That makes it worse. See log output with it both ways at <a href="http://pastebin.com/m5fca56">http://pastebin.com/m5fca56</a>.<br><br>With the pam_ldap line where it was, I'm at least able to get "(Invalid credentials)" returned from pam_ldap; when moved up above the pam_unix line, pam_ldap never makes a response.<br>
<br><br><br><a href="http://pastebin.com/m5fca56">http://pastebin.com/m5fca56</a><br><br><div class="gmail_quote">On Wed, Jun 3, 2009 at 12:50 PM, Jim Kinney <span dir="ltr"><<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">move the pam_ldap line up one. The line above it will always capture<br>
an event and the ldap line is never called. pam is a sequential<br>
process down the chain.<br>
<br>
In fact, if you want to tighten the security, put the pam_deny line<br>
before any "sufficient" lines in auth.<br>
<div><div></div><div class="h5"><br>
On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs<<a href="mailto:jeffrey.hubbs@gmail.com">jeffrey.hubbs@gmail.com</a>> wrote:<br>
> Jerald -<br>
><br>
> That line is in there...in fact, let me paste the whole system-auth file:<br>
><br>
> #%PAM-1.0<br>
><br>
> auth required pam_env.so<br>
> auth sufficient pam_unix.so try_first_pass likeauth nullok<br>
> auth sufficient pam_ldap.so use_first_pass<br>
> auth required pam_deny.so<br>
><br>
> account required pam_unix.so<br>
> account sufficient pam_ldap.so<br>
><br>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2<br>
> ocredit=2 try_first_pass retry=3<br>
> password sufficient pam_unix.so try_first_pass nullok md5 shadow<br>
> use_authtok<br>
> password sufficient pam_ldap.so use_authtok<br>
> password required pam_deny.so<br>
><br>
> session required pam_limits.so<br>
> session required pam_unix.so<br>
> session optional pam_ldap.so<br>
><br>
><br>
>><br>
>><br>
>> Also, to let pam know about ldap, look for a line like so:<br>
>><br>
>> auth sufficient pam_ldap.so use_first_pass<br>
>><br>
>> in /etc/pam.d/system-auth<br>
>><br>
>> Also, if you want to have home directories automagically made for<br>
>> first-time logins, you need:<br>
>><br>
>> session required pam_mkhomedir.so<br>
><br>
> Cool trick - dunno if I'll use that now but it's good to know.<br>
><br>
> Thanks,<br>
> Jeff<br>
><br>
</div></div>> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
><br>
><br>
<br>
<br>
<br>
--<br>
<font color="#888888">--<br>
James P. Kinney III<br>
Actively in pursuit of Life, Liberty and Happiness<br>
<br>
</font></blockquote></div><br>
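The thread turns on how PAM walks the auth stack in /etc/pam.d/system-auth and what the "sufficient" and "required" control flags do to the order in which pam_unix.so, pam_ldap.so and pam_deny.so are consulted. The following Python script is an added example, not code from the thread or from Linux-PAM: it parses the quoted system-auth text, evaluates the auth stack under the control-flag rules documented in pam.conf(5), and reports which modules actually get called and what the application receives for a few constructed user situations (a local user, an LDAP-only user, an unknown user, and the stack with a required pam_deny.so placed ahead of the sufficient lines). Module results are supplied by the caller, since a simulation cannot check real passwords; pam_env.so is assumed to succeed and pam_deny.so to fail, as those modules do.

```python
"""
Added example: a small evaluator for Linux-PAM 'auth' stacks that models the
classic control flags (required, requisite, sufficient, optional). It is not
libpam; it follows the semantics described in pam.conf(5) so that the effect
of line ordering in /etc/pam.d/system-auth can be seen without a test box.
"""
from typing import Dict, List, Optional, Tuple

# A stack line: control flag, module name, module arguments.
StackLine = Tuple[str, str, List[str]]

# The auth and account sections of the system-auth file quoted in the thread.
SYSTEM_AUTH_TEXT = """\
#%PAM-1.0

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_ldap.so
"""

# Modules whose result never depends on the user: pam_env/pam_permit succeed,
# pam_deny fails. Every other module's result must be supplied by the caller.
FIXED_RESULTS = {"pam_env.so": True, "pam_permit.so": True, "pam_deny.so": False}


def parse_stack(text: str, module_type: str = "auth") -> List[StackLine]:
    """Extract the lines of one module type (auth, account, ...) from pam.d text."""
    stack: List[StackLine] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] != module_type or len(fields) < 3:
            continue
        stack.append((fields[1], fields[2], fields[3:]))
    return stack


def evaluate(stack: List[StackLine], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """
    Walk the stack top to bottom. 'results' maps module name -> True (success)
    or False (any failure). Returns (application sees success?, modules called).

    'impression' is the running verdict: None until a required/requisite module
    reports, then "positive" or "negative". A negative impression is never
    overturned by a later sufficient success.
    """
    called: List[str] = []
    impression: Optional[str] = None
    for control, module, _args in stack:
        called.append(module)
        ok = {**FIXED_RESULTS, **results}[module]
        if control in ("required", "requisite"):
            if not ok:
                impression = "negative"
                if control == "requisite":
                    break  # requisite failure returns to the application at once
            elif impression is None:
                impression = "positive"
        elif control == "sufficient":
            if ok and impression != "negative":
                return True, called  # success ends the stack right here
            # a failing sufficient module is ignored and the walk continues
        elif control == "optional":
            pass  # only matters when it is the sole module; not modelled here
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return impression == "positive", called


def scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the quoted auth stack against constructed user situations."""
    stack = parse_stack(SYSTEM_AUTH_TEXT)
    # Variant discussed in the thread: required pam_deny.so ahead of the sufficient lines.
    deny_first = [("required", "pam_deny.so", [])] + [s for s in stack if s[1] != "pam_deny.so"]
    return {
        "local user, good password": evaluate(stack, {"pam_unix.so": True, "pam_ldap.so": False}),
        "ldap-only user, good password": evaluate(stack, {"pam_unix.so": False, "pam_ldap.so": True}),
        "unknown user or bad password": evaluate(stack, {"pam_unix.so": False, "pam_ldap.so": False}),
        "pam_deny before sufficient lines": evaluate(deny_first, {"pam_unix.so": True, "pam_ldap.so": True}),
    }


if __name__ == "__main__":
    for name, (success, called) in scenarios().items():
        print(f"{name:34s} -> {'PAM_SUCCESS' if success else 'failure':12s} called: {' -> '.join(called)}")
```

Running it shows that with the quoted ordering a failing pam_unix.so is ignored and pam_ldap.so is still consulted, while a required pam_deny.so placed above the sufficient lines gives a negative impression that no later success can overturn, so every login fails. When a stack misbehaves on a real host, compare the module order in the log against the calls this evaluator predicts.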