We have an OpenLDAP server configured to use the password policy overlay in order to lock users when they reach a certain number of failed password attempts. This is working perfectly, but when a user is locked out the GDM login prompt does not give any indication that that is the case; it simply says "authentication failed". Is there any way to configure either pam_ldap or the pam.d/gdm file to show why authentication is failing? Our clients are CentOS 6 and our /etc/pam.d/system-auth file looks like this:

# auth: local (pam_unix) first, then LDAP for non-system uids
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth requisite pam_ldap.so use_first_pass
auth required pam_deny.so
# account: system users skip LDAP; LDAP result is authoritative for the rest
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
# password: quality check, then local change, then LDAP change
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
# session
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

Most of the stuff there is the default except for the lines that use pam_ldap.so. Thanks!
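When the client side only reports "authentication failed", the lock state can still be read directly from the directory. The following is an added example, not code from the question or from OpenLDAP: it interprets the operational attributes the ppolicy overlay keeps on a user entry (pwdAccountLockedTime, pwdFailureTime) together with the policy entry's pwdMaxFailure and pwdLockoutDuration; the entry values are constructed, and in practice they would come from an ldapsearch run with a bind that may read operational attributes.

```python
# Added example: evaluate OpenLDAP ppolicy lock state from a user entry's
# operational attributes and the applicable policy entry's settings.
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed sample values (as ldapsearch would return them, one list per attribute).
POLICY = {"pwdMaxFailure": "5", "pwdLockoutDuration": "900"}
USER_LOCKED = {
    "pwdAccountLockedTime": ["20240501120000Z"],
    "pwdFailureTime": ["20240501115930Z", "20240501115940Z", "20240501115950Z",
                       "20240501115955Z", "20240501120000Z"],
}
USER_CLEAN = {"pwdFailureTime": ["20240501115930Z"]}

# Sentinel value ppolicy stores for an administrative (permanent) lock.
PERMANENT = "000001010000Z"


def parse_gtime(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20240501120000Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lock_status(user: dict, policy: dict, now: datetime) -> Tuple[str, Optional[datetime]]:
    """Return (state, unlock_time); state is 'open', 'locked' or 'permanent'."""
    locked = user.get("pwdAccountLockedTime", [])
    if not locked:
        return "open", None
    if locked[0] == PERMANENT:
        return "permanent", None
    duration = int(policy.get("pwdLockoutDuration", "0"))
    if duration == 0:  # 0 means locked until an administrator clears the attribute
        return "permanent", None
    unlock_at = parse_gtime(locked[0]) + timedelta(seconds=duration)
    return ("locked", unlock_at) if now < unlock_at else ("open", None)


def failures_remaining(user: dict, policy: dict) -> int:
    """Failed binds still allowed before ppolicy sets pwdAccountLockedTime."""
    return max(0, int(policy["pwdMaxFailure"]) - len(user.get("pwdFailureTime", [])))


if __name__ == "__main__":
    now = parse_gtime("20240501120500Z")
    for name, entry in (("locked user", USER_LOCKED), ("clean user", USER_CLEAN)):
        print(name, lock_status(entry, POLICY, now), "remaining:", failures_remaining(entry, POLICY))
```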