Here to answer my own question after a little more RTFM. The preceding common-auth lines are set up using the new-fangled jump feature:
------
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
------

success=2 means jump over the next 2 modules. It still seems that auth required pam_permit.so is never useful, unless default=ignore means don't return PAM-API success for this module. The documentation is pretty sparse on this matter.

It's not at all clear to me how this is an improvement over the much simpler

    auth sufficient pam_unix.so nullok_secure
    auth sufficient pam_ldap.so use_first_pass

Also, the use_first_pass on the pam_ldap line seems entirely incorrect and should be issuing syslog errors, based on the definition of use_first_pass.

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
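An added example, not part of the original post and not libpam code: a simplified Python model of how an auth stack is walked, comparing the jump-style stack above with the two-line sufficient version and with the jump stack minus pam_permit.so. It assumes, following the comment in the quoted file and pam.conf(5), that a jump sets no return value of its own and that a stack in which no module sets one ends in a failure code; only the success and default keys of a bracketed control are modelled, and all function and constant names are hypothetical.

```python
import re
# Simplified model of a Linux-PAM auth stack walk (added example, not libpam code).
SUCCESS, AUTH_ERR, PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"
KEYWORDS = {"required":   {"success": "ok",   "default": "bad"},   # per pam.conf(5)
            "requisite":  {"success": "ok",   "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}
RULE = re.compile(r"^auth\s+(?:\[(?P<keys>[^\]]+)\]|(?P<word>\w+))\s+(?P<module>\S+)", re.M)
JUMP_STACK = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
SUFFICIENT_STACK = """
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
"""

def parse(stack_text):
    """Turn 'auth <control> <module> [args]' lines into (control, module) pairs."""
    rules = []
    for m in RULE.finditer(stack_text):
        control = (dict(kv.split("=") for kv in m["keys"].split())
                   if m["keys"] else KEYWORDS[m["word"]])
        rules.append((control, m["module"]))
    return rules

def authenticate(stack_text, unix_ok, ldap_ok):
    """Return the stack's final code for the given (constructed) module outcomes."""
    ret_of = {"pam_unix.so": SUCCESS if unix_ok else AUTH_ERR,
              "pam_ldap.so": SUCCESS if ldap_ok else AUTH_ERR,
              "pam_deny.so": AUTH_ERR, "pam_permit.so": SUCCESS}
    rules, status, i = parse(stack_text), None, 0
    while i < len(rules):
        control, module = rules[i]
        ret = ret_of[module]
        action = control["success"] if ret == SUCCESS else control["default"]
        i += 1
        if action.isdigit():                  # jump: skip N modules, sets no status
            i += int(action)
        elif action in ("ok", "done"):
            status = SUCCESS if status is None else status
            if action == "done" and status == SUCCESS:
                return status                 # sufficient: stop the stack here
        elif action in ("bad", "die"):
            status = ret if status in (None, SUCCESS) else status
            if action == "die":
                return status                 # requisite: fail immediately
    return PERM_DENIED if status is None else status  # only jumps/ignores ran
```

In this model the jump stack and the sufficient stack agree on every login outcome, and dropping pam_permit.so makes the jump stack fail even when pam_unix.so succeeds, because nothing is left to set a success code.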