session type: effect on authorisation

Frank Van Damme frank.vandamme at gmail.com
Thu May 20 10:22:57 UTC 2010


Hi list,

I'm customizing a setup (LDAP authentication, not on Red Hat).

I was wondering what the effect of using controls like "required" or
"optional" on authorisation was in "session". I suppose, if you use
unix authentication with a fallback on ldap, you make the setup for
"session" analogous. But does it matter if you make all the modules
"required"? Probably there will never be a user defined both locally
and in ldap, so what happens if you set the first one "required" as in
the example on the Debian wiki (http://wiki.debian.org/LDAP/PAM)? It
would cause the stack to fail if the user doesn't exist locally, but
in the case of "session" does that even matter, since "session" is
mostly meant for householding?

It seems (just tried it out) that the "account" settings for the
pam_unix module are still used even if the module did not authenticate
the user in "auth" (i.e. it's a user in ldap); so is the only correct
way to configure the first line(s) in "account" or "session" in a
setup where you use multiple authentication backends to specify
"user_unknown=ignore"?

-- 
Frank Van Damme
A: Because it destroys the flow of the conversation.
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mailing lists or on Usenet?
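
An added example, not part of the original post and not Linux-PAM's own code: a simplified Python model of how Linux-PAM combines module results under the control values discussed above, run on a constructed case where the user exists only in LDAP. The return values assigned to pam_unix and pam_ldap are assumptions, and jump and reset actions are left out.

```python
# Simplified model of Linux-PAM stack evaluation (added example, not Linux-PAM code).
SUCCESS, IGNORE = "PAM_SUCCESS", "PAM_IGNORE"
USER_UNKNOWN, PERM_DENIED = "PAM_USER_UNKNOWN", "PAM_PERM_DENIED"
_OK = {"success": "ok", "new_authtok_reqd": "ok"}
# Bracket equivalents of the keyword controls, as given in pam.conf(5).
KEYWORDS = {
    "required": {**_OK, "ignore": "ignore", "default": "bad"},
    "requisite": {**_OK, "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional": {**_OK, "default": "ignore"},
}

def parse_control(control):
    """Map 'required' or '[user_unknown=ignore default=bad]' to {value: action}."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, results):
    """stack: [(control, module)]; results: {module: return value name}."""
    status, decided = PERM_DENIED, None  # None: no module has counted yet
    for control, module in stack:
        retval = results[module]
        actions = parse_control(control)
        # PAM_USER_UNKNOWN -> "user_unknown"; a missing default= counts as failure.
        action = actions.get(retval[4:].lower(), actions.get("default", "bad"))
        if action in ("ok", "done"):
            if retval != IGNORE and (decided is None or (decided and status == SUCCESS)):
                status, decided = retval, True
            if action == "done" and decided:
                break  # a positive result ends the stack early
        elif action in ("bad", "die"):
            if decided is not False:  # only the first failure sets the result
                status = PERM_DENIED if retval == IGNORE else retval
                decided = False
            if action == "die":
                break
        # action == "ignore": the module's result does not contribute
    return status

# Constructed case: the user exists only in LDAP. The return values are assumptions.
LDAP_ONLY = {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": SUCCESS}
BOTH_REQUIRED = [("required", "pam_unix.so"), ("required", "pam_ldap.so")]
TOLERANT = [("[success=ok new_authtok_reqd=ok user_unknown=ignore default=bad]",
             "pam_unix.so"), ("required", "pam_ldap.so")]

if __name__ == "__main__":
    for name, stack in (("both required", BOTH_REQUIRED), ("user_unknown=ignore", TOLERANT)):
        print(name, "->", run_stack(stack, LDAP_ONLY))
```

In this model a stack where every module's result is ignored still ends in PAM_PERM_DENIED, so "user_unknown=ignore" on every line does not admit a user that no backend knows.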



