Package: libpam-ldap
Version: 178-1sarge1
/usr/share/doc/libpam-ldap/README.Debian suggests this configuration for
PAM:
- Be very careful when you use "sufficient pam_ldap.so" in Debian's
/etc/pam.d/common-* files: Some services can place other "required"
PAM-modules after the includes, which will be ignored if pam_ldap.so
succeeds. As a workaround, use something like the following construct:
# Check local authentication first, so root can still login
# while LDAP is down.
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
The third line is needed, so "success=1" can skip over one module and
still has a module to jump to. Without that, PAM segfaults!
But if you install logcheck (I've tried this, but I think that the
problem persists with other log parsing utilities) you receive tons of
mail, full of unsuccessful pam_unix login tries.
Clearly you can configure a rule to filter it out, but it is not simple
(logcheck classifies it as security events) and it is not really the
right thing to do... because you risk filtering out... a real security
event! ;-)))
Also, I've found this on the Debian wiki page:
http://wiki.debian.org/PAMLDAPSetup
Note the first 3 rows:
libpam-ldap is not needed for authentication, as this can be
done with pam_unix, which uses nsswitch. However it is needed for
updating LDAP with passwd.
So it seems that, at least for 99.999% of LDAP users ;), one can simply
forget to install libpam-ldap at all.
It is not clear if this works for sarge or only in
testing/unstable...
Many thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797
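
An added example (not part of the original message or of README.Debian): a small Python check for the two pitfalls the quoted README describes, a "sufficient" module that lets later "required" modules be skipped, and a "success=N" jump with no module left to land on. The sample stacks, the function name and the use of pam_nologin.so as the service's own module are constructed, and includes are assumed to be already expanded.

```python
import re

# Matches "type control module ..." lines; control may be a [bracketed] list.
LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed samples: a service's stack with the common-auth include expanded.
RISKY = """\
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
auth required pam_nologin.so
"""
WORKAROUND = """\
# Check local authentication first, so root can still login
# while LDAP is down.
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
auth required pam_nologin.so
"""
NO_JUMP_TARGET = """\
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
"""

def lint_pam_stack(text):
    """Return (line_number, message) findings for one expanded PAM stack."""
    stacks = {}  # module type -> [(line number, control, module)]
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line.strip())
        if m:  # comments and blank lines do not match and are skipped
            stacks.setdefault(m.group(1), []).append((n, m.group(2), m.group(3)))
    findings = []
    for entries in stacks.values():
        for i, (n, control, module) in enumerate(entries):
            later = entries[i + 1:]
            if control == "sufficient":
                skipped = [mod for _, c, mod in later if c in ("required", "requisite")]
                if skipped:
                    findings.append((n, f"{module} is sufficient; its success skips "
                                        + ", ".join(skipped)))
            jump = re.search(r"\bsuccess=(\d+)", control)
            # A jump of N needs N modules to skip plus one to land on.
            if jump and int(jump.group(1)) >= len(later):
                findings.append((n, f"success={jump.group(1)} has no module to jump to"))
    return findings

if __name__ == "__main__":
    for name in ("RISKY", "WORKAROUND", "NO_JUMP_TARGET"):
        print(name, lint_pam_stack(globals()[name]))
```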