On Tue, 2013-04-16 at 23:19 +0200, Jonatan Ã…kerlind wrote:
> By reordering the ldap as a Primary for account and also allowing it
> to pass if authinfo_unavail (i.e. no LDAP servers reachable) it works
> as expected for me. This solution is briefly touched in this Ubuntu
> forum thread: http://ubuntuforums.org/showthread.php?t=1585654 .

The problem with moving LDAP to Primary would mean that if pam_unix
allows access, pam_ldap will no longer be consulted. This means that
extra LDAP authorisation checks will be skipped (e.g. the
pam_authz_search option in nslcd.conf or password expiration checks in
slapd).

A little background on the complexities of the authorisation stack is in
#583492.

Can you provide some more information on what happens when the
authorisation fails in your PAM stack (add debug to both pam_unix and
pam_ldap in common-account)?

Thanks,

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to