From 908495f6833d66bcdd3736950aff5931184ed67b Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 10 Sep 2019 17:11:47 +0200
Subject: [pam-slx-plug] Change order in common-account: Move pam_unix before
 us

Our script does make round trips to LDAP under certain conditions which
is slow, so try pam_unix first.
---
 .../pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config b/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
index a4daa837..18936603 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
@@ -69,14 +69,14 @@ write_sssd_config() {
 	return 0 # OK
 }
 
-# Our plugin, but account ONLY since it's fast
-account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/pam/exec_account")
-
 # unix
 auth+=("[success=%NUM% default=ignore] pam_unix.so nodelay")
 account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_unix.so")
 nss+=("files" "cache")
 
+# Our plugin, but account ONLY since it's fast (it's not if not executed in root context so move after unix)
+account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/pam/exec_account")
+
 # check for bwIDM
 if [ -x "/opt/openslx/scripts/pam_bwidm" ]; then
 	auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm")
-- 
cgit v1.2.3-55-g7522