Giuseppe Lo Biondo wrote:
>
> Hi!
>
> I have the following problem:
>
> I'm trying to use the pam_ldap.so module with shadow capabilities.
>
> In the file /etc/pam.d/login I have:
>
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix_acct.so
>
> this means that if pam_ldap.so doesn't return SUCCESS or PAM_AUTHTOKEN_REQD
> then the module pam_unix_acct.so will be used.
>
> If an account is expired pam_ldap.so returns PAM_ACCT_EXPIRED, and the
> result from pam_unix_acct.so is evaluated.
>
> pam_unix_acct.so uses getsp* to get shadow info: having nss_ldap.so
> this information is taken from LDAP + local files.
>
> Anyway this doesn't work, I had to modify the file pam_unix_acct.c
> (Linux-PAM-0.72) that in the lines 129-136 states:
>
> 129 }
> 130
> 131 } else if (!strcmp( pwent->pw_passwd, "x" )) {
> 132 spent = getspnam(uname);
> 133 } else {
> 134 return PAM_SUCCESS;
> 135 }
> 136
>
> into
>
> 129 }
> 130
> 131 } else if (strcmp( pwent->pw_passwd, "x" )) {
> 132 spent = getspnam(uname);
> 133 } else {
> 134 return PAM_SUCCESS;
> 135 }
> 136
>
> since if the call for getpwent returns an x in the password field I want
> to look into the shadow password.

Ok, so you tried to change this to the opposite. What was there was right, what you changed was wrong. If the pw_passwd field has the value "x", strcmp will return 0, and your modified pam_unix will try to access shadow only if that field's value is _not_ "x".

> Without this change I was always granted access to shadow users (since
> nss_ldap correctly returns an x if the user is in the shadow). With this
> modification everything works. Anyway, since I don't know the whole code I
> wonder if someone can tell if this is really a bug or my problem is
> elsewhere.

If nss_ldap returns "x" in case of a shadowed password (I don't know how things are implemented in ldap; e.g. in nis+, there is only one table that holds all user information, there is no "shadow" at all, but it works with getpwnam() _and_ getspnam() returning just different columns in each case), then things should just work out of the box. I have no idea why it doesn't work.

Ok, some thoughts around.

o If you have a correctly working (read: compatible with traditional getspent/getpwent) nss_ldap, you do not need the pam_ldap module in the acct/auth/session stack at all; pam_unix should do the work just fine by itself.

o Question for pam library gurus (Andrew?): how are sufficient/required handled in case a module returns conditions like PAM_NEW_AUTHTOK_REQD, PAM_ACCOUNT_EXPIRED, PAM_INCOMPLETE? Example given above -- stacking pam_ldap with the `sufficient' flag and pam_unix with `required'. If the first returns EXPIRED, and the second returns some error (e.g. if the shadow entry is unavailable to pam_unix (if nss_ldap does not return it -- just a hypothetical case), but it is available to pam_ldap) -- in this case, pam should probably ignore the return value of pam_unix and should return EXPIRED to the app from pam_ldap... I ask this with my own work in mind -- probably pam_unix should return PAM_IGNORE in this case, and for this there should be a flag for it to do so.

o Maybe the problem with this particular case is exactly in the previous statement? What happens if _both_ modules return PAM_ACCT_EXPIRED?

Regards,
Michael.
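To make the strcmp point in the reply concrete, here is a small stand-alone C program (added here; it is not code from the thread or from Linux-PAM) that models the account-check branch from the quoted pam_unix_acct.c excerpt in both its original and its inverted form. The shadow table, the `demo_getspnam` lookup and the `DEMO_*` return codes are constructed stand-ins for getspnam() and the PAM constants; the logic of the `strcmp(pw_passwd, "x")` test is the only thing taken from the excerpt. It shows that with the inverted test, an account whose passwd field is the shadow marker "x" is never checked against shadow, so its expiry is silently ignored.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Placeholder return codes for this demo (not libpam's numeric values). */
enum { DEMO_SUCCESS = 0, DEMO_ACCT_EXPIRED = 1, DEMO_NO_SHADOW = 2 };

/* Constructed stand-in for the shadow database a real getspnam()
 * would consult via nss_ldap or /etc/shadow. */
struct demo_shadow { const char *name; int expired; };
static const struct demo_shadow shadow_db[] = {
    { "alice", 0 },   /* shadowed, account active */
    { "bob",   1 },   /* shadowed, account expired */
};

static const struct demo_shadow *demo_getspnam(const char *name) {
    for (size_t i = 0; i < sizeof shadow_db / sizeof shadow_db[0]; i++)
        if (strcmp(shadow_db[i].name, name) == 0)
            return &shadow_db[i];
    return NULL;
}

/* Evaluate the shadow entry once it has been looked up. */
static int check_shadow(const struct demo_shadow *sp) {
    if (!sp) return DEMO_NO_SHADOW;
    return sp->expired ? DEMO_ACCT_EXPIRED : DEMO_SUCCESS;
}

/* Branch as it stands in the original excerpt: strcmp() returns 0 when the
 * strings are equal, so !strcmp(...) is true exactly when pw_passwd is "x",
 * i.e. when the password lives in shadow and must be checked there. */
static int acct_check_original(const char *uname, const char *pw_passwd) {
    if (!strcmp(pw_passwd, "x"))
        return check_shadow(demo_getspnam(uname));
    return DEMO_SUCCESS;            /* not shadowed: nothing more to check */
}

/* Branch after the inverted test from the quoted modification: shadow is
 * consulted only when pw_passwd is NOT "x", so shadowed users skip it. */
static int acct_check_modified(const char *uname, const char *pw_passwd) {
    if (strcmp(pw_passwd, "x"))
        return check_shadow(demo_getspnam(uname));
    return DEMO_SUCCESS;
}

int main(void) {
    /* bob is expired in shadow; his passwd field carries the "x" marker. */
    printf("original: bob/x -> %d (expired)\n", acct_check_original("bob", "x"));
    printf("modified: bob/x -> %d (expiry never consulted)\n",
           acct_check_modified("bob", "x"));
    return 0;
}
```

Run it and compare the two lines: the original check reports bob as expired, the inverted one reports success for the same user, which is the "always granted access to shadow users" behaviour turned the wrong way round.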