Bug 89592

Summary: authconfig formats LDAP account entry wrong in /etc/pam.d/system-auth
Product: [Retired] Red Hat Linux Beta
Reporter: Walter Rowe <walter_rowe>
Component: authconfig
Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: beta1
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-10-15 07:43:25 UTC

Description Walter Rowe 2003-04-24 18:42:30 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
authconfig generates the following output:

account     required        [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

It should generate the following output:

account     required        /lib/security/$ISA/pam_ldap.so default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore

The improper format above produces the following error messages in
/var/log/messages when logging in via GDM.

Apr 24 11:25:57 localhost gdm[2515]: PAM unable to
dlopen(/lib/security/default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore)
Apr 24 11:25:57 localhost gdm[2515]: PAM [dlerror: /lib/security/default=bad
success=ok user_unknown=ignore service_err=ignore system_err=ignore: cannot open
shared object file: No such file or directory]
Apr 24 11:25:57 localhost gdm[2515]: PAM adding faulty module:
/lib/security/default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore
Version-Release number of selected component (if applicable):
authconfig-4.3.4

How reproducible:
Always

Steps to Reproduce:
1. run authconfig
2. turn on LDAP authentication on both screens
3. reboot
4. log in using any user ID (local or LDAP)
5. check /var/log/messages


Actual Results:

Apr 24 11:25:57 localhost gdm[2515]: PAM unable to
dlopen(/lib/security/default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore)
Apr 24 11:25:57 localhost gdm[2515]: PAM [dlerror: /lib/security/default=bad
success=ok user_unknown=ignore service_err=ignore system_err=ignore: cannot open
shared object file: No such file or directory]
Apr 24 11:25:57 localhost gdm[2515]: PAM adding faulty module:
/lib/security/default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore

Expected Results: expect no error messages in /var/log/messages

Additional info:

Comment 1 Walter Rowe 2003-04-28 15:23:00 UTC
The man page for "pam" explicitly says the following (which does not match the
behaviour of the PAM system shown above):

       service  type  control  module-path  module-arguments

       The  third field, control, indicates the behavior of the PAM-API should
       the module fail to succeed in its authentication task.  There  are  two
       types  of  syntax  for  this control field: the simple one has a single
       simple keyword; the more complicated one  involves  a  square-bracketed
       selection of value=action pairs.

       For the simple (historical) syntax valid control values are: requisite
       - failure of such a PAM results in the immediate termination of the
       authentication process; required - failure of such a PAM will
       ultimately lead to the PAM-API returning failure but only after the
       remaining stacked modules (for this service and type) have been
       invoked; sufficient - success of such a module is enough to satisfy
       the authentication requirements of the stack of modules (if a prior
       required module has failed the success of this one is ignored);
       optional - the success or failure of this module is only important if
       it is the only module in the stack associated with this service+type.

       For the more complicated syntax valid control values have the following
       form:

       [value1=action1 value2=action2 ...]

When the complicated syntax is placed in /etc/pam.d/system-auth when I turn on
LDAP authentication using "authconfig", PAM complains that it cannot open the
module "/lib/security/default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore".

Comment 2 redbugs 2003-07-10 20:54:26 UTC
Looks to me like the format should be

account  [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

The keyword "required" in your example should NOT be there - the
square-bracketed portion of the above line replaces the old-style "required"
keyword.

The segment of man page you posted is referring to the single pam.conf file
method of configuration, where each service is listed in a single file.  Red Hat
uses the more powerful and flexible multi-file pam.d method, where each service
has its own file named for the service, and the syntax you quoted should be
left-shifted to remove the first argument (service name).

Switches following the module specification are module-specific (like the nullok
and authtoken switches, for example) while the square-bracketed stuff works for
any module since it governs the interpretation of the module's return values,
not the actual behaviour of the module.

Hope this helps.  And I hope Red Hat fixes the bug, too.
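As an added example (not part of this bug report, of authconfig, or of Linux-PAM itself), the following Python lint parses /etc/pam.d/<service> lines using the four-field grammar quoted from the man page in comment 1, with the service field left-shifted off as comment 2 describes, and reports the double-control layout from the original description, where a simple keyword is followed by a bracketed block so the bracket text ends up in the module-path field. The function names and warning wording are my own, not PAM's.

```python
import re

# Simple (historical) control keywords listed in pam(8), quoted in comment 1.
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional"}
# One value=action pair inside a bracketed control, e.g. user_unknown=ignore.
PAIR_RE = re.compile(r"^[a-z_0-9]+=[a-z_0-9]+$")


def parse_pamd_line(line):
    """Split a pam.d line into (type, control, module, args).

    pam.d files omit the leading service field of pam.conf, so the first
    field is the type. A bracketed control may contain spaces, so tokens are
    re-joined until the closing ']' is found.
    """
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError("expected at least: type control module-path")
    kind, control, rest = tokens[0], tokens[1], tokens[2:]
    if control.startswith("["):
        while not control.endswith("]"):
            if not rest:
                raise ValueError("unterminated bracketed control")
            control += " " + rest.pop(0)
    if not rest:
        raise ValueError("missing module-path")
    module, args = rest[0], rest[1:]
    return kind, control, module, args


def lint_pamd_line(line):
    """Return a list of problems found in one pam.d line (empty if none)."""
    problems = []
    kind, control, module, args = parse_pamd_line(line)
    if control.startswith("["):
        bad = [p for p in control[1:-1].split() if not PAIR_RE.match(p)]
        if bad:
            problems.append("malformed value=action pair(s): " + " ".join(bad))
    elif control not in SIMPLE_CONTROLS:
        problems.append("unknown control keyword %r" % control)
    # The layout from this report: a keyword AND a bracketed block, so the
    # bracket text lands in the module-path field instead of pam_ldap.so.
    if module.startswith("["):
        problems.append("module-path field holds a bracketed control; "
                        "the %r keyword and the brackets conflict" % control)
    elif not (module.startswith("/") or module.startswith("pam_")):
        problems.append("module-path %r does not look like a module" % module)
    return problems
```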

Comment 3 Walter Rowe 2003-07-22 13:08:05 UTC
The man page I extracted from was the RedHat 9 man page. Also, I tried the
format you suggested and it did not work. Read my entire second message and you
will see that I already noted that I had tried that and it was unsuccessful. How
about trying it out and seeing for yourself!

Comment 4 redbugs 2003-09-08 13:44:35 UTC
Read the WHOLE man page, not just the section you posted above.  That part you
posted is for a single /etc/pam.conf file, not for a /etc/pam.d/* file set!

I'm running the configuration I posted on *three* RH9 machines without
problems... I tested it before I posted, in fact.  Two of those machines are
fairly mission-critical.

But I don't use GDM, since I rarely run Xwindows.  X is too bloated and
unreliable for any of my production boxes.  So I can't reproduce your error
messages anyway.

Maybe if you re-read my earlier post while counting the fields in your
/etc/pam.d/system-auth you will notice something...