Re: 5.1 beta2 still in trouble with pam_ldap

• Previous message: Michael Nottebrock: "Re: Vinum problems on 5.1 beta"
• In reply to: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Next in thread: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Reply: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 23 May 2003 22:37:24 +0300
To: Dag-Erling Smorgrav <des@ofug.org>

On Fri, May 23, 2003 at 04:33:09PM +0200, Dag-Erling Smorgrav wrote:
> Ruslan Ermilov <ru@freebsd.org> writes:
> > In a chain with mutiple "binding" modules, only the _last_
> > failure gets ignored? Meaning, if some other module succeeds,
> > override the failure status, right?
>
> Failure of a "binding" module causes the entire chain to fail once it
> has completed. The error returned is that returned by the first
> non-"optional", non-"sufficient" module that failed.
>
> Failure of a "sufficient" module, on the other hand, is always ignored
> (so if no other non-"optional", non-"sufficient" module failed, the
> chain will succeed). This is what constantly surprises users, and
> what "binding" was introduced to alleviate.
>
> See the PAM article for details - particularly the following two
> sections:
>
> http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html#PAM-CHAINS-POLICIES
> http://www.freebsd.org/doc/en/articles/pam/pam-config.html#PAM-POLICIES
>
Thanks, DES! I think I now understand this much better. :-)

And I have the following question for you:

Why pam_nologin in the "auth" chain of the "login" service is marked
"required" and not "requisite", and why do we have the "required" at
all? What's the point in continuing with the chain if we are going
to return the failure anyway? What's the real application of
"required" as compared to "requisite"?

Cheers,

-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

• application/pgp-signature attachment: stored

• Previous message: Michael Nottebrock: "Re: Vinum problems on 5.1 beta"
• In reply to: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Next in thread: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Reply: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: 5.1 beta2 still in trouble with pam_ldap ... Meaning, if some other module succeeds, ... override the failure status, right? ... (freebsd-current) Re: 5.1 beta2 still in trouble with pam_ldap ... Meaning, if some other module succeeds, ... > override the failure status, ... Failure of a "binding" module causes the entire chain to fail once it ... (freebsd-current) Re: Safe to lengthen a chain? ... missing a shift while climbing and dropping the chain. ... foot in the pedal and the other on the road at anything above 10mph is ... A drive train failure is similar because ... it occurs when pushing hard, with rider CG ahead of the forward foot, ... (rec.bicycles.tech) Re: Safe to lengthen a chain? ... missing a shift while climbing and dropping the chain. ... I have broken cranks and pedals while riding out of the saddle ... foot in the pedal and the other on the road at anything above 10mph is ... a certain fall to the side of the pedal/crank failure. ... (rec.bicycles.tech) Re: Safe to lengthen a chain? ... missing a shift while climbing and dropping the chain. ... Broken bars or forks are a different story. ... foot in the pedal and the other on the road at anything above 10mph is ... a certain fall to the side of the pedal/crank failure. ... (rec.bicycles.tech)