RE: Pam password authentication

["Mackey, Theral" <tmackey@zetta.net>]

> 
> pam.d/sshd
> 
> auth            sufficient      pam_opie.so             no_warn
> no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn
> allow_local
> auth           sufficient      /usr/local/lib/pam_ldap.so no_warn
> use_first_pass
> auth            sufficient      pam_unix.so             no_warn
> try_first_pass
> 
> account         required        pam_nologin.so
> account         required        pam_login_access.so
> account         optional        pam_unix.so
> account         optional        /usr/local/lib/pam_ldap.so
> 
> session         required        pam_permit.so
> session         optional      /usr/local/lib/pam_ldap.so
> 
> password        sufficient      /usr/local/lib/pam_ldap.so      no_warn
> use_athtok   use_first_pass
> password        sufficient      pam_unix.so             no_warn
> try_first_pass

This is more of a pam config problem than openldap related... but your account section probably needs either ldap or unix to be required/sufficient rather than optional. As it is now it will check that there is no nologin file, and then check through your pam login.access file, it will check that the user exists in passwd or ldap but wont fail if it isnt, just that it meets criteria set in the access file, which might be setup to allow anything in. Also, your auth section is setup such that if opie succeeds, you are auth'd, it wont bother to check ldap or unix because if it fails, it will return failure immedaitely (that's what requisite does). Id be careful with the use of "optional" in pamconfig, espcially around the auth and account sections. I would reserve its use for session (if anywhere), as its more of a "try it, if it works Ok, if not, so what" rule, good for homedir creation or displaying motd (so if it fails, you still get in, since its not critical you see motd or have a homedir, but nice if it does work).

-T