Merge commit 'origin/template' into mysql

author root <root@template.drsnuggles.stderr.nl>

Tue, 30 Dec 2008 23:01:53 +0000 (00:01 +0100)

committer root <root@template.drsnuggles.stderr.nl>

Tue, 30 Dec 2008 23:01:53 +0000 (00:01 +0100)
author root <root@template.drsnuggles.stderr.nl>
Tue, 30 Dec 2008 23:01:53 +0000 (00:01 +0100)
committer root <root@template.drsnuggles.stderr.nl>
Tue, 30 Dec 2008 23:01:53 +0000 (00:01 +0100)
diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account

index 963b69665b81883d80b384d4ab534d673ee3bec4..9d8619edfdc269bf39a77030f4cf178daba510d8 100644 (file)
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
@@ -9,5 +9,11 @@
  # Default was:
  #account       required        pam_unix.so
  #
-# LDAP config based on from http://wiki.debian.org/LDAP/PAM
-account         required        pam_ldap.so
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account                required        pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account         [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+                                pam_ldap.so
diff --git a/etc/pam.d/cron b/etc/pam.d/cron

index 938d30f297dc0ef8cfb5651bb6385a9ce9f345cd..d85f4138357ec080003270e3843e818d68b6ee48 100644 (file)
--- a/etc/pam.d/cron
+++ b/etc/pam.d/cron
@@ -2,15 +2,13 @@
  # The PAM configuration file for the cron daemon
  #
  
+# cron uses pam_set_cred so it needs a working auth section. It does not do
+# any other real authentication.
  auth          sufficient          pam_unix.so
-@include      common-auth
  
-# This is required instead of sufficient, since pam_unix mostly does checks
-# based on NSS, so this will also work for ldap users.
-account       required          pam_unix.so
-# We use a custom control spec so we won't fail on user_unknown special
-account       [success=ok new_authtok_reqd=ok user_unknown=ignore ignore=ignore default=bad] pam_ldap.so
+@include      common-auth
  
+@include      common-account
  
  @include      common-session
  
diff --git a/etc/pam.d/other b/etc/pam.d/other

index 867cf9172956768ea8ab3ccc44445c3f6d30f35a..f7ff035277bb650c4c15e79931db179d6d536d80 100644 (file)
--- a/etc/pam.d/other
+++ b/etc/pam.d/other
@@ -8,7 +8,7 @@
  #
  # We deny any pam calls not explicitely allowed elsewhere.
  
-auth        required pam_deny
-account     required pam_deny
-session     required pam_deny
-password    required pam_deny
+auth        required pam_deny.so
+account     required pam_deny.so
+session     required pam_deny.so
+password    required pam_deny.so
diff --git a/etc/pam.d/su b/etc/pam.d/su

index ab107dafb95d59cc6e511382c1871cacb3f0f798..eabc90992852d77b5d939467737adb13dc447cde 100644 (file)
--- a/etc/pam.d/su
+++ b/etc/pam.d/su
@@ -4,3 +4,5 @@
  
  # This allows root to su without passwords (normal operation)
  auth       sufficient pam_rootok.so
+@include   common-account
+@include   common-session
author	root <root@template.drsnuggles.stderr.nl>
	Tue, 30 Dec 2008 23:01:53 +0000 (00:01 +0100)
committer	root <root@template.drsnuggles.stderr.nl>
	Tue, 30 Dec 2008 23:01:53 +0000 (00:01 +0100)
etc/pam.d/common-account		patch \| blob \| history
etc/pam.d/cron		patch \| blob \| history
etc/pam.d/other		patch \| blob \| history
etc/pam.d/su		patch \| blob \| history