
Shadow password & pam_unix_acct.so



Hi!

I have the following problem:

I'm trying to use the pam_ldap.so module with shadow capabilities.

In the file /etc/pam.d/login I have:

account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so


This means that if pam_ldap.so doesn't return SUCCESS or PAM_AUTHTOKEN_REQD
then the module pam_unix_acct.so will be used.

If an account is expired pam_ldap.so returns PAM_ACCT_EXPIRED, and the 
result from pam_unix_acct.so is evaluated.

pam_unix_acct.so uses getsp* to get shadow info: having nss_ldap.so
this information is taken from LDAP + local files.

Anyway this doesn't work, I had to modify the file pam_unix_acct.c
(Linux-PAM-0.72) that in the lines 129-136 states:


   129                  }
   130  
   131          } else if (!strcmp( pwent->pw_passwd, "x" )) {
   132                  spent = getspnam(uname);
   133          } else {
   134                  return PAM_SUCCESS;
   135          }
   136  

into

   129                  }
   130  
   131          } else if (strcmp( pwent->pw_passwd, "x" )) {
   132                  spent = getspnam(uname);
   133          } else {
   134                  return PAM_SUCCESS;
   135          }
   136  

since if the call for getpwent returns an x in the password field I want
to look into the shadow password.

Without this change I was always granted access to shadow users (since
nss_ldap correctly returns an x if the user is in the shadow). With this
modification everything works. Anyway, since I don't know the whole code I
wonder if someone can tell if this is really a bug or my problem is
elsewhere.

Thanks,
Giuseppe
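
The following C program is an added example, not part of the original message and not Linux-PAM code: it models the branch on line 131 of both listings to show which pw_passwd values reach the shadow expiry test under each condition. The names cond_first, cond_second, acct_check and shadow_db, the return-code stand-ins and the sample data are assumptions constructed for illustration, and the expiry comparison is simplified.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for PAM_SUCCESS / PAM_ACCT_EXPIRED (values constructed here). */
enum { ACCT_SUCCESS = 0, ACCT_EXPIRED = 1 };

/* Constructed shadow data: expiry as days since 1970-01-01, -1 = never. */
struct shadow_entry { const char *name; long expire_day; };
static const struct shadow_entry shadow_db[] = {
    { "alice", -1 }, { "bob", 10000 },
};

static const struct shadow_entry *lookup_shadow(const char *name) {
    for (size_t i = 0; i < sizeof shadow_db / sizeof shadow_db[0]; i++)
        if (strcmp(shadow_db[i].name, name) == 0)
            return &shadow_db[i];
    return NULL;
}

/* Condition on line 131 of the first listing: true when the field IS "x". */
int cond_first(const char *pw_passwd)  { return !strcmp(pw_passwd, "x"); }
/* Condition on line 131 of the second listing: true when it is NOT "x". */
int cond_second(const char *pw_passwd) { return strcmp(pw_passwd, "x") != 0; }

/* Simplified account check: consult shadow only if cond() holds,
 * otherwise return success without any expiry test. */
int acct_check(const char *name, const char *pw_passwd, long today,
               int (*cond)(const char *)) {
    const struct shadow_entry *sp;
    if (!cond(pw_passwd))
        return ACCT_SUCCESS;
    sp = lookup_shadow(name);
    if (sp && sp->expire_day != -1 && today > sp->expire_day)
        return ACCT_EXPIRED;
    return ACCT_SUCCESS;
}

int main(void) {
    /* Constructed password fields: shadow marker and a placeholder hash. */
    const char *fields[] = { "x", "$1$constructed" };
    for (int i = 0; i < 2; i++)
        printf("pw_passwd=%-16s first=%d second=%d\n", fields[i],
               acct_check("bob", fields[i], 11000, cond_first),
               acct_check("bob", fields[i], 11000, cond_second));
    return 0;
}
```

Any path that returns success before the shadow lookup skips the expiry test entirely, so it is worth logging which branch an account check took when diagnosing unexpected grants.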










