> > If so, then when I tried those modifications, I couldn't figure out
> > how to get reasonable behavior. If you have
> >
> > auth sufficient pam_ldap.so
> > auth required pam_unix_auth.so try_first_pass
> >
> > then if the entry is found in ldap, pam returns and you never execute
> > things like motd, etc. which is not what you want.
>
> I used this complex invocation, you'll need an appropriately bug-fixed pam
> library (Ben, you have my patches..)
>
> auth requisite pam_securetty.so
> auth [success=1 default=ignore] pam_unix_auth.so
> auth required pam_ldap.so use_first_pass
> auth optional pam_group.so
> auth optional pam_mail.so

Another solution (that I did) is to just place those optional modules
BEFORE pam_ldap.so. Seems to work fine for me. Does anyone see a reason
not to do so?

I agree, however, that the complex method has got to be fixed - it is too
cool not to use it.

Sergey.
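
An added example, not part of the original messages: a simplified Python model of how the control flags decide which modules run in the three stack orderings discussed in this thread. The flag table is a simplification of Linux-PAM behaviour, the module results are constructed inputs, module arguments are omitted, and the trailing optional modules in the first stack are assumed.

```python
# Simplified model of Linux-PAM control flags (an assumption of this example,
# not the library's code). Which modules "succeed" is a constructed input.
FLAGS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
    "skip1":      {"success": 1,      "default": "ignore"},  # [success=1 default=ignore]
}

def run_stack(stack, succeeds):
    """Return (authenticated, modules_executed) for one pass over the stack.

    stack: list of (control, module); succeeds: set of modules returning success.
    """
    executed, ok_seen, failed, i = [], False, False, 0
    while i < len(stack):
        control, module = stack[i]
        executed.append(module)
        action = FLAGS[control]["success" if module in succeeds else "default"]
        i += 1
        if isinstance(action, int):
            i += action                  # jump over the next N modules
        elif action in ("ok", "done"):
            ok_seen = True
            if action == "done" and not failed:
                break                    # sufficient: later modules never run
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                break                    # requisite: abort the stack at once
    return (ok_seen and not failed), executed

# Stack from the older quoted message; the two optional lines are assumed.
SIMPLE = [("sufficient", "pam_ldap.so"), ("required", "pam_unix_auth.so"),
          ("optional", "pam_group.so"), ("optional", "pam_mail.so")]
# The "complex invocation" quoted above.
JUMP = [("requisite", "pam_securetty.so"), ("skip1", "pam_unix_auth.so"),
        ("required", "pam_ldap.so"), ("optional", "pam_group.so"),
        ("optional", "pam_mail.so")]
# Optional modules moved before pam_ldap.so, as in the reply.
REORDERED = [("optional", "pam_group.so"), ("optional", "pam_mail.so"),
             ("sufficient", "pam_ldap.so"), ("required", "pam_unix_auth.so")]
```

In this model the reordered stack runs pam_group.so and pam_mail.so on every attempt, including attempts where both pam_ldap.so and pam_unix_auth.so fail.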