--YiEDa0DAkWCtVeE4 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, May 14, 2002 at 11:17:10AM +1000, Martin Schwenke wrote: > The NSS module in question (nss_ldap) isn't messed up. As Sam already > posted, to find out what supplementary groups a user is in, you need > to retrieve all groups that NSS knows about, which implicitly includes > the LDAP ones (if that's what nsswitch.conf says to do). To avoid > doing that for a locally defined user, you would need to look in only > the local files, which is part of what I'm advocating. And you absolutely cannot control that using PAM. > Now for the bad news: initgroups() is called from the application > (login/sshd) and not from PAM. Now that's pretty crappy, because it > means it can't be configured per application: I can't tell login to > only look at local users... Exactly. The only way to do what you're asking for is by implementing=20 it in libc (NSS), not in libpam. > As far as I'm concerned the initgroups() call should happen in PAM so > that a different implementation can be substituted. That's what the > 'P' in "PAM" is all about. The current design is broken. I don't > think I stand a strong chance of having that design changed, > reimplemented and accepted upstream (even though I'm willing to do > great chunks of it myself), so it's time to give up (or rely on an > LD_PRELOAD hack to get to my root account... ummm... no! :-) And the 'A' and the 'M' say 'authentication modules', which succinctly defines the scope of PAM. Retrieving group lists is not an authentication problem. > Steve> If what you're really after is making sure pam_unix is not > Steve> used for authenticating LDAP-based accounts when the server > Steve> /is/ available, then between nss_ldap and the LDAP server > Steve> you already have all the access controls you need to make > Steve> sure password hashes are never sent in the clear across the > Steve> network. > No, I want to make sure that pam_ldap is not used for authenticating > non-LDAP-based accounts! Easily done: auth sufficient pam_unix.so auth required pam_ldap.so use_first_pass -- and that's it. If the account is local, pam_ldap will never be invoked with the above configuration. Likewise, list 'files' before 'ldap' in nsswitch.conf, to give optimal lookup times for getpwnam()/getgrgid() calls on local accounts. The one slowdown will be with initgroups() (yes, I meant initgroups() earlier, not getgroups()). There's no way around that; you can lower your timeouts in nss_ldap, or you can modify your login app to not call initgroups(). Those are your only two options, unless you do choose to modify the PAM API; and there would have to be a very good reason for Linux-PAM to break compatibility with other PAM implementations. Steve Langasek postmodern programmer --YiEDa0DAkWCtVeE4 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE84HYQKN6ufymYLloRAjmfAKCA1cEzkvwpRmuvybyBo6Vd6sfUlwCfdVBh vWEDLJsPHRTPUwP1TS/yK2Y= =uavw -----END PGP SIGNATURE----- --YiEDa0DAkWCtVeE4--
