Re: Stackable modules and NSS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Try putting files before ldap :

files ldap

And see if that aids you. Of course, they will have the local permisions, but that is kinda what you wanted, right?

Joe (the real joe)

Wayne Gowcher wrote:

Hi,

I am implementing an authetication scheme using
stackable modules - in this case pam_unix & pam_ldap.
In most cases everything works fine, but I have one
case ( and maybe some would consider a non valid case
) where authentication fails even though the entered
password was correct. The case is as follows :

You have a common user - call him joe defined locally
and in the ldap database.

You set joe's local password to joelocal, and joe's
ldap password to joeldap.

You set pam_ldap as the first method of authentication
in pam.d/login, and you set ldap as the first Name
Switch Service to be used in etc/nsswitch.conf.

With the above, when I login as user joe, but with
joe's LOCAL password, authentication FAILS, even
through the password is CORRECT.

I believe I have traced this failure down to the
following :

pam_ldap tries to authenticate joe, with username =
joe, and password = joelocal. This of course fails and
so PAM passes authentication to the next level for
pam_unix to have a go.

pam_unix calls getspnam() and because ldap is set as
the first service in etc/nsswitch.conf :

ldap files

nss retrieves joe's ldap password joeldap. pam_unix
uses this passowrd to compare with the joelocal
password the user typed in , and authentication fails.
:(

I believe this is how it is supposed to work, but what
i am really interested in knowing is, is there anyway
to make nss behave more like PAM ? That is how can I
make nss retrun joe's local password if, joe's ldap
password already failed ?

One Kludge that I can think of, is to remove the
generic getspnam (getpnam) calls in pam_unix &
pam_ldap and replace them with function such as getspnam_ldap, getspnam_local etc.

Any thoughts comments welcome.


__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools


_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list



_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux