X-Git-Url: https://git.stderr.nl/gitweb?a=blobdiff_plain;f=etc%2Fpam.d%2Fcommon-account;h=9d8619edfdc269bf39a77030f4cf178daba510d8;hb=refs%2Fheads%2Fmail;hp=6798301962a745e7d5a8ea9b2f9d26b172eb3cbd;hpb=c2774739de942b750691e9a155dc003bae24afb8;p=matthijs%2Fservers%2Fdrsnuggles.git

diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
index 6798301..9d8619e 100644
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
@@ -6,4 +6,14 @@
 # the central access policy for use on the system.  The default is to
 # only deny service to users whose accounts are expired in /etc/shadow.
 #
-account	required	pam_unix.so
+# Default was:
+#account	required	pam_unix.so
+#
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account		required        pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account         [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+                                pam_ldap.so