optional," and determine what you need to configure to enforce the behavior you want.
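
Added example, not part of the original message and not code from any PAM implementation: a simplified Python model of how control flags combine module results in one stack, showing why a failing `optional` pam_ldap account check does not block the login while a `required` one does. The `pam_unix.so` entry, the module outcomes and the helper names are assumptions constructed for illustration; only the pam_ldap line comes from the thread.

```python
# Simplified model of PAM control flags; not a PAM implementation.
DENYING = {"required", "requisite"}

def parse_stack(text, facility):
    """Return (control, module) pairs for one facility from pam.d-style lines."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, outcomes):
    """Return True if the request is granted. outcomes: module name -> bool."""
    if not any(control in DENYING for control, _ in stack):
        # Stacks without a required/requisite entry are not modelled here.
        raise ValueError("no required/requisite module in stack")
    failed = False
    for control, module in stack:
        if outcomes[module]:
            if control == "sufficient" and not failed:
                return True      # chain ends early, request granted
            continue
        if control == "requisite":
            return False         # chain ends early, request denied
        if control == "required":
            failed = True        # chain keeps running, request is denied
        # a failing "optional" or "sufficient" module does not deny by itself
    return not failed

# Constructed stacks: the pam_ldap line is from the thread, pam_unix.so is assumed.
AS_POSTED = """
account  required  pam_unix.so
account  optional  /usr/local/lib/pam_ldap.so
"""
ENFORCED = AS_POSTED.replace("optional", "required")

# Constructed outcome: local account is valid, LDAP group check fails.
NOT_IN_GROUP = {"pam_unix.so": True, "pam_ldap.so": False}

def login_allowed(config, outcomes=NOT_IN_GROUP):
    return evaluate(parse_stack(config, "account"), outcomes)

if __name__ == "__main__":
    print("pam_ldap optional:", login_allowed(AS_POSTED))
    print("pam_ldap required:", login_allowed(ENFORCED))
```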