>>>>> "Sam" == Sam Hartman <hartmans@mit.edu> writes:
>>>>> "Martin" == Martin Schwenke <martin@meltin.net> writes:

  Sam> And here's where I think is the fundamental disagreement we
  Sam> have.  I'd rather see minimum code duplication and PAM
  Sam> modules that do one job well rather than having too much
  Sam> functionality added.  Since the function of standard unix
  Sam> checks and checking for local users can be cleanly split,
  Sam> they should be split into two modules.  I believe it is
  Sam> simpler code flow, easier to debug and more flexible.

I think you're advocating ease of development over the sysadmin's
right to decide and implement policy.  Policy should be in the hands
of the sysadmin.

  Sam> P.S.  You're doomed on the whole not depending on network
  Sam> front if nss_ldap appears anywhere in your group nsswitch
  Sam> configuration.

  Martin> [...] The only LDAP traffic I see when I try to login as
  Martin> root looks to be generated by pam_unix!  :-(

  Sam> The problem happens with the initgroups call.  I need to
  Sam> enumerate the list of all groups in order to determine what
  Sam> supplemental groups you are in.  The NSS interface in libc
  Sam> simply isn't well thought out enough to allow for anything
  Sam> else.

Exactly!  As a nice coincidence one of the guys was just trying to
login on the *console* of a machine.  That machine only has pam_ldap
configured for SSH.  The only relevant thing in the configuration for
login is pam_unix.  The login took 30 seconds while LDAP timed out.
Anton could have saved the world in that 30 seconds!  He could have
compiled 4 Linux kernels!  :-)

Now if only I had a local files module or I could set an option to
tell pam_unix to only look in local files...

peace & happiness,
martin
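Added illustration, not part of the thread above: an nsswitch.conf fragment showing why the `group:` line alone cannot keep console logins off the network, and the separate `initgroups` database that later glibc versions provide for exactly this case. It assumes a glibc whose nsswitch.conf(5) lists `initgroups` as a database; the file contents are constructed.

```conf
# /etc/nsswitch.conf (constructed example)

# Weak: initgroups() merges supplementary-group memberships from
# *every* listed source, so a SUCCESS from "files" does not stop the
# lookup the way a plain getgrnam() would. nss_ldap is therefore
# queried even for root on the console, and login waits for the LDAP
# timeout.
passwd:     files ldap
group:      files ldap

# Corrected: glibc uses the "initgroups" database when one is
# configured and falls back to "group" only when it is absent.
# Login-time supplementary groups now come from /etc/group only,
# while "group:" still lists ldap so getgrnam()/getgrgid() lookups
# of LDAP groups keep working.
passwd:     files ldap
group:      files ldap
initgroups: files
```

The trade-off is that supplementary groups defined only in LDAP no longer apply at login, which is the local-files behaviour the message asks for; hosts that need LDAP groups at login should keep `initgroups` pointing at both sources and accept the dependency.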