[CentOS] ldap host attribute is ignored

Sat May 9 20:24:44 UTC 2015
Jonathan Billings <billings at negate.org>

On May 8, 2015, at 11:14 AM, Ulrich Hiller <hiller at mpia-hd.mpg.de> wrote:
> 
> /etc/pam.d/system-auth:
> -----------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> auth    required        pam_env.so
> auth    optional        pam_gnome_keyring.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 2000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> account requisite       pam_unix.so     try_first_pass
> account sufficient      pam_localuser.so
> account required        pam_sss.so      use_first_pass
> account sufficient      pam_localuser.so
> 
> password    requisite     pam_pwquality.so try_first_pass
> local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> password        requisite       pam_cracklib.so
> password        optional        pam_gnome_keyring.so    use_authtok
> password        sufficient      pam_unix.so     use_authtok nullok
> shadow try_first_pass
> password        required        pam_sss.so      use_authtok
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     sufficient      pam_sss.so
> session required        pam_unix.so     try_first_pass
> session optional        pam_umask.so
> session optional        pam_gnome_keyring.so    auto_start
> only_if=gdm,gdm-password,lxdm,lightdm


Is it normal to have pam_unix and pam_sss twice for each each section?

--
Jonathan Billings <billings at negate.org>