On Wed, Jun 08, 2011 at 12:29:45PM +0200, Luca Capello wrote:
> > While I'm still weighing whether to change pam_unix for bug #583492, it is
> > definitely the case that pam_ldap's authorization checks should be
> > 'Additional' and not 'Primary' because, as seen here, they are intended to
> > always be applied *in addition* to any authorization checks from other
> > modules.

> Mmm, again, I am not a PAM expert, but the above is not true *if* it is
> possible to not have any pam_unix (or any other 'Primary' module) checks
> at all, thus relying on pam_ldap only.  Obviously, this applies to
> libpam-ldapd as well.

That's not the model in use.  What you're saying is that you want the
pam_ldap authorization checks to always be enforced; that's an 'Additional'
profile, regardless of what other profiles are enabled.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[email protected]                                     [email protected]

Attachment: signature.asc
Description: Digital signature

Reply via email to