Re: Pam_ldap group access

[Aaron Richton <richton@nbcs.rutgers.edu>]

Please keep replies on the list.

On Thu, 17 Jun 2010, Indexer wrote:

> On 17/06/2010, at 10:34 PM, Aaron Richton wrote:
>
> > On Thu, 17 Jun 2010, Indexer wrote:
> >
> > > membership logins a notice appears that says "You must be a memberUid 
> > > of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the 
> > > user is still able to continue and login, and it is not enforcing the 
> > > group
> > [...]
> > > account         optional        /usr/local/lib/pam_ldap.so
> >
> > Of course they're able to continue; that check is optional in a stack 
> > that contains other results. See pam.conf(5) man page.
> Yes, i have been told that this is the case, and im not to concerned 
> about it right now. What concerns me more, is that Groups aren't being 
> enforced the way i would like them to be. Has anyone got a working 
> configuration or hints? google was not especially helpful, as its a hard 
> problem to "quantify".

I'm totally confused. If you're not "concerned about it right now" why is 
it your original question, as well as causing "me more" concern in the 
next sentence?

My hint remains that the check you want to enforce without option has been 
configured as optional. Read the whole pam.conf(5) man page, then reread 
the section regarding alternatives to "optional," and determine what you 
need to configure to enforce the behavior you want.