[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Pam_ldap group access





On Thu, Jun 17, 2010 at 8:04 AM, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
On Thu, 17 Jun 2010, Indexer wrote:

membership logins a notice appears that says "You must be a memberUid of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the user is still able to continue and login, and it is not enforcing the group
[...]

account         optional        /usr/local/lib/pam_ldap.so

Of course they're able to continue; that check is optional in a stack that contains other results. See pam.conf(5) man page.


I think you want something like:
 
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so


- Adam