On Wed, Jun 08, 2011 at 12:29:45PM +0200, Luca Capello wrote: > > While I'm still weighing whether to change pam_unix for bug #583492, it is > > definitely the case that pam_ldap's authorization checks should be > > 'Additional' and not 'Primary' because, as seen here, they are intended to > > always be applied *in addition* to any authorization checks from other > > modules.
> Mmm, again, I am not a PAM expert, but the above is not true *if* it is > possible to not have any pam_unix (or any other 'Primary' module) checks > at all, thus relying on pam_ldap only. Obviously, this applies to > libpam-ldapd as well. That's not the model in use. What you're saying is that you want the pam_ldap authorization checks to always be enforced; that's an 'Additional' profile, regardless of what other profiles are enabled. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ [email protected] [email protected]
signature.asc
Description: Digital signature

