Re: [Devel] Strange PAM configuration?
* Petter Reinholdtsen
| -account sufficient pam_unix.so
| -account required pam_ldap.so
| +account sufficient pam_ldap.so
| +account required pam_unix.so
| session required pam_unix.so
| +password required pam_unix.so nullok obscure min=4 max=8 md5
|
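Review bot: the added `password required pam_unix.so nullok obscure min=4 max=8 md5` line on the kde side tolerates accounts whose current password is empty (`nullok`) and permits new passwords as short as four characters (`min=4`). Consider dropping `nullok` and raising `min`. `max=8` also sits oddly beside `md5`, which does not have the eight-character limit of traditional crypt hashes. Separately, with `account sufficient pam_ldap.so` now listed first, a success there ends the account stack before `account required pam_unix.so` is consulted, so it is worth confirming that skipping the local account check is intended.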
| Why is 'account pam_unix' sufficient for su, but required for kde?
| Why is 'account pam_ldap' required for su, but sufficient for kde?
Order is important. sufficient means «don't try more if this
matches». You don't want to force ldap for su, since it can then time
out while trying to authenticate you (or it can just take a whole lot
of time while you are trying to get that root shell to fix your
system).
So, it looks right to me. (One could argue that kdm should have the
same order as su, but that would cause local unix accounts to override
LDAP accounts, something which I'm not sure we want.)
--
Tollef Fog Heen ,''`.
UNIX is user friendly, it's just picky about who its friends are : :' :
`. `'
`-
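The ordering rule described in this reply, as an added example that is not part of the original message or of PAM itself: a simplified Python model of the `required` and `sufficient` control flags, run over the two account stacks from the quoted diff. Only these two flags are modeled, and the per-module outcomes in each scenario are constructed assumptions.

```python
"""Simplified model of how a PAM stack of 'required' and 'sufficient'
entries is evaluated. Module results are supplied by the caller."""

# The two account stacks from the quoted diff (su order vs. kde order).
SU_ACCOUNT = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so")]
KDE_ACCOUNT = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]

# Constructed scenarios: module name -> did that module succeed?
LOCAL_ONLY_LDAP_DOWN = {"pam_unix.so": True, "pam_ldap.so": False}
LDAP_ONLY = {"pam_unix.so": False, "pam_ldap.so": True}
IN_BOTH = {"pam_unix.so": True, "pam_ldap.so": True}


def run_stack(stack, outcomes):
    """Return (granted, consulted) for one stack.

    consulted lists the modules that were actually called, in order,
    which is what matters when a module may block on a slow backend.
    """
    consulted = []
    required_failed = False
    required_ok = False
    for control, module in stack:
        consulted.append(module)
        ok = outcomes[module]
        if control == "sufficient":
            # Success ends the stack at once, unless an earlier
            # 'required' entry already failed. Failure is ignored.
            if ok and not required_failed:
                return True, consulted
        elif control == "required":
            # Failure is remembered, but the stack keeps running.
            if ok:
                required_ok = True
            else:
                required_failed = True
        else:
            raise ValueError("control flag not modeled: " + control)
    return (required_ok and not required_failed), consulted


if __name__ == "__main__":
    for name, stack in (("su", SU_ACCOUNT), ("kde", KDE_ACCOUNT)):
        for label, outcomes in (("local, LDAP down", LOCAL_ONLY_LDAP_DOWN),
                                ("LDAP only", LDAP_ONLY),
                                ("in both", IN_BOTH)):
            print(name, "|", label, "->", run_stack(stack, outcomes))
```

With the su order, a local account is granted without `pam_ldap.so` ever being called; with the kde order, `pam_ldap.so` is always consulted first and wins for an account present in both.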