
Re: sufficient account management checking for locally defined users



>>>>> "Luke" == Luke Howard <lukeh@PADL.COM> writes:

    >> *console* of a machine.  That machine only has pam_ldap
    >> configured for SSH.  The only relevant thing in the
    >> configuration for login is pam_unix.  The login took 30 seconds
    >> while LDAP timed out.

    Luke> These timelimits are configurable in ldap.conf, but
    Luke> different LDAP client libraries honour these to different
    Luke> degrees.

True.  However, I should have re-cited something I wrote further back
in the thread:

    Martin> The reason I want to do this is that I don't want pam_ldap
    Martin> to be used at all when my locally defined users are
    Martin> logging in.  I see this as a sensible policy that promotes
    Martin> reliability.  For example, I will always be able to log in as
    Martin> root, without delay, even if my network is down, pam_ldap
    Martin> is broken or, worse still, if there's a bug in libldap*
    Martin> that causes a SIGSEGV.  I don't want to run code that is
    Martin> irrelevant to my locally defined users, particularly root.

I suspect that no matter what the timeouts are set to, a serious bug
in libldap* will mean that they won't be honoured at all...  :-(

Hmmm, I suppose login probably crashes very quickly...  :-)

In a previous reply to Sam I commented that we're getting close to a
solution.  Given pam_unix's reliance on NSS (and therefore, in my
case, on LDAP) for (building the group list for) locally defined
users, I no longer think this is true.  pam_unix is too general to be
useful for being able to reliably log in as my locally defined users,
particularly root.

If I implement a local_only option on pam_unix might it be accepted
into pam_unix?  Please?  Andrew?

peace & happiness,
martin
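The crux of the message above is that pam_unix resolves even locally defined users through NSS (getpwnam() and initgroups()), so a slow or crashing LDAP backend is still in the code path for root. The following is an added example, not code from the thread or from Linux-PAM, sketching what a hypothetical local_only lookup would have to do instead: read /etc/passwd and /etc/group directly and build the supplementary group list the way initgroups() does, without ever touching NSS. The passwd and group contents are constructed sample data embedded inline; the function names are assumptions.

```python
"""Resolve a user and their group list from local files only (no NSS).

Added example, not from the thread or from Linux-PAM.  It models what a
hypothetical pam_unix 'local_only' option would need: consult the passwd
and group files directly instead of going through getpwnam()/initgroups(),
so that a broken or slow NSS backend (LDAP here) cannot delay or crash the
login of a locally defined user such as root.
"""

from dataclasses import dataclass, field

# Constructed sample files, not copied from any real system.
PASSWD = """\
# constructed sample passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
martin:x:1000:1000:Martin:/home/martin:/bin/bash
+::::::
"""

GROUP = """\
# constructed sample group file
root:x:0:
wheel:x:10:root,martin
users:x:100:martin
martin:x:1000:
"""


@dataclass
class LocalUser:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    groups: list = field(default_factory=list)  # gids, as initgroups() would build


def parse_passwd(text):
    """Return {name: LocalUser} for the genuinely local entries of a passwd file."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # NIS/compat '+'/'-' entries delegate to a directory; they are not local.
        if line.startswith(("+", "-")):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = LocalUser(name, int(uid), int(gid), home, shell)
    return users


def parse_groups(text):
    """Return {group_name: (gid, set_of_member_names)} from a group file."""
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "+", "-")):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"group line {lineno}: expected 4 fields, got {len(fields)}")
        name, _pw, gid, members = fields
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def lookup_local(name, passwd_text=PASSWD, group_text=GROUP):
    """Local-only lookup: None if the user is not in the passwd file.

    The group list mirrors initgroups(): the primary gid plus every group
    that names the user as a member.  Nothing here can block on the network.
    """
    user = parse_passwd(passwd_text).get(name)
    if user is None:
        return None
    gids = {user.gid}
    for gid, members in parse_groups(group_text).values():
        if name in members:
            gids.add(gid)
    user.groups = sorted(gids)
    return user


if __name__ == "__main__":
    for who in ("root", "martin", "ldapuser"):
        u = lookup_local(who)
        print(who, "->", "not local (would go to pam_ldap)" if u is None else u)
```

A module option built on this lookup would return PAM_USER_UNKNOWN for anyone not found locally, leaving pam_ldap to handle directory users, while root and other local accounts never enter the LDAP code path at all. The same idea can be approximated in a PAM stack today by gating pam_ldap on a local-user test, but the point of the message is that pam_unix itself still reaches NSS for the group list, which this example avoids.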