PAM LDAP Authentication
Hi, thanks for your edits to LDAP Authentication! I was hoping someone would update the PAM section, as I know little about the subject.
However, I was wondering about the following section:
First edit /etc/pam.d/system-auth. (...) Make pam_ldap.so sufficient at the top of each section, except in the session section, where we make it optional.
Could you explain why the session section is other than the rest? I would really appreciate it, and I think it would be useful to add the explanation to the page!
- The Arch devs seem to pull a lot of upstream decisions from Fedora, so their PAM documentation should apply nicely to us. (I guess PAM is pretty generic, but our conf.d is organized similarly to theirs.) Looking over that should give a pretty good idea of what sufficient, required, and optional do and some idea what auth, account, password, and session are.
- Now that said, I'm still not entirely sure what session does ;) The upstream configuration example for nss-pam-ldapd shows session as optional, as do several other examples I've seen. Today's edits to the wiki were very much the result of my own experimentation.
- I suppose I would expect sufficient to also work for session (as the documentation says failures are ignored). That's probably something to ask upstream. Bobpaul (talk) 00:07, 14 November 2013 (UTC)
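Added example, not part of the discussion above or of the wiki page: a simplified model of how Linux-PAM evaluates the required, sufficient and optional control flags, run over two session stacks. The stack contents (pam_limits.so and pam_unix.so after pam_ldap.so) and the module results are constructed for illustration; the point it shows is that a successful sufficient module ends the stack, so later session modules do not run.

```python
# Simplified model of Linux-PAM stack evaluation for the three control
# flags discussed above. Stacks and module results are constructed samples.

def run_stack(stack, results):
    """stack: list of (control, module); results: module -> True/False.
    Returns (overall_success, modules_that_ran)."""
    failed = False      # a 'required' module has failed
    succeeded = False   # some module has contributed a success
    ran = []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if control == "required":
            if ok:
                succeeded = True
            else:
                failed = True        # remembered, but the stack keeps going
        elif control == "sufficient":
            if ok and not failed:
                return True, ran     # success ends the stack right here
            # a failing 'sufficient' module is ignored
        elif control == "optional":
            if ok:
                succeeded = True     # a failing 'optional' module is ignored
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return (succeeded and not failed), ran

# Constructed session stacks: pam_ldap.so first, then two local modules.
LOCAL = [("required", "pam_limits.so"), ("required", "pam_unix.so")]
SESSION_SUFFICIENT = [("sufficient", "pam_ldap.so")] + LOCAL
SESSION_OPTIONAL = [("optional", "pam_ldap.so")] + LOCAL

# Constructed results: pam_ldap.so succeeds for an LDAP user, fails for a local one.
LDAP_USER = {"pam_ldap.so": True, "pam_limits.so": True, "pam_unix.so": True}
LOCAL_USER = {"pam_ldap.so": False, "pam_limits.so": True, "pam_unix.so": True}

if __name__ == "__main__":
    for name, stack in (("sufficient", SESSION_SUFFICIENT),
                        ("optional", SESSION_OPTIONAL)):
        for who, res in (("ldap user", LDAP_USER), ("local user", LOCAL_USER)):
            ok, ran = run_stack(stack, res)
            print(f"session {name:10} {who:10} ok={ok} ran={ran}")
```

With pam_ldap.so marked sufficient, an LDAP user's session stops after pam_ldap.so; with optional, the remaining session modules still run for every user.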