
RE: problem with group membership enforcement



Wouldn't use of the 'ignore_unknown_user' option avoid this drawback on
the account entry?

> -----Original Message-----
> From: John Ziniti [mailto:jziniti@speakeasy.org]
> Sent: 16 October 2003 21:11
> To: ldap list
> Subject: Re: problem with group membership enforcement
> 
> 
> Brian K. Jones wrote:
> > 
> > Why was I allowed to log in? This is baffling. 
> 
> [snip]
> 
> > account         sufficient      /lib/security/pam_ldap.so
> 
> Here is your problem.  "account" must be set to "required" to
> enforce the group membership.  Be careful, though!!  This
> is enforced for *all* users, including root.  So if a valid
> root account is not in that group, root cannot log in.
> 
> I use the setup you are looking for but I have not been able
> to get a decent setup that works around the above problem.  The
> best I've been able to come up with is to have the root "stub"
> in LDAP be "un-login-able".  This has to do with pam_unix
> being too permissive.
> 
> HTH,
> 
> John Z
> 
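
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how the PAM account stack resolves with "sufficient" versus "required" on pam_ldap, and with 'ignore_unknown_user'. The trailing pam_unix.so line, the module return values and the users alice, bob and root are assumptions, since the original stack was snipped.

```python
# Simplified model of Linux-PAM "account" stack evaluation (added example).
# Module return values below are assumptions made for illustration.
SUCCESS, DENIED, IGNORE = "success", "denied", "ignore"

# Constructed sample data: LDAP entries, members of the enforced group, local accounts.
LDAP_USERS = {"alice", "bob"}
GROUP_MEMBERS = {"alice"}
LOCAL_USERS = {"root"}

def pam_ldap_account(user, opts):
    if user not in LDAP_USERS:
        # ignore_unknown_user: return PAM_IGNORE for users absent from LDAP
        return IGNORE if "ignore_unknown_user" in opts else DENIED
    return SUCCESS if user in GROUP_MEMBERS else DENIED

def pam_unix_account(user, opts):
    # Assumed: succeeds for any account NSS resolves, local or LDAP
    return SUCCESS if user in LOCAL_USERS | LDAP_USERS else DENIED

MODULES = {"pam_ldap.so": pam_ldap_account, "pam_unix.so": pam_unix_account}

def evaluate(stack, user):
    """Return True if the account stack admits `user`."""
    required_failed = any_success = False
    for line in stack.strip().splitlines():
        _type, control, path, *opts = line.split()
        result = MODULES[path.rsplit("/", 1)[-1]](user, opts)
        if result == IGNORE:
            continue  # module takes no part in the decision
        if control == "sufficient":
            if result == SUCCESS and not required_failed:
                return True  # stack stops here with success
            # a failed "sufficient" module is simply skipped
        elif result == SUCCESS:  # required / requisite
            any_success = True
        else:
            required_failed = True
            if control == "requisite":
                return False
    return any_success and not required_failed

SUFFICIENT = """
account sufficient /lib/security/pam_ldap.so
account required   /lib/security/pam_unix.so
"""
REQUIRED = SUFFICIENT.replace("sufficient", "required  ")
REQUIRED_IGNORE = REQUIRED.replace("pam_ldap.so", "pam_ldap.so ignore_unknown_user")
```

In this model 'ignore_unknown_user' only helps accounts that are absent from LDAP; an entry that exists in the directory is still subject to the group check.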

