>>>>> "Martin" == Martin Schwenke <martin@meltin.net> writes:

Sam> Why not split these two distinct checks into two modules.
Sam> Have pam_unix do the checks for pam_unix. Then have another
Sam> module that determines whether you want to bypass
Sam> network-based checks for the current user.

Martin> That's what I'm doing right now. It contorts the logic
Martin> and introduces an unnecessary inefficiency.

And here's where I think is the fundamental disagreement we have. I'd rather see minimum code duplication and PAM modules that do one job well rather than having too much functionality added. Since the function of standard unix checks and checking for local users can be cleanly split, they should be split into two modules. I believe it is simpler code flow, easier to debug and more flexible.

Sam> P.S. You're doomed on the whole not depending on network
Sam> front if nss_ldap appears anywhere in your group nsswitch
Sam> configuration.

Martin> "getent passwd root", "getent group root" and "ls -l
Martin> /root" don't generate any LDAP traffic. If they did, I'd
Martin> argue that NSS is broken. The only LDAP traffic I see
Martin> when I try to login as root looks to be generated by
Martin> pam_unix! :-(

The problem happens with the initgroups call. I need to enumerate the list of all groups in order to determine what supplemental groups you are in. The NSS interface in libc simply isn't well thought out enough to allow for anything else.