Deprecating pam_stack.so

Lamont R. Peterson lamont at gurulabs.com
Wed Oct 12 00:39:47 UTC 2005


On Tuesday 11 October 2005 06:06pm, Bernardo Innocenti wrote:
> Tomas Mraz wrote:
> > Linux-PAM 0.78 and later contains include directive which obsoletes
> > using the pam_stack module. This module is rather a hack as it requires
> > access to pam library internals for its operation and will never be
> > accepted to upstream.
>
> Thank you.  Simplifying PAM configuration was badly needed.
>
> I have a few wishlist entries to submit, if you have time to
> consider them:
>
>  - For some reason, pam_ldap interacts strangely with pam_unix.
>    Even though pam_unix comes before it and is "sufficient",

Not sure how to explain that.

>    nobody can login when the network is down or slapd is down.

That is normal...unless you have configured your systems to cache 
authentication credentials locally so that they can authenticate 
disconnected.

>    Also, you can login as root with root's password from ldap
>    even though there's a valid root entry in /etc/passwd.

Yup.  That's normal, because, when the pam_unix.so check for root fails, the 
"sufficient" line will not affect the overall outcome of the authentication 
attempt, then PAM moves on to the next line and succeeds with the sufficient 
pam_ldap.so line.

This is part of the reason why having root credentials in your central 
authentication store is a BIG NO-NO.  You should *only* have root credentials 
locally on each machine.

[SNIP]
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
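The stacking behaviour described in the reply above, as an added example that is not part of the thread or of Linux-PAM: a small Python model of the required/requisite/sufficient/optional control flags, run over the stack in question and over an assumed hardened variant (gating pam_ldap.so with a requisite pam_succeed_if.so line is an assumption for illustration, not something the thread proposes).

```python
"""Model of Linux-PAM control-flag semantics for the auth stack discussed
in this thread.  Added example, not code from the mailing list or from
Linux-PAM; it implements the documented required/requisite/sufficient/
optional rules (simplified: no [value=action] syntax, no module args)."""

from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control flag, module name)


def evaluate(stack: Stack, results: Dict[str, bool]) -> bool:
    """Walk the stack; `results` says whether each module succeeds for
    this login attempt.  Returns the overall PAM auth verdict."""
    required_failed = False
    for control, module in stack:
        ok = results[module]
        if control == "requisite" and not ok:
            return False                 # abort the stack at once
        if control == "required" and not ok:
            required_failed = True       # keep going, but the verdict is set
        elif control == "sufficient" and ok and not required_failed:
            return True                  # short-circuit: later lines skipped
        # 'optional', and a failing 'sufficient', leave the verdict alone
    return not required_failed


# The stack the thread describes: pam_unix "sufficient" before pam_ldap
# "sufficient", with the usual trailing pam_deny.
THREAD_STACK: Stack = [("sufficient", "pam_unix.so"),
                       ("sufficient", "pam_ldap.so"),
                       ("required", "pam_deny.so")]

# Assumed hardening (not from the thread): a requisite pam_succeed_if.so
# line (e.g. "uid >= 500") that fails for root, so the LDAP lookup is never
# reached for root and only the local password can authenticate that account.
HARDENED_STACK: Stack = [("sufficient", "pam_unix.so"),
                         ("requisite", "pam_succeed_if.so"),
                         ("sufficient", "pam_ldap.so"),
                         ("required", "pam_deny.so")]

# Constructed scenarios: which module would succeed in each situation.
ROOT_LDAP_PASSWORD = {"pam_unix.so": False, "pam_succeed_if.so": False,
                      "pam_ldap.so": True, "pam_deny.so": False}
ROOT_LOCAL_PASSWORD = {"pam_unix.so": True, "pam_succeed_if.so": False,
                       "pam_ldap.so": False, "pam_deny.so": False}
USER_LDAP_OK = {"pam_unix.so": False, "pam_succeed_if.so": True,
                "pam_ldap.so": True, "pam_deny.so": False}
USER_LDAP_DOWN = {"pam_unix.so": False, "pam_succeed_if.so": True,
                  "pam_ldap.so": False, "pam_deny.so": False}
```

Running `evaluate(THREAD_STACK, ROOT_LDAP_PASSWORD)` reproduces the complaint: the failing "sufficient" pam_unix line is simply skipped and the LDAP root password is accepted, while the hardened stack rejects it and still lets root in with the local password when LDAP is unreachable.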