Hi!

I have the following problem: I'm trying to use the pam_ldap.so module with shadow capabilities. In the file /etc/pam.d/login I have:

    account sufficient /lib/security/pam_ldap.so
    account required   /lib/security/pam_unix_acct.so

This means that if pam_ldap.so doesn't return SUCCESS or PAM_AUTHTOKEN_REQD then the module pam_unix_acct.so will be used. If an account is expired, pam_ldap.so returns PAM_ACCT_EXPIRED, and the result from pam_unix_acct.so is evaluated. pam_unix_acct.so uses getsp* to get shadow info: with nss_ldap.so this information is taken from LDAP + local files.

Anyway, this doesn't work. I had to modify the file pam_unix_acct.c (Linux-PAM-0.72), which in lines 129-136 states:

    129         }
    130
    131     } else if (!strcmp( pwent->pw_passwd, "x" )) {
    132         spent = getspnam(uname);
    133     } else {
    134         return PAM_SUCCESS;
    135     }
    136

into

    129         }
    130
    131     } else if (strcmp( pwent->pw_passwd, "x" )) {
    132         spent = getspnam(uname);
    133     } else {
    134         return PAM_SUCCESS;
    135     }
    136

since if the call for getpwent returns an x in the password field I want to look into the shadow password. Without this change I was always granted access to shadow users (since nss_ldap correctly returns an x if the user is in the shadow). With this modification everything works.

Anyway, since I don't know the whole code, I wonder if someone can tell if this is really a bug or my problem is elsewhere.

Thanks,
Giuseppe
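Added example, not part of the original post and not Linux-PAM code: a stand-alone model of the branch quoted at lines 131-135, showing for each form of the condition which value of pw_passwd leads to the shadow lookup and which returns success without one. The shadow table, user names, result-code names, the handling of a missing entry and the simplified expiry test are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in result codes for this model; not the PAM header values. */
enum { ACCT_SUCCESS, ACCT_EXPIRED, ACCT_UNAVAIL };

/* Constructed shadow data: expiry as a day number, -1 = never expires. */
struct shadow_row { const char *name; long expire_day; };
static const struct shadow_row shadow_db[] = {
    { "alice", 10000 },   /* expired before the sample "today" */
    { "bob",   -1    },   /* never expires */
};

/* Hypothetical replacement for getspnam(): search the table above. */
static const struct shadow_row *lookup_shadow(const char *uname)
{
    for (size_t i = 0; i < sizeof shadow_db / sizeof shadow_db[0]; i++)
        if (strcmp(shadow_db[i].name, uname) == 0)
            return &shadow_db[i];
    return NULL;
}

/* modified == 0: condition as in the first listing, !strcmp(pw_passwd, "x")
 * modified == 1: condition as in the second listing, strcmp(pw_passwd, "x") */
int acct_check(const char *uname, const char *pw_passwd, long today, int modified)
{
    const struct shadow_row *sp;
    int consult = modified ? strcmp(pw_passwd, "x") != 0
                           : !strcmp(pw_passwd, "x");
    if (!consult)
        return ACCT_SUCCESS;            /* the "else" branch, line 134 */
    sp = lookup_shadow(uname);          /* the getspnam() branch, line 132 */
    if (sp == NULL)
        return ACCT_UNAVAIL;            /* assumed handling of a missing entry */
    if (sp->expire_day != -1 && today > sp->expire_day)
        return ACCT_EXPIRED;            /* assumed, simplified expiry test */
    return ACCT_SUCCESS;
}

int main(void)
{
    const char *fields[] = { "x", "$1$constructed" };
    for (int m = 0; m < 2; m++)
        for (int f = 0; f < 2; f++)
            printf("modified=%d pw_passwd=%-15s alice -> %d\n",
                   m, fields[f], acct_check("alice", fields[f], 11000, m));
    return 0;
}
```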