Re: Stackable modules and NSS

Wayne,


On Thu, 19 Feb 2004, Wayne Gowcher wrote:

[snip...]

|> The key point I have noted here is that getpnam /
|> getspnam looks up a password according to user name.
|> In my case user joe exists in both the local database
|> and in the ldap database, BUT ( rightly or wrongly )
|> has DIFFERENT passwords. Nss doesn't know joe has
|> different passwords, all it knows is that every time
|> someone calls it asking for user joe's password, nss
|> looks up the user in its databases according to the
|> order set in nsswitch.conf. So in this case, Nss will
|> always choose the first ( _nss_ldap_getpnam ) and so
|> when pam unix tries to verify the password returned by
|> getpnam against what the user typed in, it will always
|> fail.

But what is the proper behaviour for NSS when a particular
module fails?  Is it really supposed to return a failure
status for the entire "stack," or is it supposed to try
the next module if the previous one failed?

It would seem logical for NSS to try the next module (assuming
one exists inside nsswitch.conf).

If I had to take a stab at it, I would put the following
inside of nsswitch.conf:
 passwd: files [!SUCCESS=continue] ldap
 shadow: files [!SUCCESS=continue] ldap


Does that make sense?


HTW (Hope That Works),
Michael


|> _______________________________________________
|> 
|> Pam-list@xxxxxxxxxx
|> https://www.redhat.com/mailman/listinfo/pam-list
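
A small model of how glibc walks an nsswitch.conf line like the one suggested above, added here as an illustration and not part of the original message. The backend tables and hash strings are constructed sample data, and the default actions (return on SUCCESS, continue on every other status) are taken from the nsswitch.conf manual page.

```python
import re

# glibc defaults: stop on SUCCESS, fall through to the next source otherwise.
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_line(line):
    """Parse 'db: src [STATUS=action ...] src' into (db, [(src, actions), ...])."""
    db, rest = line.split(":", 1)
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not tok.startswith("["):
            chain.append((tok, dict(DEFAULTS)))
            continue
        if not chain:
            raise ValueError("action list must follow a source")
        for item in tok[1:-1].split():
            status, action = item.split("=", 1)
            negate = status.startswith("!")
            status = status.lstrip("!").upper()
            if status not in DEFAULTS:
                raise ValueError("unknown status: " + status)
            # '!STATUS' applies the action to every status except STATUS.
            for s in DEFAULTS:
                if (s != status) == negate:
                    chain[-1][1][s] = action.lower()
    return db.strip(), chain

def lookup(chain, backends, name):
    """Walk the chain; return (status, entry, sources actually consulted)."""
    status, entry, consulted = "UNAVAIL", None, []
    for src, actions in chain:
        consulted.append(src)
        table = backends.get(src)
        if table is None:
            status, entry = "UNAVAIL", None
        elif name in table:
            status, entry = "SUCCESS", table[name]
        else:
            status, entry = "NOTFOUND", None
        if actions[status] == "return":
            break
    return status, entry, consulted

# Constructed sample data: joe exists in both databases with different hashes.
BACKENDS = {"files": {"joe": "hash-from-local-shadow"},
            "ldap": {"joe": "hash-from-ldap", "ann": "hash-for-ann"}}

if __name__ == "__main__":
    for conf in ("shadow: files [!SUCCESS=continue] ldap", "shadow: ldap files"):
        print(conf, "->", lookup(parse_line(conf)[1], BACKENDS, "joe"))
```

In this model `[!SUCCESS=continue]` produces the same action table as the defaults, and a user present in both databases is always answered by whichever source is listed first; the second source is consulted only when the first does not return SUCCESS.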
