Stackable modules and NSS

Joe Lewis joe at joe-lewis.com
Thu Feb 19 23:43:46 UTC 2004


With pam_ldap being called first in PAM, it should query the pam_ldap 
password first.  When that fails, the user has either entered the wrong 
password or entered the local password.

pam_ldap should never even think about using NSS to verify the password. 
That would defeat the purpose of the pam_ldap module.  Try putting the 
user first, and see if they can log in with both passwords.

Joe

Wayne Gowcher wrote:

> Thanks for the reply Joe.
> 
> Sorry I forgot to mention that in my authentication
> scheme, the user is free to set ldap before local or
> local before ldap. So putting files before ldap would
> not work in the case where a user types in the ldap
> password for joe, since NSS would return joe's local
> password.
> 
> 
> 
> --- Joe Lewis <joe at joe-lewis.com> wrote:
> 
>>Try putting files before ldap :
>>
>>   files ldap
>>
>>And see if that aids you.  Of course, they will have
>>the local permissions, but that is kinda what you
>>wanted, right?
>>
>>Joe (the real joe)
>>
>>Wayne Gowcher wrote:
>>
>>
>>>Hi,
>>>
>>>I am implementing an authentication scheme using
>>>stackable modules - in this case pam_unix & pam_ldap.
>>>In most cases everything works fine, but I have one
>>>case ( and maybe some would consider a non valid case
>>>) where authentication fails even though the entered
>>>password was correct. The case is as follows :
>>>
>>>You have a common user - call him joe defined locally
>>>and in the ldap database.
>>>
>>>You set joe's local password to joelocal, and joe's
>>>ldap password to joeldap.
>>>
>>>You set pam_ldap as the first method of authentication
>>>in pam.d/login, and you set ldap as the first Name
>>>Switch Service to be used in etc/nsswitch.conf.
>>>
>>>With the above, when I login as user joe, but with
>>>joe's LOCAL password, authentication FAILS, even
>>>though the password is CORRECT.
>>>
>>>I believe I have traced this failure down to the
>>>following :
>>>
>>>pam_ldap tries to authenticate joe, with username =
>>>joe, and password = joelocal. This of course fails and
>>>so PAM passes authentication to the next level for
>>>pam_unix to have a go.
>>>
>>>pam_unix calls getspnam() and because ldap is set as
>>>the first service in etc/nsswitch.conf :
>>>
>>>   ldap files
>>>
>>>nss retrieves joe's ldap password joeldap. pam_unix
>>>uses this password to compare with the joelocal
>>>password the user typed in, and authentication fails.
>>>:(
>>>
>>>I believe this is how it is supposed to work, but what
>>>I am really interested in knowing is, is there any way
>>>to make nss behave more like PAM ? That is, how can I
>>>make nss return joe's local password if joe's ldap
>>>password already failed ?
>>>
>>>One kludge that I can think of, is to remove the
>>>generic getspnam (getpwnam) calls in pam_unix &
>>>pam_ldap and replace them with functions such as
>>>getspnam_ldap, getspnam_local etc.
>>>
>>>Any thoughts comments welcome.
>>>
>>>_______________________________________________
>>>Pam-list mailing list
>>>Pam-list at redhat.com
>>>https://www.redhat.com/mailman/listinfo/pam-list
> 
> 
> 
> 
> 
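The interaction the thread describes (a PAM stack of pam_ldap then pam_unix, with NSS walking `ldap files` and returning only the first match for `getspnam()`) can be modelled in a few lines. The example below is added here and is not code from the thread's authors or from the PAM, nss_ldap or pam_ldap projects. It follows Joe's description of pam_ldap (it checks the directory directly, not via NSS) and constructs two backends that both hold `joe` with different passwords, exactly as in the original report; the hashing helper is a stand-in for `crypt(3)`, and the module and source names are the thread's. It goes a little beyond the single reported case by taking both the PAM module order and the nsswitch source order as parameters, so each combination can be checked.

```python
"""Model of PAM module stacking versus NSS first-match lookup.

Constructed example (not PAM/pam_ldap/nss_ldap code). Two backends hold the
user 'joe': a local shadow file with password 'joelocal' and an LDAP
directory with password 'joeldap'. pam_ldap checks the directory directly;
pam_unix checks whatever getspnam() returns, and getspnam() walks the
nsswitch.conf sources in order and returns only the FIRST entry found.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in for crypt(3); constructed, not the real shadow hash format.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_entry(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def check(entry: dict, password: str) -> bool:
    # Constant-time comparison of the candidate hash against the stored one.
    return hmac.compare_digest(_hash(password, entry["salt"]), entry["hash"])


# Constructed backends: the same account exists in both, as in the thread.
LOCAL_SHADOW = {"joe": make_entry("joelocal")}
LDAP_DIR = {"joe": make_entry("joeldap")}
SOURCES = {"files": LOCAL_SHADOW, "ldap": LDAP_DIR}


def getspnam(user: str, nsswitch_order):
    """NSS-style lookup: first source that knows the user wins, the rest
    are never consulted. Returns (source_name, entry) or (None, None)."""
    for src in nsswitch_order:
        entry = SOURCES[src].get(user)
        if entry is not None:
            return src, entry
    return None, None


def pam_ldap_auth(user: str, password: str, nsswitch_order) -> bool:
    # Binds against the directory itself; nsswitch.conf plays no part.
    entry = LDAP_DIR.get(user)
    return entry is not None and check(entry, password)


def pam_unix_auth(user: str, password: str, nsswitch_order) -> bool:
    # Compares against whichever hash getspnam() handed back.
    _src, entry = getspnam(user, nsswitch_order)
    return entry is not None and check(entry, password)


MODULES = {"pam_ldap": pam_ldap_auth, "pam_unix": pam_unix_auth}


def pam_auth_stack(user: str, password: str,
                   pam_order=("pam_ldap", "pam_unix"),
                   nsswitch_order=("ldap", "files")):
    """A stack of 'sufficient' modules: the first module that succeeds
    decides; if none does, authentication fails. Returns the name of the
    module that accepted the password, or None."""
    for name in pam_order:
        if MODULES[name](user, password, nsswitch_order):
            return name
    return None


def reproduce_report() -> dict:
    """The thread's configuration: pam_ldap first, 'ldap files' in NSS."""
    return {
        "joeldap": pam_auth_stack("joe", "joeldap"),   # accepted by pam_ldap
        "joelocal": pam_auth_stack("joe", "joelocal"), # the reported failure
    }


if __name__ == "__main__":
    print("ldap files :", reproduce_report())
    print("files ldap :", {
        pw: pam_auth_stack("joe", pw, nsswitch_order=("files", "ldap"))
        for pw in ("joeldap", "joelocal")
    })
```

Running it shows why the report is not a bug in either module: with `ldap files`, `getspnam("joe")` returns the directory entry, so pam_unix compares `joelocal` against the LDAP hash and fails, and nothing on the stack ever sees the local hash. With `files ldap` both passwords pass (pam_ldap for `joeldap`, pam_unix for `joelocal`) because pam_ldap does not go through NSS. From a defender's view the underlying issue is the same account existing in two sources with different credentials: whichever source wins the NSS lookup silently decides which password pam_unix can verify, so the reachable credential set depends on a configuration file rather than on policy, and avoiding duplicate accounts across sources removes the ambiguity.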
