Re: Stackable modules and NSS

With pam_ldap being called first in PAM, it should query the pam_ldap password first. When that fails, the user has either entered the wrong password or entered the local password.

pam_ldap should never even think about using NSS to verify the password. That would defeat the purpose of the pam_ldap module. Try putting the user first, and see if they can log in with both passwords.

Joe

Wayne Gowcher wrote:

Thanks for the reply Joe.

Sorry I forgot to mention that in my authentication
scheme, the user is free to set ldap before local or
local before ldap. So putting files before ldap would
not work in the case where a user types in the ldap
password for joe, since NSS would return joe's local
password.



--- Joe Lewis <joe@xxxxxxxxxxxxx> wrote:

Try putting files before ldap:

files ldap

And see if that aids you. Of course, they will have
the local permissions, but that is kinda what you wanted,
right?


Joe (the real joe)

Wayne Gowcher wrote:


Hi,

I am implementing an authentication scheme using
stackable modules - in this case pam_unix &
pam_ldap.

In most cases everything works fine, but I have one
case (and maybe some would consider a non valid case)
where authentication fails even though the entered
password was correct. The case is as follows:

You have a common user - call him joe - defined locally
and in the ldap database.

You set joe's local password to joelocal, and joe's
ldap password to joeldap.

You set pam_ldap as the first method of authentication
in pam.d/login, and you set ldap as the first Name
Switch Service to be used in etc/nsswitch.conf.

With the above, when I login as user joe, but with
joe's LOCAL password, authentication FAILS, even
though the password is CORRECT.

I believe I have traced this failure down to the
following:

pam_ldap tries to authenticate joe, with username =
joe, and password = joelocal. This of course fails and
so PAM passes authentication to the next level for
pam_unix to have a go.

pam_unix calls getspnam() and because ldap is set as
the first service in etc/nsswitch.conf:

ldap files

nss retrieves joe's ldap password joeldap. pam_unix
uses this password to compare with the joelocal
password the user typed in, and authentication
fails. :(

I believe this is how it is supposed to work, but what
I am really interested in knowing is, is there any way
to make nss behave more like PAM? That is, how can I
make nss return joe's local password if joe's ldap
password already failed?

One kludge that I can think of is to remove the
generic getspnam (getpwnam) calls in pam_unix &
pam_ldap and replace them with functions such as getspnam_ldap, getspnam_local etc.

Any thoughts/comments welcome.


__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list


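The interaction Wayne describes, as an added Python model (not code from the thread, and not the pam_ldap or pam_unix sources): it assumes pam_ldap checks the password against the directory directly while pam_unix obtains its stored hash only through getspnam(), and it uses a plain SHA-256 as a stand-in for crypt(3). Running it with both nsswitch orders shows why "joelocal" fails under "ldap files" and why, with "files ldap" and pam_ldap first in the stack, both passwords are accepted, which is the check Joe proposes.

```python
import hashlib

# Constructed stand-in for crypt(3): hash a password the same way everywhere.
def _hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed data: "joe" exists both in /etc/shadow (files) and in the
# directory (ldap), with different passwords, exactly as in the thread.
FILES_SHADOW = {"joe": _hash("joelocal")}
LDAP_SHADOW = {"joe": _hash("joeldap")}
NSS_SOURCES = {"files": FILES_SHADOW, "ldap": LDAP_SHADOW}

def nss_getspnam(user, nsswitch_order):
    """Model of getspnam() under NSS: walk the sources listed for the shadow
    database in order and return the first entry found. NSS has no notion of
    'the password the user typed', so it cannot fall through to a second
    source on an authentication failure; that decision lives in PAM."""
    for src in nsswitch_order:
        entry = NSS_SOURCES[src].get(user)
        if entry is not None:
            return entry
    return None

def pam_ldap_auth(user, password):
    """Model of pam_ldap: verifies the password against the directory itself
    (a bind as the user's DN) and never consults NSS."""
    entry = LDAP_SHADOW.get(user)
    return entry is not None and entry == _hash(password)

def pam_unix_auth(user, password, nsswitch_order):
    """Model of pam_unix: its only source for the stored hash is getspnam(),
    so whichever NSS source wins the lookup decides what 'the' password is."""
    entry = nss_getspnam(user, nsswitch_order)
    return entry is not None and entry == _hash(password)

def pam_auth_stack(user, password, nsswitch_order):
    """Model of the stack in pam.d/login:
         auth sufficient pam_ldap.so
         auth required   pam_unix.so
    Returns the module that accepted the password, or None if neither did."""
    if pam_ldap_auth(user, password):
        return "pam_ldap"
    if pam_unix_auth(user, password, nsswitch_order):
        return "pam_unix"
    return None

if __name__ == "__main__":
    for order in (["ldap", "files"], ["files", "ldap"]):
        for pw in ("joeldap", "joelocal"):
            print(order, pw, "->", pam_auth_stack("joe", pw, order))
```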
