On Tue, 2013-04-16 at 23:19 +0200, Jonatan Ã…kerlind wrote: > By reordering the ldap as a Primary for account and also allowing it > to pass if authinfo_unavail (i.e. no LDAP servers reachable) it works > as expected for me. This solution is briefly touched in this Ubuntu > forum thread: http://ubuntuforums.org/showthread.php?t=1585654 .
The problem with moving LDAP to Primary would mean that if pam_unix allows access, pam_ldap will no longer be consulted. This means that extra LDAP authorisation checks will be skipped (e.g. the pam_authz_search option in nslcd.conf or password expiration checks in slapd). A little background on the complexities of the authorisation stack is in #583492. Can you provide some more information on what happens when the authorisation fails in your PAM stack (add debug to both pam_unix and pam_ldap in common-account)? Thanks, -- -- arthur - [email protected] - http://people.debian.org/~adejong --
signature.asc
Description: This is a digitally signed message part

