How to make Tectia Server use only PAM for account validation? Now it seems the server does some checks also outside of PAM.
asked Jan 17 '11 at 10:48
SSH KB ♦
The default behavior of Tectia Server is to always run checks for account validity, for example to see if the password is expired or if the account is locked. In some cases the account may appear to be locked when checking the status using standard system calls, but PAM would still let the user log in.
This kind of situation can typically arise when the users have entries in local files and in a directory service such as LDAP or NIS+. For example, if the password field in the local files shows the account to be locked, the Tectia Server can prevent the user from logging in even though the user would have a working password in LDAP. To allow login for these users, the server can be configured to use only PAM for account checking.
The configuration option for this is
<params>
  <!-- Possible crypto-lib element as the first element in the params block -->
  <settings pam-account-checking-only="yes" />
  <!-- Possible other elements in the params block -->
  <pluggable-authentication-modules pam-calls-with-commands="yes" />
</params>
answered Jan 17 '11 at 10:51
SSH KB ♦
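A small audit script for the setting described in the answer, added here as an example and not part of the SSH KB post or of Tectia Server itself. It parses a server configuration, reports whether pam-account-checking-only="yes" is set, whether the pluggable-authentication-modules element is present, and whether a crypto-lib element (if any) really is the first element in the params block. The root element name secsh-server, the sample configs and the default path /etc/ssh2/ssh-server-config.xml are assumptions, not taken from the page.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample configs, not real deployment files. The <secsh-server>
# root element name is an assumption about Tectia Server's config format.
GOOD_CONFIG = """<secsh-server>
  <params>
    <crypto-lib />
    <settings pam-account-checking-only="yes" />
    <pluggable-authentication-modules pam-calls-with-commands="yes" />
  </params>
</secsh-server>
"""

# Same layout, but the PAM-only switch is absent and crypto-lib is out of place.
WEAK_CONFIG = """<secsh-server>
  <params>
    <settings />
    <crypto-lib />
    <pluggable-authentication-modules pam-calls-with-commands="yes" />
  </params>
</secsh-server>
"""


def audit_pam_account_checking(xml_text):
    """Return a list of findings for the <params> block.

    An empty list means the configuration matches the layout from the answer:
    account checking is delegated to PAM and the element order is valid.
    """
    findings = []
    root = ET.fromstring(xml_text)
    params = root.find("params")
    if params is None:
        return ["no <params> element found"]

    children = list(params)
    # crypto-lib is optional, but when present it must be the first element.
    crypto = params.find("crypto-lib")
    if crypto is not None and children[0] is not crypto:
        findings.append("<crypto-lib> present but not the first element in <params>")

    # Without pam-account-checking-only="yes" the server still runs its own
    # expiry/lock checks outside PAM, which is what the question describes.
    settings = params.find("settings")
    value = settings.get("pam-account-checking-only") if settings is not None else None
    if value != "yes":
        findings.append('<settings pam-account-checking-only="yes"> not set; '
                        "account checks still run outside PAM")

    if params.find("pluggable-authentication-modules") is None:
        findings.append("<pluggable-authentication-modules> element missing")
    return findings


def uses_pam_only(xml_text):
    """True when the config delegates account validation entirely to PAM."""
    return not audit_pam_account_checking(xml_text)


if __name__ == "__main__":
    # Assumed default location; pass another path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh2/ssh-server-config.xml"
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        text = GOOD_CONFIG  # fall back to the constructed sample for a demo run
    for line in audit_pam_account_checking(text) or ["OK: account checking delegated to PAM"]:
        print(line)
```

Run it against a live configuration after editing to confirm the change took effect; the ordering check matters because a misplaced crypto-lib element can make the whole params block invalid rather than just one setting.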