Hi, I am implementing an authentication scheme using stackable modules - in this case pam_unix & pam_ldap. In most cases everything works fine, but I have one case (and maybe some would consider it a non-valid case) where authentication fails even though the entered password was correct.

The case is as follows: You have a common user - call him joe - defined locally and in the LDAP database. You set joe's local password to joelocal, and joe's LDAP password to joeldap. You set pam_ldap as the first method of authentication in pam.d/login, and you set ldap as the first Name Service Switch source to be used in /etc/nsswitch.conf.

With the above, when I log in as user joe, but with joe's LOCAL password, authentication FAILS, even though the password is CORRECT.

I believe I have traced this failure down to the following: pam_ldap tries to authenticate joe, with username = joe and password = joelocal. This of course fails, and so PAM passes authentication to the next level for pam_unix to have a go. pam_unix calls getspnam(), and because ldap is set as the first service in /etc/nsswitch.conf ("ldap files"), NSS retrieves joe's LDAP password joeldap. pam_unix uses this password to compare with the joelocal password the user typed in, and authentication fails. :(

I believe this is how it is supposed to work, but what I am really interested in knowing is: is there any way to make NSS behave more like PAM? That is, how can I make NSS return joe's local password if joe's LDAP password has already failed?

One kludge that I can think of is to remove the generic getspnam() (getpwnam()) calls in pam_unix & pam_ldap and replace them with functions such as getspnam_ldap, getspnam_local, etc.

Any thoughts/comments welcome.

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
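The interaction the poster traces (a "sufficient" PAM stack in which pam_ldap binds to the directory with the typed password, while pam_unix asks NSS for a hash and NSS hands back the first source listed in nsswitch.conf) can be modelled in a few lines. The block below is an added example, not code from pam_unix, pam_ldap or the mailing-list post: the user "joe", his two passwords, the shadow maps and the nsswitch.conf texts are all constructed sample data, and SHA-256 stands in for crypt(3) hashing only so the toy stores no plaintext. It reproduces the failing case from the post and also shows what happens under the common alternative ordering "shadow: files ldap", which the post does not try.

```python
# Added model of the pam_ldap + pam_unix + nsswitch interaction described in
# the post. Not the real modules: pam_ldap here "binds" by comparing against
# the directory map, pam_unix asks a toy getspnam() that walks the nsswitch
# source order, and SHA-256 replaces crypt(3). All data below is constructed.
import hashlib


def _hash(password: str) -> str:
    """Toy password hash (real pam_unix compares crypt(3) hashes)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample data matching the post: same user, two different passwords.
LOCAL_SHADOW = {"joe": _hash("joelocal")}    # stands in for /etc/shadow (files)
LDAP_DIRECTORY = {"joe": _hash("joeldap")}   # stands in for userPassword in LDAP

NSS_SOURCES = {"files": LOCAL_SHADOW, "ldap": LDAP_DIRECTORY}


def parse_nsswitch_shadow(nsswitch_conf: str) -> tuple:
    """Return the source order from the 'shadow:' line of an nsswitch.conf text."""
    for line in nsswitch_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("shadow:"):
            return tuple(line.split(":", 1)[1].split())
    raise ValueError("no shadow: line in nsswitch.conf")


def getspnam(user: str, nss_order: tuple):
    """Model of getspnam(): the first source in nsswitch order that knows the user wins."""
    for source in nss_order:
        entry = NSS_SOURCES[source].get(user)
        if entry is not None:
            return entry
    return None


def pam_unix_auth(user: str, password: str, nss_order: tuple) -> bool:
    """pam_unix: compare the typed password with whatever hash NSS hands back."""
    stored = getspnam(user, nss_order)
    return stored is not None and stored == _hash(password)


def pam_ldap_auth(user: str, password: str, nss_order: tuple) -> bool:
    """pam_ldap: binds to the directory with the typed password; NSS order is irrelevant."""
    stored = LDAP_DIRECTORY.get(user)
    return stored is not None and stored == _hash(password)


PAM_MODULES = {"pam_ldap.so": pam_ldap_auth, "pam_unix.so": pam_unix_auth}


def pam_authenticate(user: str, password: str, pam_stack: tuple, nss_order: tuple) -> bool:
    """A stack of 'auth sufficient' modules: first success wins; all failing fails."""
    for module in pam_stack:
        if PAM_MODULES[module](user, password, nss_order):
            return True
    return False


# The post's configuration: pam_ldap before pam_unix, and ldap before files in NSS.
POSTS_PAM_STACK = ("pam_ldap.so", "pam_unix.so")
POSTS_NSSWITCH = "passwd: ldap files\nshadow: ldap files\n"
FILES_FIRST_NSSWITCH = "passwd: files ldap\nshadow: files ldap\n"


def login(user: str, password: str,
          nsswitch_conf: str = POSTS_NSSWITCH,
          pam_stack: tuple = POSTS_PAM_STACK) -> bool:
    """Run the modelled PAM stack for one login attempt under a given nsswitch.conf."""
    return pam_authenticate(user, password, pam_stack, parse_nsswitch_shadow(nsswitch_conf))


if __name__ == "__main__":
    print("ldap password, ldap-first NSS  :", login("joe", "joeldap"))   # True
    print("local password, ldap-first NSS :", login("joe", "joelocal"))  # False: pam_unix got the LDAP hash
    print("local password, files-first NSS:", login("joe", "joelocal", FILES_FIRST_NSSWITCH))  # True
    print("ldap password, files-first NSS :", login("joe", "joeldap", FILES_FIRST_NSSWITCH))   # True
```

The model makes the practical point visible: because pam_ldap verifies the password against the directory itself, the nsswitch.conf order only affects pam_unix, so listing files before ldap gives both of joe's passwords a module that can check them without NSS having to "remember" that the LDAP attempt failed. Whether that ordering is acceptable depends on which source should be authoritative for users defined in both places, which is a policy question the post leaves open.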