Because you have specified that the failure of pam_ldap is not fatal to the account stack. The "sufficient" control means: If this module returns success, then stop stack processing and return success to the application. Otherwise continue processing.
Since the access check constitutes a "failure" and "sufficient" effectively ignores failures, you've made the access checks useless. :)
You probably want to set it to "required", but there are a couple of options to mask certain failure modes you may need to set so that you get the proper fallback to local logins. Those options are
ignore_unknown_user ignore_authinfo_unavail
Add these to the end of the 'account ... pam_ldap' line.
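The control-flag semantics described above are easiest to see by stepping through an account stack by hand. The following simulator is an added example, not code from either message in this thread and not part of OpenPAM or pam_ldap: it models how pam_acct_mgmt() combines per-module results under required/requisite/sufficient/optional, and how the ignore_authinfo_unavail and ignore_unknown_user options turn two pam_ldap failure codes into PAM_IGNORE. The module behaviour, the user tables and the two stacks are constructed stand-ins; no real PAM library or LDAP server is involved.

```python
"""
PAM account-stack simulator (added example, not from the thread).

Constructed model of how pam_acct_mgmt() walks a stack such as
    account sufficient pam_ldap.so          # the broken setup
    account required   pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
    account required   pam_unix.so
The module stand-ins below are assumptions for illustration, not pam_ldap or
pam_unix themselves.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"                  # "treat this line as absent"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# One stack line: (control flag, module name, module options)
Entry = Tuple[str, str, List[str]]


def pam_ldap_account(user: str, ldap: Optional[Dict[str, bool]],
                     options: List[str]) -> str:
    """Stand-in for pam_ldap's account check.
    ldap maps user -> access allowed; None means the directory is unreachable."""
    if ldap is None:
        rc = PAM_AUTHINFO_UNAVAIL
    elif user not in ldap:
        rc = PAM_USER_UNKNOWN
    else:
        rc = PAM_SUCCESS if ldap[user] else PAM_PERM_DENIED
    # The two options from the thread mask specific failures as PAM_IGNORE,
    # so a down server or a purely local user does not count as a failure.
    if rc == PAM_AUTHINFO_UNAVAIL and "ignore_authinfo_unavail" in options:
        return PAM_IGNORE
    if rc == PAM_USER_UNKNOWN and "ignore_unknown_user" in options:
        return PAM_IGNORE
    return rc


def pam_unix_account(user: str, passwd: Set[str], options: List[str]) -> str:
    """Stand-in for pam_unix's account check: passwd is the set of users
    getpwnam() can resolve (local files plus whatever NSS adds)."""
    return PAM_SUCCESS if user in passwd else PAM_USER_UNKNOWN


def run_account_stack(stack: List[Entry], user: str,
                      ldap: Optional[Dict[str, bool]], passwd: Set[str]) -> str:
    """Evaluate the stack the way pam_acct_mgmt() would and return the
    result handed back to the application."""
    modules: Dict[str, Callable[[str, List[str]], str]] = {
        "pam_ldap.so": lambda u, o: pam_ldap_account(u, ldap, o),
        "pam_unix.so": lambda u, o: pam_unix_account(u, passwd, o),
    }
    first_failure: Optional[str] = None
    for control, module, options in stack:
        rc = modules[module](user, options)
        if rc == PAM_IGNORE:
            continue                       # as if the line were not there
        if control == "requisite":
            if rc != PAM_SUCCESS:
                return rc                  # fail the stack immediately
        elif control == "required":
            if rc != PAM_SUCCESS and first_failure is None:
                first_failure = rc         # remember, but keep processing
        elif control == "sufficient":
            if rc == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS         # short-circuit: rest is skipped
            # a failing sufficient module is simply ignored -> the bug
        elif control == "optional":
            pass                           # never affects the outcome here
    return first_failure or PAM_SUCCESS


# Constructed data: bob exists locally but is denied by his LDAP attributes,
# root is local-only, alice is allowed everywhere.
LDAP_ACL = {"alice": True, "bob": False}
PASSWD = {"alice", "bob", "root"}

STACK_SUFFICIENT: List[Entry] = [
    ("sufficient", "pam_ldap.so", []),
    ("required", "pam_unix.so", []),
]
STACK_REQUIRED: List[Entry] = [
    ("required", "pam_ldap.so", ["ignore_authinfo_unavail", "ignore_unknown_user"]),
    ("required", "pam_unix.so", []),
]
STACK_REQUIRED_NO_OPTS: List[Entry] = [
    ("required", "pam_ldap.so", []),
    ("required", "pam_unix.so", []),
]

if __name__ == "__main__":
    for name, stack in (("sufficient", STACK_SUFFICIENT), ("required", STACK_REQUIRED)):
        for user in ("alice", "bob", "root"):
            print(f"{name:10} {user:6} ldap up   -> {run_account_stack(stack, user, LDAP_ACL, PASSWD)}")
            print(f"{name:10} {user:6} ldap down -> {run_account_stack(stack, user, None, PASSWD)}")
```

With "sufficient", bob's PAM_PERM_DENIED from pam_ldap is swallowed and pam_unix lets him in, which is exactly the useless access check from the first message. With "required", the denial sticks, while root (unknown to LDAP) and an unreachable server both collapse to PAM_IGNORE and fall through to pam_unix; drop the two options and a down server returns PAM_AUTHINFO_UNAVAIL for everybody.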
In fact, this is really working with such options:
---
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
---
I am very amazed, because I thought that with this ldap line it is also necessary that
'account required pam_unix.so' must return 'ok' for the authorization part to be successful, but the ldap account is not available there.
But thanks anyway, it solved my requirements!
regards, christian