[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: sufficient account management checking for locally defined users



>>>>> "Steve" == Steve Langasek <vorlon@netexpress.net> writes:

    >> However, I started this thread using almost exactly the same
    >> example, except for account modules.  That doesn't work...  :-(

    Steve> IIRC, pam_ldap should not be invoked in the above for any
    Steve> accounts that successfully authenticate using pam_unix.  At
    Steve> the very least, Linux-PAM makes it possible to ensure
    Steve> pam_ldap is not invoked, via its extended configuration
    Steve> syntax.

    Steve> auth  [success=done default=ignore] pam_unix.so
    Steve> auth  required                      pam_ldap.so use_first_pass

    Steve> This guarantees that pam_ldap will not be invoked if
    Steve> pam_unix succeeds.

I know I'm getting boring, but:

  However, I started this thread using almost exactly the same
  example, except for *account* modules.  That doesn't work...  :-(

That is s/auth/account/ and it doesn't work.

    Steve> The one slowdown will be with initgroups() (yes, I meant
    Steve> initgroups() earlier, not getgroups()).  There's no way
    Steve> around that; you can lower your timeouts in nss_ldap, or
    Steve> you can modify your login app to not call initgroups().

There is a slowdown if you use pam_unix_account, because it does its
account checking via NSS.  What's worse, if you are a remotely defined
user (for example, in an LDAP directory), when it finds you (via NSS)
it will probably succeed and following modules will not be invoked (if
you use sufficient or [success=done]).  

Before I understood the initgroups() problem, this was my major
complaint... 

peace & happiness,
martin





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []