I've subsequently implemented a slightly more elegant solution: # here are the per-package modules (the "Primary" block) account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 default=ignore] pam_ldap.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config
This works. There are more useful options in the pam_ldap.so module, but I can't get them to behave properly and I am not a PAM guru. I'm a bit fed up of locking myself out of my own system. pam-auth-update needs an update. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/799605 Title: pam-auth-update creates a 'common-account' that fails with cached logins To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libpam-ccreds/+bug/799605/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs