Public bug reported:

Binary package hint: ldap-auth-client

On all the systems where I set up libpam-ldap, prior to auth-client-config, I used the construct recommended by /usr/share/doc/libpam-ldap/README.Debian:

  auth [success=1 default=ignore] pam_unix.so nullok_secure
  auth requisite pam_ldap.so minimum_uid=1000 use_first_pass
  auth requisite pam_permit.so

I'm excited to try auth-client-config, to avoid hand editing lots of files, however I noticed that /etc/auth-client-config/profile.d/ldap-auth-config does exactly what README.Debian cautions against:

  [...]
  - Be very careful when you use "sufficient pam_ldap.so" in Debian's /etc/pam.d/common-* files: Some services can place other "required" PAM-modules after the includes, which will be ignored if pam_ldap.so succeeds. As a workaround, use something like the following construct:
  [...]

A side benefit of the construct recommended by README.Debian is that "local authentication is checked first, so root can still login if LDAP is down."

I created my own /etc/auth-client-config/profile.d/mine profile which implements the README.Debian construct, but I wonder why ldap-auth-config uses "sufficient pam_ldap.so", and checks pam_ldap.so before pam_unix.so.

Is the advice of README.Debian outdated or overly paranoid?

Thanks and best wishes,
Jack

** Affects: ldap-auth-client (Ubuntu)
     Importance: Undecided
         Status: New

--
sufficient pam_ldap.so
https://bugs.launchpad.net/bugs/221261
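
Added example, not part of the original bug report or of either package: a simplified Python model of Linux-PAM auth-stack evaluation that compares a "sufficient pam_ldap.so" stack with the README.Debian construct quoted above. The sufficient-first stack is constructed from the report's description rather than copied from the actual profile, pam_service_check.so is a hypothetical module standing in for a "required" module a service places after the include, and module arguments are omitted.

```python
# Simplified model of Linux-PAM auth-stack evaluation. Module results are
# constructed inputs; no real PAM modules are called.
CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def parse_control(ctrl):
    """Accept a keyword or the bracket form, e.g. [success=1 default=ignore]."""
    return CONTROLS.get(ctrl) or dict(kv.split("=") for kv in ctrl.strip("[]").split())

def evaluate(stack, outcomes):
    """Return (granted, modules_run); outcomes maps module name -> succeeded?"""
    verdict, ran, skip = None, [], 0   # verdict: None undecided, True, False
    for ctrl, module in stack:
        if skip:
            skip -= 1
            continue
        ran.append(module)
        rules = parse_control(ctrl)
        action = rules["success"] if outcomes[module] else rules["default"]
        if action.isdigit():           # jump: treated as ok, then skip N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done") and verdict is not False:
            verdict = True
            if action == "done":       # stack ends; later modules never run
                break
        elif action in ("bad", "die"):
            verdict = False
            if action == "die":
                break
    return verdict is True, ran

TAIL = ("required", "pam_service_check.so")  # hypothetical service-added module
SUFFICIENT_FIRST = [("sufficient", "pam_ldap.so"),   # constructed from the
                    ("required", "pam_unix.so"), TAIL]  # report's description
README_CONSTRUCT = [("[success=1 default=ignore]", "pam_unix.so"),
                    ("requisite", "pam_ldap.so"),
                    ("requisite", "pam_permit.so"), TAIL]

# Constructed case: valid LDAP password, but the service check should reject.
LDAP_USER = {"pam_ldap.so": True, "pam_unix.so": False,
             "pam_permit.so": True, "pam_service_check.so": False}

if __name__ == "__main__":
    for name, stack in (("sufficient first", SUFFICIENT_FIRST),
                        ("README construct", README_CONSTRUCT)):
        print(name, evaluate(stack, LDAP_USER))
```

With the sufficient-first stack the service's trailing module never runs and access is granted; with the README.Debian construct it runs and its failure denies access.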