>I believe that you want to put the name of your non local-user into
>PAM_USER. Your application needs to avoid using this username for any
>getpw* calls (unless it can resolve the mapping of this user to some
>uid).

What about FreeBSD's support for template users? This, I believe, was designed for this exact problem (many users in RADIUS, one template account in /etc/passwd). Their trick is to refetch PAM_USER after calling pam_authenticate(), resetting the application's idea of the user's identity.

Although I haven't tested it (!), there's support for this in pam_ldap: you can assign one attribute for the login name (like userPrincipalName, so the user can log in with "lukeh@padl.com") and another attribute (like uid) to the actual account. Or, the account can be specified globally.

-- Luke

--
Luke Howard | Darwin Developer | PADL Software Pty Ltd
www.padl.com | lukeh@darwin.apple.com | lukeh@padl.com
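
The refetch-after-authenticate pattern described in this message, as an added example that is not part of the original post or of any PAM implementation. It is a plain-C model that runs without libpam: `toy_pamh`, `toy_authenticate`, `lookup_uid`, the account `radius_tmpl` and the password are constructed stand-ins, and in a real application the marked steps are `pam_authenticate()`, `pam_get_item()` with `PAM_USER`, and `getpwnam()`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed account table standing in for /etc/passwd: one template
 * account and no per-user entries (many remote users, one local account). */
struct acct { const char *name; int uid; };
static const struct acct passwd_tbl[] = { { "radius_tmpl", 2000 } };

/* Stand-in for getpwnam(): returns the uid, or -1 if the name is unknown. */
static int lookup_uid(const char *name) {
    for (size_t i = 0; i < sizeof passwd_tbl / sizeof passwd_tbl[0]; i++)
        if (strcmp(passwd_tbl[i].name, name) == 0) return passwd_tbl[i].uid;
    return -1;
}

/* Toy handle: 'user' plays the role of the PAM_USER item. */
struct toy_pamh { char user[64]; };

/* Stand-in for pam_authenticate() backed by a template-user module: on
 * success it rewrites the user item to the local template account. */
static int toy_authenticate(struct toy_pamh *h, const char *password) {
    if (strcmp(h->user, "lukeh@padl.com") != 0 ||
        strcmp(password, "constructed-pw") != 0)
        return -1;
    snprintf(h->user, sizeof h->user, "%s", "radius_tmpl");
    return 0;
}

/* Application side: returns the uid to run the session as, or -1.
 * The typed login only seeds the handle; it is never used for the lookup. */
int session_uid(const char *typed_login, const char *password) {
    struct toy_pamh h;
    if (strlen(typed_login) >= sizeof h.user) return -1;
    strcpy(h.user, typed_login);
    if (toy_authenticate(&h, password) != 0) return -1;  /* auth failed */
    /* Refetch the user item after authentication and resolve that name
     * only; an unresolvable name returns -1, so the caller fails closed. */
    return lookup_uid(h.user);
}

int main(void) {
    printf("typed name -> uid %d\n", lookup_uid("lukeh@padl.com"));
    printf("after refetch -> uid %d\n",
           session_uid("lukeh@padl.com", "constructed-pw"));
    return 0;
}
```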