On 1/3/15 9:31 PM, John Nemeth wrote:
On Jan 3, 3:34am, Louis Guillaume wrote:
} So to sum up:
}
} o All the pieces work fine together, normally.
} o Authentication using LDAP succeeds where it should.
} o Saslauthd does it's thing with no problem.
} o Sendmail does it's thing with no problem.
}
} o Because it takes deleting the local user account to make the
} problem go away, I am led to believe that the failure is with
} PAM. I think that, when pam_ldap.so fails, it tries the system
} config and for some reason it authenticates the user.
Yes, of course, since that's exactly what you're telling it
to do. From "man pam.conf":
sufficient If this module succeeds, the chain is broken and the result
is success. If it fails, the rest of the chain still runs,
but the final result will be failure unless a later module
succeeds.
What the system config does is unknown, since you didn't show it.
}-- End of excerpt from Louis Guillaume
You make a good point - The authentication should stop with LDAP in this
case (smtp) and "system" should be out of the picture. I've removed the
"include" for the system config and changed the pam_ldap entry to be
"required". It's the obvious way to stop the bleeding here.
But I still have to wonder what was causing PAM to successfully
authenticate the user. Now that I've got things to be sane again, I can
research further. The latest theory is an old Kerberos account for this
user (with the old password) was the culprit.
Thank you for your help!
Louis
