#1062210 libpam-runtime: pam-auth-update doesn't allow user-ordering of modules

#1062210#5
Date: 2024-01-31 18:19:14 UTC
Dear Maintainer,

We were trying to configure PAM authentication to use LDAP, Radius, and local (pam_unix) authentication sources in that order, so we ran "sudo pam-auth-update --enable ldap radius unix". Alas, it's written in the descending priority order coming from the /usr/share/pam-configs/ files.

It would be useful to allow the user to override those priorities so I don't have to run "pam-auth-update" then "sudoedit /etc/pam.d/common-auth" to achieve the ordering I desire.

There might be local policy issues that require a particular ordering,
and it would be good to have the tool be compatible with such policies.
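Added illustration (not code from the report or from libpam-runtime): a small parser for the /usr/share/pam-configs/ profile format that reproduces the descending-Priority ordering described above and flags where it departs from a locally required order. The profile texts and Priority values are constructed for the example; ties are assumed to keep command-line order.

```python
import re

# Constructed profile snippets in the /usr/share/pam-configs/ format.
# Priority values are made up for this example, not copied from any package.
PROFILES = {
    "ldap": "Name: LDAP Authentication\nDefault: yes\nPriority: 128\n"
            "Auth-Type: Primary\nAuth:\n"
            "\t[success=end default=ignore]\tpam_ldap.so use_first_pass\n",
    "radius": "Name: RADIUS Authentication\nDefault: yes\nPriority: 64\n"
              "Auth-Type: Primary\nAuth:\n"
              "\t[success=end default=ignore]\tpam_radius_auth.so\n",
    "unix": "Name: Unix authentication\nDefault: yes\nPriority: 256\n"
            "Auth-Type: Primary\nAuth:\n"
            "\t[success=end default=ignore]\tpam_unix.so nullok\n",
}


def parse_profile(text):
    """Return (Priority, [Auth: module lines]) for one profile text."""
    prio = int(re.search(r"^Priority:\s*(\d+)", text, re.M).group(1))
    auth, in_auth = [], False
    for line in text.splitlines():
        if in_auth and line.startswith("\t"):
            auth.append(line.strip())      # indented lines belong to Auth:
        elif in_auth:
            in_auth = False                # next header ends the block
        if line.startswith("Auth:"):       # "Auth-Type:" does not match
            in_auth = True
    return prio, auth


def effective_order(enabled):
    """Order pam-auth-update writes: descending Priority, independent of
    the order the names were given on the command line (assumed: equal
    priorities keep command-line order, i.e. a stable sort)."""
    prio = {name: parse_profile(PROFILES[name])[0] for name in enabled}
    return sorted(enabled, key=lambda name: -prio[name])


def policy_violations(requested, enabled):
    """Positions where the generated order departs from the order a local
    policy requires; empty list means the policy is satisfied."""
    actual = effective_order(enabled)
    return [(i, want, got)
            for i, (want, got) in enumerate(zip(requested, actual))
            if want != got]


def common_auth_fragment(enabled):
    """Auth lines in the order they would land in common-auth."""
    return [line for name in effective_order(enabled)
            for line in parse_profile(PROFILES[name])[1]]
```

Running `policy_violations(["ldap", "radius", "unix"], ["ldap", "radius", "unix"])` reproduces the reporter's complaint: the request is ldap, radius, unix but the generated order is unix, ldap, radius.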

#1062210#10
Date: 2024-01-31 20:18:11 UTC
control: severity -1 wishlist
control: tags -1 help

    Philip> Package: libpam-runtime Version: 1.4.0-11ubuntu2.3 Severity:
    Philip> important

    Philip> Dear Maintainer,

    Philip> We were trying to configure PAM authentication to use LDAP,
    Philip> Radius, and local (pam_unix) authentication sources in that
    Philip> order, so we ran "sudo pam-auth-update --enable ldap radius
    Philip> unix".  Alas it's written in the descending priority order
    Philip> coming from the /usr/share/pam-configs/ files.

That's true, and it turns out there are also issues even within a single
profile about whether you want try_first_pass or use_first_pass and some
other local issues involving interactions between ldap and unix.
If you take a look at the bugs open against pam, you see a number of
related issues.

However, this is an enhancement request, not a bug.
pam-auth-update does not cover your use case, and it's going to be
nontrivial to get that working especially in the debconf interface.
I do not have time to work on that enhancement.

I would be happy to cooperate with someone on a design here and review
patches.  I'd ask though that as part of that process, they examine the
existing bugs related to interactions between pam_ldap and pam_unix and
make sure that we will not have to revisit the design later to
incorporate the other related issues.