Re: problem with group membership enforcement
> > Why was I allowed to log in? This is baffling.
> [snip]
> > account sufficient /lib/security/pam_ldap.so
> Here is your problem. "account" must be set to "required" to
> enforce the group membership. Be careful, though!! This
> is enforced for *all* users, including root. So if a valid
> root account is not in that group, root cannot log in.
auth required /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
$ cat /etc/security/login_limit_list.conf
cis
root
sys
adm
informix
cparts
ftp://ftp.kalamazoolinux.org/pub/pdf/pam_and_nss.pdf
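
The following is an added example, not part of the original message: a simplified model of how Linux-PAM combines the required, requisite, sufficient and optional control flags, showing why a failed group check under "account sufficient" does not block the login while "account required" does. The pam_unix account line and all names in the code are assumptions made for the illustration.

```python
# Added illustration: simplified model of Linux-PAM's four classic control
# flags. Module results are supplied by the caller; no PAM module is run.

def parse_stack(text, facility):
    """Return [(control, module_file)] for one facility (auth, account, ...)."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries

def evaluate(entries, outcomes):
    """outcomes maps module file name -> True (success) or False (failure)."""
    required_failed = False   # a required module has already failed
    any_success = False       # at least one result counted as success
    for control, module in entries:
        ok = outcomes[module]
        if control == "requisite":
            if not ok:
                return False              # fail immediately
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True    # remember, keep running the stack
        elif control == "sufficient":
            if ok and not required_failed:
                return True               # success ends the stack early
            # a failing "sufficient" module is ignored
        elif control == "optional":
            any_success = any_success or ok
        else:
            raise ValueError("unsupported control: " + control)
    return any_success and not required_failed

def account_allowed(stack_text, outcomes):
    return evaluate(parse_stack(stack_text, "account"), outcomes)

# Constructed stacks: the pam_ldap line is the one quoted in the thread, the
# pam_unix account line is an assumption added for the illustration.
WEAK = """
account sufficient /lib/security/pam_ldap.so
account required   /lib/security/pam_unix.so
"""
STRICT = WEAK.replace("sufficient", "required")

# A user who fails the LDAP group check but has a valid account otherwise.
NOT_IN_GROUP = {"pam_ldap.so": False, "pam_unix.so": True}
```

With NOT_IN_GROUP, account_allowed(WEAK, ...) admits the user and account_allowed(STRICT, ...) denies them; the same denial applies to a root account that fails the pam_ldap check.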