Wayne, On Thu, 19 Feb 2004, Wayne Gowcher wrote: [snip...] |> The key point I have noted here is that getpnam / |> getspnam looks up a password according to user name. |> In my case user joe exists in both the local database |> and in the ldap database, BUT ( rightly or wrongly ) |> has DIFFERENT passwords. Nss doesn't know joe has |> different passwords, all it knows is that every time |> someone calls it asking for user joe's password, nss |> looks up the user in it's databases according to the |> order set in nsswitch.conf. So in this case, Nss will |> always choose the first ( _nss_ldap_getpnam ) and so |> when pam unix tries to verify the password returned by |> getpnam against what the user typed in, it will always |> fail. But what is the proper behaviour for NSS when a particular module fails? Is it really supposed to return a failure status for the entire "stack," or is it supposed to try the next module if the previous one failed? It would seem logical for NSS to try the next module (assuming one exists inside nsswitch.conf). If I had to take a stab at it, I would put the following inside of nsswitch.conf: passwd: files [!SUCCESS=continue] ldap shadow: files [!SUCCESS=continue] ldap Does that make sense? HTW (Hope That Works), Michael |> _______________________________________________ |> |> Pam-list@xxxxxxxxxx |> https://www.redhat.com/mailman/listinfo/pam-list _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
