Re: change session's login shell

On 07/26/11 10:10, Frank Van Damme wrote:
> On 26-07-11 02:34, Gary Algier wrote:
>> On Jul 25, 2011, at 17:24, Tim Nowaczyk <tan7f@xxxxxxxxxxxx> wrote:
>>>
>>> On Jul 25, 2011, at 5:04 PM, Frank Van Damme wrote:
>>>> So they each use their own methods like grepping /etc/passwd, doing
>>>> ldap lookups, or whatever it takes to come up with a shell - like
>>>> "nothing" in the case of obscure authentication methods that the
>>>> application happens to know nothing about?
>>>
>>> This is out of scope for the pam list, but you should know that you can simply call getpwnam so you don't have to grep /etc/passwd.  Many large installations don't even have most of their users in /etc/passwd, but use NIS or LDAP instead.  getpwnam uses NSS to get all the users/passwords/groups.  Your initial feature request might be able to be implemented by writing a custom NSS module. [1]
>>>
>>> Cheers,
>>> Tim Nowaczyk
>>>
>>> [1] http://www.gnu.org/s/hello/manual/libc/Extending-NSS.html#Extending-NSS
>>
>> Actually this is already handled in most NIS and some LDAP implementations using a syntax like:
>>       +@group::::::/bin/myshell    (I may be off on the number of colons).
>> in the /etc/passwd file.  Read the docs for your platform's passwd
>> file syntax and the nsswitch.conf file.  Solaris can do this, your
>> mileage may vary.
>>
>> Fat fingered from my iPad -- miscorrections happen.
>
> Oh, so it's nss providing that info. You got the number of colons
> right, by the way - the syntax details about /etc/passwd can be found in
> nsswitch.conf's man page (...).
>
> So for the googler: specify "compat" as a service to "passwd" in
> /etc/nsswitch.conf, and "ldap" as a service to "passwd_compat".
>
> I set it up now with passwd/group/shadow_compat set to "ldap" and
> putting a plus in /etc/passwd works, +user works, but +@groupname does
> not. I don't get the group's members as output in "getent passwd", even
> if the group is a local group.

The groups need to be defined as _netgroups_, not posix groups. Yet another Sun-ism.

--
Gary Algier, WB2FWZ          gaa at ulticom.com             +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054      Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
    People don't read documentation voluntarily.
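The following is an added example, not code from this thread or from any of its participants. It models how glibc's NSS "compat" source (the `passwd: compat` / `passwd_compat: ldap` setup Frank describes) walks `/etc/passwd` in order, honours `-user`, `+user`, `+@netgroup` and bare `+` lines, and lets a `+` line override only the passwd, gecos, home and shell fields. The `/etc/passwd`, `/etc/netgroup`, `/etc/group` and directory contents are all constructed and labelled as such, so nothing talks to a real LDAP or NIS server; the one live call is `pwd.getpwnam()`, which is the `getpwnam` Tim recommends over grepping `/etc/passwd`. The POSIX-group check exists only to show the point of Gary's reply: a user who is in the POSIX group `ops` but not in the netgroup `ops` is not picked up by `+@ops`.

```python
# Added example (not code from the pam-list thread): a model of how the
# glibc NSS "compat" source resolves a login shell, run on constructed data,
# plus a pwd.getpwnam() lookup for the live case.
#
# Thread's nsswitch.conf (assumed glibc compat semantics, first match wins):
#   passwd:        compat
#   passwd_compat: ldap
import pwd

# Constructed /etc/passwd: seven fields, so "+name::::::/bin/myshell" has
# six colons and overrides only the shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
-baduser
+alice::::::/bin/zsh
+@ops::::::/bin/myshell
+::::::/usr/sbin/nologin
"""

# Constructed /etc/netgroup: "+@ops" refers to THIS, not to a POSIX group.
SAMPLE_NETGROUP = "ops (,bob,) (,carol,)\n"

# Constructed /etc/group: dave is in POSIX group "ops", which compat ignores.
SAMPLE_GROUP = "ops:x:500:dave\n"


def _dir_entry(name, uid, shell="/bin/bash"):
    """Constructed directory record in passwd field order."""
    return (name, "x", uid, uid, name.title(), f"/home/{name}", shell)


# Constructed stand-in for what the "ldap" source would return.
SAMPLE_DIRECTORY = {n: _dir_entry(n, u) for n, u in
                    [("alice", 1001), ("bob", 1002), ("carol", 1003),
                     ("dave", 1004), ("baduser", 1005)]}


def parse_netgroups(text):
    """Map netgroup name -> set of user names from (host,user,domain) triples."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, *triples = line.split()
        members = set()
        for triple in triples:
            _host, user, _domain = triple.strip("()").split(",")
            members.add(user)  # an empty user field is a wildcard
        groups[name] = members
    return groups


def in_netgroup(user, group, netgroups):
    members = netgroups.get(group, set())
    return user in members or "" in members


def in_posix_group(user, group, group_text):
    """/etc/group membership, shown only to contrast with netgroups."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return user in fields[3].split(",")
    return False


def resolve_entry(name, passwd_text, netgroups, directory):
    """Walk the compat passwd file in order; the first matching rule decides."""
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        key = fields[0]
        if not key.startswith(("+", "-")):
            if key == name:
                return tuple(fields)          # plain local entry wins
            continue
        selector = key[1:]
        matches = (selector == "" or selector == name or
                   (selector.startswith("@") and
                    in_netgroup(name, selector[1:], netgroups)))
        if not matches:
            continue
        if key.startswith("-"):
            return None                       # explicitly excluded
        entry = directory.get(name)
        if entry is None:
            continue                          # not in the directory; keep scanning
        overrides = (fields[1:] + [""] * 6)[:6]
        merged = list(entry)
        for idx in (1, 4, 5, 6):              # passwd, gecos, home, shell
            if overrides[idx - 1]:
                merged[idx] = overrides[idx - 1]
        return tuple(merged)
    return None


def resolve_shell(name, passwd_text=SAMPLE_PASSWD,
                  netgroup_text=SAMPLE_NETGROUP, directory=SAMPLE_DIRECTORY):
    entry = resolve_entry(name, passwd_text, parse_netgroups(netgroup_text),
                          directory)
    return entry[6] if entry else None


def live_shell(name):
    """The real lookup: ask NSS via getpwnam() instead of grepping /etc/passwd."""
    try:
        return pwd.getpwnam(name).pw_shell
    except KeyError:
        return None


if __name__ == "__main__":
    for user in ("root", "alice", "bob", "carol", "dave", "baduser", "nobody"):
        print(f"{user:8} shell={resolve_shell(user)}  "
              f"posix-ops={in_posix_group(user, 'ops', SAMPLE_GROUP)}")
```

Running it shows `bob` and `carol` getting `/bin/myshell` through the netgroup, `dave` falling through to the bare `+` line despite his POSIX-group membership, and `baduser` being dropped by the `-` line before the `+` lines are reached; `live_shell()` returns `None` for a name NSS does not know, which is the check a caller should make instead of assuming a shell.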

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list