Adding pam_ldap.so by masking pam load errors
Absence of ldap distro feature will not generate pam_ldap.so because
of which we might see some unwanted error messages regarding the
failure in opening the pam_ldap.so in journalctl incase if pam_ldap
is present in PAM Configuration.
This commit would:
- Leverage '-' option before the 'type' in pam configuration, by which
the PAM library will not log any errors in the syslog if it is not
able to load the module beacause it is missing in the system.By using
this we don't need two pam configuration files for ldap and unix.
- Leverages ignore_unknown_user & ignore_authinfo_unavail options of
pam_ldap.so, which forces the PAM framework to ignore pam_ldap incase
if the user is not present in LDAP server or if the client cannot
connect to LDAP Server.
(From meta-phosphor rev: 2c7efc937785a76e35a06b6807e12765ad40d99d)
Change-Id: Ic1044989ccae4e6e442de9865cf00cea33f75262
Signed-off-by: manojkiraneda <manojkiran.eda@gmail.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
index 4ac58fb..7bebd9a 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
@@ -8,8 +8,10 @@
# traditional Unix authentication mechanisms.
# here are the per-package modules (the "Primary" block)
-auth [success=ok default=1] pam_tally2.so deny=0 unlock_time=0
-auth [success=1 default=ignore] pam_unix.so nullok_secure
+auth [success=ok default=2] pam_tally2.so deny=0 unlock_time=0
+# Try for local user first, and then try for ldap
+auth [success=2 default=ignore] pam_unix.so nullok_secure
+-auth [success=1 default=ignore] pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;