>>>>> "Sam" == Sam Hartman <hartmans@mit.edu> writes:
>>>>> "Martin" == Martin Schwenke <martin@meltin.net> writes:
Sam> And here's where I think is the fundamentall disagreement we
Sam> have. I'd rather see minimum code duplication and PAM
Sam> modules that do one job well rather than having too much
Sam> functionality added. Since the function of standard unix
Sam> checks and checking for local users can be cleanly split,
Sam> they should be split into two modules. I believe it is
Sam> simpler code flow, easier to debug and more flexible.
I think you're advocating easy of development over the sysadmin's
right to decide and implement policy. Policy should be in the hands
of the sysadmin.
Sam> P.S. You're doomed on the whole not dependening on network
Sam> front if nss_ldap appears anywhere in your group nsswitch
Sam> configuration.
Martin> [...] The only LDAP traffic I see when I try to login as
Martin> root looks to be generated by pam_unix! :-(
Sam> The problem happens with the initgroups call. I need to
Sam> enumerate the list of all groups in order to determine what
Sam> suplimental groups you are in. The NSS interface in libc
Sam> simply isn't well thought out enough to allow for anything
Sam> else.
Exactly!
As a nice coincidence one of the guys was just trying to login on the
*console* of a machine. That machine only has pam_ldap configured for
SSH. The only relevant thing in the configuration for login is
pam_unix. The login took 30 seconds while LDAP timed out.
Anton could have saved the world in that 30 seconds! He could have
compiled 4 Linux kernels! :-)
Now if only I had a local files module or I could set an option to
tell pam_unix to only look in local files...
peace & happiness,
martin
