On Sat, Jan 07, 2017 at 11:53:27AM +0800, Frank Yu wrote:
> # grep pam_listfile.so system-auth -A2
> auth required pam_listfile.so \
> _onerr_=fail item=group sense=allow file=/etc/login.group.allowed
Without your complete pam configuration there's really no way to tell
what's going on. For example, what if you have a module configured as
sufficient listed above this line? pam_listfile would never even be
consulted.
All I can really say is that I use pam_listfile as so:
auth requisite pam_listfile.so item=group sense=allow file=/etc/security/authorized_groups.conf _onerr_=fail
and it works fine for me, with groups pulled out of LDAP, the way I have it
integrated into the rest of my pam configuration. That, and you'd
probably be better off taking this inquiry to the pam mailing list as
your issue is most likely with pam configuration, not ldap, assuming a
"getent group <groupname>" returns the group from ldap you're working
with.