On Thu, 29 May 2003, Jason Clifford wrote:

|> On Thu, 29 May 2003, Florian Verdet wrote:
|>
|> > I'm extending the pam_mysql module and want to fetch HOME and SHELL from a
|> > MySQL db and pass them to the PAM application (login, ssh,...) to use them
|> > accordingly.
|>
|> Why do it from PAM? It's not the right place. You want a plug in to the
|> NSS system calls (particularly for those to passwd, shadow and group) that
|> will allow you to use a mysql database instead of flat files for them.
|>
|> There already is one available and it is VERY good. It's called nss_mysql
|> and you can find all the details here -
|> http://savannah.nongnu.org/projects/nss-mysql
|>
|> You can still use PAM for authentication with it however all getpw* and
|> getgr* calls will be served according to the settings in your
|> /etc/nsswitch.conf file (where you configure the system to use mysql for
|> those lookups).

That's exactly how I have my test configuration set up. So far, it works
fine -- PAM handles all of the authentication, and nss-mysql handles all of
the account-information lookup. Beware of DEBUG mode in nss-mysql, though,
since I noticed an extreme slowdown of almost every operation. Otherwise, the
combination is fine.

You *could* use PAM to determine other, custom things (like checking for the
value of a custom field in a database table) that would not be appropriate
in nss-mysql. I hacked pam_mysql a bit to do stuff like that, and the
functions get called from inside pam_sm_acct_mgmt() and whatnot. But playing
with environment variables is not the most reliable way of passing info
along to the calling application, unless you know for sure that the caller
is not going to erase/overwrite the env variables that you set from within
your PAM functions.

My 8 cents,
Michael

--
/* BEGIN SIG
 *
 * "Afraid of change, afraid of staying the same,
 *  when temptation calls, we just look away."
 *      - Barenaked Ladies
 *
 * "He started writing in mirror writing, 'Help! I'm
 *  trapped behind the world.'"
 *      - New York State Journal of Medicine
 *
 *-----------------------------
 * Michael Chang
 * miranda@xxxxxxxxxx
 * http://www.syndetic.org/
 */

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
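
The account lookup discussed in this thread, as an added example that is not part of the original messages: an application resolves a user's home directory and shell through `getpwnam_r()`, which NSS answers from whatever sources `/etc/nsswitch.conf` lists, so a MySQL backend needs no PAM environment variables. The helper name `lookup_account` and the default user `root` are assumptions made for illustration.

```c
/* Added example: fetch HOME and SHELL through NSS instead of the PAM env. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: copy a user's home and shell into caller buffers.
 * Returns 0 on success, ENOENT if no NSS source knows the user,
 * ENAMETOOLONG if a field does not fit, else the getpwnam_r() error. */
int lookup_account(const char *user, char *home, size_t hlen,
                   char *shell, size_t slen)
{
    struct passwd pw, *res = NULL;
    size_t buflen = 1024;
    char *buf = NULL;
    int rc;
    do {                        /* grow the scratch buffer on ERANGE */
        char *nbuf = realloc(buf, buflen);
        if (nbuf == NULL) { free(buf); return ENOMEM; }
        buf = nbuf;
        rc = getpwnam_r(user, &pw, buf, buflen, &res);
        buflen *= 2;
    } while (rc == ERANGE && buflen <= (1u << 20));

    if (rc == 0 && res == NULL)
        rc = ENOENT;            /* lookup ran, but no source has the user */
    if (rc == 0 && (strlen(pw.pw_dir) >= hlen || strlen(pw.pw_shell) >= slen))
        rc = ENAMETOOLONG;      /* refuse to truncate a path silently */
    if (rc == 0) {
        strcpy(home, pw.pw_dir);
        strcpy(shell, pw.pw_shell);
    }
    free(buf);
    return rc;
}

int main(int argc, char **argv)
{
    char home[4096], shell[4096];
    const char *user = argc > 1 ? argv[1] : "root";
    int rc = lookup_account(user, home, sizeof home, shell, sizeof shell);
    if (rc != 0) { fprintf(stderr, "%s: %s\n", user, strerror(rc)); return 1; }
    printf("HOME=%s SHELL=%s\n", home, shell);
    return 0;
}
```
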