Re: PAM modules violating PAM architecture?, e.g. mod_auth_pam


 



At 02:28 PM 10/6/2004, Tony den Haan wrote:
> On Wednesday 06 October 2004 20:44, Jed Donnelley wrote:
>
> > As I understand the PAM architecture (as on the diagram above) this should
> > work to use with apache authentication being forwarded to LDAP.  However, I
> > found that I needed to include:
> >
> > passwd:    files ldap
> > group:       files ldap
> >
> > in my /etc/nsswitch.conf file to get it to function.  This meant I couldn't
> > use it in my system as it forced all sorts of LDAP users and groups to
> > be on the system (e.g. for login, file access, etc., etc.) that should not
> > be on the system.
>
> nopes,

?

> you need nss_ldap for that, which comes from the same padl.com
> people who wrote pam_ldap.

Correct, but of course I have nss_ldap functioning and I need to do so if those calls to getpwnam and getgrnam are going to function for the users and groups that are only visible through LDAP.

The bottom line is the way mod_auth_pam is coded, getpwnam and
getgrnam must function for the users/groups that I want to authenticate
from apache with mod_auth_pam.  For those functions to work for those
users/groups the users/groups must appear as if they are in
/etc/passwd and /etc/group - e.g. by use of lib_nss and nss_ldap.

--Jed http://www.nersc.gov/~jed/

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
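
An added example, not part of the original message and not mod_auth_pam's code: a small C check of whether a user and group are visible through NSS, using the getpwnam/getgrnam family the thread names. The helper `nss_check`, its result codes and the membership test are assumptions made for illustration; an account that exists only in LDAP resolves here only when `ldap` is listed for `passwd:` and `group:` in /etc/nsswitch.conf.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum vis_result { VIS_OK, VIS_NO_USER, VIS_NO_GROUP, VIS_NOT_MEMBER };

/* Hypothetical helper: resolve user and group through NSS (whatever
 * sources nsswitch.conf lists) and test group membership. */
enum vis_result nss_check(const char *user, const char *group)
{
    char pbuf[16384], gbuf[65536];
    struct passwd pw, *pwres = NULL;
    struct group gr, *grres = NULL;

    /* A user known only to pam_ldap, and not to any NSS source,
     * fails here even if PAM authentication itself would succeed. */
    if (getpwnam_r(user, &pw, pbuf, sizeof pbuf, &pwres) != 0 || !pwres)
        return VIS_NO_USER;
    if (getgrnam_r(group, &gr, gbuf, sizeof gbuf, &grres) != 0 || !grres)
        return VIS_NO_GROUP;

    /* Member by primary gid, or listed in the group's member list. */
    if (pw.pw_gid == gr.gr_gid)
        return VIS_OK;
    for (char **m = gr.gr_mem; m && *m; m++)
        if (strcmp(*m, user) == 0)
            return VIS_OK;
    return VIS_NOT_MEMBER;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "visible, member",
                                 "user not visible to NSS",
                                 "group not visible to NSS",
                                 "user not in group" };
    if (argc != 3) {
        fprintf(stderr, "usage: %s USER GROUP\n", argv[0]);
        return 2;
    }
    enum vis_result r = nss_check(argv[1], argv[2]);
    printf("%s / %s: %s\n", argv[1], argv[2], msg[r]);
    return r == VIS_OK ? 0 : 1;
}
```

Running it for an LDAP-only account with and without `ldap` in nsswitch.conf shows the system-wide visibility trade-off described in the message.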
