files ldap
And see if that aids you. Of course, they will have the local permissions, but that is kinda what you wanted, right?
Joe (the real joe)
Wayne Gowcher wrote:
Hi,
I am implementing an authentication scheme using stackable modules - in this case pam_unix & pam_ldap. In most cases everything works fine, but I have one case (and maybe some would consider a non-valid case) where authentication fails even though the entered password was correct. The case is as follows:
You have a common user - call him joe defined locally and in the ldap database.
You set joe's local password to joelocal, and joe's ldap password to joeldap.
You set pam_ldap as the first method of authentication in pam.d/login, and you set ldap as the first Name Switch Service to be used in etc/nsswitch.conf.
With the above, when I login as user joe, but with joe's LOCAL password, authentication FAILS, even though the password is CORRECT.
I believe I have traced this failure down to the following:
pam_ldap tries to authenticate joe, with username = joe, and password = joelocal. This of course fails and so PAM passes authentication to the next level for pam_unix to have a go.
pam_unix calls getspnam() and because ldap is set as the first service in etc/nsswitch.conf:
ldap files
nss retrieves joe's ldap password joeldap. pam_unix uses this password to compare with the joelocal password the user typed in, and authentication fails. :(
I believe this is how it is supposed to work, but what I am really interested in knowing is, is there any way to make nss behave more like PAM? That is, how can I make nss return joe's local password if joe's ldap password already failed?
One kludge that I can think of is to remove the generic getspnam (getpnam) calls in pam_unix & pam_ldap and replace them with functions such as getspnam_ldap, getspnam_local etc.
Any thoughts comments welcome.
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list