Stackable modules and NSS
Wayne Gowcher
wgowcher at yahoo.com
Thu Feb 19 22:55:38 UTC 2004
Hi,

I am implementing an authentication scheme using stackable modules - in this case pam_unix & pam_ldap. In most cases everything works fine, but I have one case (and maybe some would consider a non-valid case) where authentication fails even though the entered password was correct. The case is as follows:

You have a common user (call him joe) defined locally and in the ldap database. You set joe's local password to joelocal, and joe's ldap password to joeldap. You set pam_ldap as the first method of authentication in pam.d/login, and you set ldap as the first Name Switch Service to be used in etc/nsswitch.conf.

With the above, when I log in as user joe, but with joe's LOCAL password, authentication FAILS, even though the password is CORRECT.

I believe I have traced this failure down to the following:

pam_ldap tries to authenticate joe, with username = joe, and password = joelocal. This of course fails and so PAM passes authentication to the next level for pam_unix to have a go.

pam_unix calls getspnam() and because ldap is set as the first service in etc/nsswitch.conf:

ldap files

nss retrieves joe's ldap password joeldap. pam_unix uses this password to compare with the joelocal password the user typed in, and authentication fails. :(

I believe this is how it is supposed to work, but what I am really interested in knowing is, is there any way to make nss behave more like PAM? That is, how can I make nss return joe's local password if joe's ldap password already failed?

One kludge that I can think of is to remove the generic getspnam (getpnam) calls in pam_unix & pam_ldap and replace them with functions such as getspnam_ldap, getspnam_local etc.

Any thoughts/comments welcome.
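As an added illustration (not part of the post above), a small Python model of the two lookup semantics the post contrasts: NSS answers a name lookup from the first source in nsswitch.conf order and never consults the rest, while PAM gives each stacked module its own authentication attempt. It assumes pam_ldap checks the password against the directory itself (as an LDAP bind does) rather than through getspnam(), and the shadow data and hashing are constructed stand-ins, not real credentials.

```python
import hashlib

# Constructed sample data standing in for /etc/shadow and the LDAP directory
# (the post's joe / joelocal / joeldap scenario). Hashes are illustrative only.
def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()  # stand-in for a crypt(3) hash

SHADOW_SOURCES = {
    "files": {"joe": _h("joelocal")},
    "ldap":  {"joe": _h("joeldap")},
}

def nss_getspnam(name, nss_order):
    """NSS semantics: walk the sources in nsswitch.conf order and return the
    entry from the FIRST source that has the name. Later sources are never
    asked, even if the caller ends up rejecting what it got."""
    for src in nss_order:
        if name in SHADOW_SOURCES[src]:
            return src, SHADOW_SOURCES[src][name]
    return None

def pam_unix_auth(user, password, nss_order):
    """pam_unix has no idea which source answered: it compares the typed
    password against whatever getspnam() handed back."""
    entry = nss_getspnam(user, nss_order)
    return entry is not None and entry[1] == _h(password)

def pam_ldap_auth(user, password):
    """pam_ldap verifies against the directory directly (modelled here as a
    lookup in the ldap source, standing in for a bind), so nsswitch.conf
    ordering does not affect it."""
    return SHADOW_SOURCES["ldap"].get(user) == _h(password)

def pam_stack_auth(user, password, nss_order):
    """PAM semantics: modules stacked as 'sufficient', each gets its own try.
    Returns the name of the module that accepted the password, or None."""
    for module in ("pam_ldap", "pam_unix"):
        ok = (pam_ldap_auth(user, password) if module == "pam_ldap"
              else pam_unix_auth(user, password, nss_order))
        if ok:
            return module
    return None

if __name__ == "__main__":
    for order in (("ldap", "files"), ("files", "ldap")):
        for pw in ("joeldap", "joelocal"):
            print(order, pw, "->", pam_stack_auth("joe", pw, order))
```

With `ldap files` the local password fails exactly as the post describes; with `files ldap` both passwords are accepted, because pam_ldap never depended on getspnam() in the first place, so only pam_unix's view of joe changes.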