Package: libpam-ldapd
Version: 0.7.3
Severity: wishlist

I noticed this when comparing the libpam-heimdal setup with the libpam-ldapd setup for pam-auth-update. The Kerberos module is set up to only authenticate users with uid >= 1000, which seems like a sensible thing to do. The root user, for example, should only be allowed to log in using a local password.
This patch implements the pam-auth-update part of the change, but the option minimum_uid does not seem to be implemented by libpam-ldapd, so the change is not enough. Please implement such an option, and make the module limit itself to users with uid >= 1000 by default.

--- nss-pam-ldapd-0.7.3/debian/libpam-ldapd.pam-auth-update 2009-10-07 21:12:53.000000000 +0200 +++ nss-pam-ldapd-0.7.3-pere/debian/libpam-ldapd.pam-auth-update 2010-04-28 19:53:44.000000000 +0200 @@ -3,17 +3,17 @@ Priority: 128 Auth-Type: Primary Auth-Initial: - [success=end default=ignore] pam_ldap.so + [success=end default=ignore] pam_ldap.so minimum_uid=1000 Auth: - [success=end default=ignore] pam_ldap.so use_first_pass + [success=end default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass Account-Type: Primary Account: - [success=end default=ignore] pam_ldap.so + [success=end default=ignore] pam_ldap.so minimum_uid=1000 Password-Type: Primary Password-Initial: - [success=end default=ignore] pam_ldap.so + [success=end default=ignore] pam_ldap.so minimum_uid=1000 Password: - [success=end default=ignore] pam_ldap.so try_first_pass + [success=end default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass Session-Type: Additional Session: - optional pam_ldap.so + optional pam_ldap.so minimum_uid=1000

Happy hacking,
--
Petter Reinholdtsen
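
Review bot: minimum_uid=1000 is appended to all six pam_ldap.so lines (Auth-Initial, Auth, Account, Password-Initial, Password, Session), yet the accompanying message says pam_ldap.so does not implement that option, so this profile change should only ship in the same upload as, or after, the module change that accepts the argument. The threshold is also repeated as a literal 1000 on every line; a note in the package documentation saying that it is meant to match the first regular-user UID on the system would help administrators whose UID ranges differ and who need to adjust all six entries consistently.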