Bug 89592
| Field | Value |
|---|---|
| Summary | authconfig formats LDAP account entry wrong in /etc/pam.d/system-auth |
| Product | [Retired] Red Hat Linux Beta |
| Component | authconfig |
| Version | beta1 |
| Hardware | All |
| OS | Linux |
| Severity | medium |
| Priority | medium |
| Status | CLOSED CURRENTRELEASE |
| Reporter | Walter Rowe <walter_rowe> |
| Assignee | Tomas Mraz <tmraz> |
| QA Contact | Brian Brock <bbrock> |
| Doc Type | Bug Fix |
| Target Milestone | --- |
| Target Release | --- |
| Last Closed | 2004-10-15 07:43:25 UTC |
Description
Walter Rowe
2003-04-24 18:42:30 UTC
The man page for "pam" explicitly says the following (which does not match the behaviour of the PAM system shown above):

service type control module-path module-arguments

The third field, control, indicates the behavior of the PAM-API should the module fail to succeed in its authentication task. There are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a square-bracketed selection of value=action pairs.

For the simple (historical) syntax valid control values are:

requisite - failure of such a PAM results in the immediate termination of the authentication process;
required - failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked;
sufficient - success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior required module has failed the success of this one is ignored);
optional - the success or failure of this module is only important if it is the only module in the stack associated with this service+type.

For the more complicated syntax valid control values have the following form:

[value1=action1 value2=action2 ...]

When the complicated syntax is placed in /etc/pam.d/system-auth when I turn on LDAP authentication using "authconfig", PAM complains that it cannot open the module "/lib/security/default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore". Looks to me like the format should be

account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

The keyword "required" in your example should NOT be there - the square-bracketed portion of the above line replaces the old-style "required" keyword. The segment of man page you posted is referring to the single pam.conf file method of configuration, where each service is listed in a single file. Red Hat uses the more powerful and flexible multi-file pam.d method, where each service has its own file named for the service and the syntax you quoted should be left-shifted to remove the first argument (service name). Switches following the module specification are module-specific (like the nullok and authtoken switches, for example) while the square-bracketed stuff works for any module since it governs the interpretation of the module's return values, not the actual behaviour of the module. Hope this helps. And I hope Red Hat fixes the bug, too.

The man page I extracted from was the RedHat 9 man page. Also, I tried the format you suggested and it did not work. Read my entire second message and you will see that I already noted that I had tried that and it was unsuccessful. How about trying it out and seeing for yourself!

Read the WHOLE man page, not just the section you posted above. That part you posted is for a single /etc/pam.conf file, not for a /etc/pam.d/* file set! I'm running the configuration I posted on *three* RH9 machines without problems... I tested it before I posted, in fact. Two of those machines are fairly mission-critical. But I don't use GDM, since I rarely run Xwindows. X is too bloated and unreliable for any of my production boxes. So I can't reproduce your error messages anyway. Maybe if you re-read my earlier post while counting the fields in your /etc/pam.d/system-auth you will notice something...
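The field-counting mistake the exchange above is arguing about can be made concrete. The following is an added example written for this page, not code from the bug report, from authconfig or from Linux-PAM. It models the bracket-aware tokenizer a pam.d parser uses (whitespace splits tokens, but a token that opens with `[` runs to the closing `]` and is returned without the brackets) and then reads a `/etc/pam.d/<service>` line as type, control, module-path, module-arguments. The default module directory `/lib/security/`, the keyword set, and the two sample lines are assumptions constructed from the text of the report; the real parser also handles comments, `\]` escapes and line continuations, which this model ignores.

```python
"""Model of how a pam.d line is tokenized and parsed (added example).

Reproduces the report's symptom: a line carrying BOTH the keyword
"required" AND a bracketed [value=action ...] control field makes the
parser take the bracketed text as the module path.
"""

# Assumption: default directory prepended to a module path without a leading '/'
DEFAULT_MODULE_DIR = "/lib/security/"
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample lines, modelled on the report (not copied from any system).
BUGGY_LINE = ("account required [default=bad success=ok user_unknown=ignore "
              "service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so")
FIXED_LINE = ("account [default=bad success=ok user_unknown=ignore "
              "service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so")


def tokenize(line):
    """Split on whitespace, except that a token starting with '[' extends to
    the matching ']' and is returned with the brackets stripped."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        while i < n and line[i].isspace():
            i += 1
        if i >= n:
            break
        if line[i] == "[":
            j = line.find("]", i + 1)
            if j == -1:
                raise ValueError("unterminated '[' in control field")
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_control(tok):
    """A simple keyword maps to itself; anything else must be value=action pairs."""
    if tok.lower() in SIMPLE_CONTROLS:
        return {"keyword": tok.lower()}
    actions = {}
    for pair in tok.split():
        if "=" not in pair:
            raise ValueError(f"bad control field: {tok!r}")
        value, action = pair.split("=", 1)
        actions[value] = action
    return actions


def parse_line(line):
    """Read a pam.d line as: type control module-path [module-arguments...]."""
    tokens = tokenize(line)
    if len(tokens) < 3:
        raise ValueError("need at least: type control module-path")
    mtype, ctrl, path, *args = tokens
    # A relative module name gets the default directory prepended; this is
    # what turns the stray bracketed text into the bogus path in the report.
    if not path.startswith("/"):
        path = DEFAULT_MODULE_DIR + path
    return {"type": mtype, "control": parse_control(ctrl), "module": path, "args": args}


def diagnose(line):
    """Return None for a well-formed line, otherwise a short reason.
    Catches the report's case: a keyword immediately followed by a [...] field."""
    raw = line.split(None, 2)
    if len(raw) >= 3 and raw[1].lower() in SIMPLE_CONTROLS and raw[2].startswith("["):
        return "both a keyword and a [...] control field: drop the keyword"
    try:
        parse_line(line)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for label, line in (("buggy", BUGGY_LINE), ("fixed", FIXED_LINE)):
        print(label, "->", diagnose(line))
        print("  parsed as:", parse_line(line))
```

Running it shows the buggy line parsed with control `required` and module path `/lib/security/default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore`, which is exactly the "cannot open module" path quoted in the report, while the fixed line yields the value=action map as its control and `/lib/security/$ISA/pam_ldap.so` as its module.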