From 3578559b16bc32eabb5c7c0dca9263c4aa8fe622 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 30 Dec 2008 23:56:17 +0100
Subject: [PATCH] pam: Make common-account also support unix users.

This makes sure that common-account supports both unix users (from passwd) and ldap users. A lot of services don't do real (password) authentication, but do need to work for both ldap and unix users (cron, su). common-auth still only works for ldap users, since those are the only ones with actual passwords.
---
 etc/pam.d/common-account | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
index 963b696..9d8619e 100644
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
@@ -9,5 +9,11 @@
 # Default was:
 #account required pam_unix.so
 #
-# LDAP config based on from http://wiki.debian.org/LDAP/PAM
-account required pam_ldap.so
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so
-- 
2.30.2
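Review bot: The bracketed control on the new pam_ldap.so line sends every result other than success, new_authtok_reqd, ignore and user_unknown to `default=bad`, and the comment above it does not say what that means when the directory is unreachable. If pam_ldap returns an unavailable-type code in that case (presumably PAM_AUTHINFO_UNAVAIL; confirm for the installed version), the account check fails for everyone. That includes the local users in cron and su that this commit sets out to support. Failing closed is the safer choice for the host-attribute restriction, so I would keep it but document it, e.g. `# NOTE: any other pam_ldap result (e.g. LDAP unreachable) denies access, also for local unix users.` Separately, `user_unknown=ignore` skips the host check for any user pam_ldap cannot find, so its search base and filter should cover every user NSS resolves from LDAP.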