Stackable modules and NSS
Wayne Gowcher
wgowcher at yahoo.com
Fri Feb 20 03:46:06 UTC 2004
> With pam_ldap being called first in PAM, it should
> query the pam_ldap
The scheme I am trying to set up is one in which the
user can set any order of authentication modules. So I
can't guarantee pam_ldap being first.
From my inspection of pam_unix and pam_ldap, I see
both modules calling getpnam or getspnam according to
the type of encryption of the password.
getpnam / getspnam are "gate functions" for whichever
Name Switch Service function has been selected, for
example :
when I set nsswitch.conf to
passwd: ldap files
It is equivalent to :
getpnam -> _nss_ldap_getpnam
-> getpnam ( glibc provided )
But if I set nsswitch.conf to
passwd: files ldap
It is equivalent to
getpnam -> getpnam ( glibc provided )
-> _nss_ldap_getpnam
The key point I have noted here is that getpnam /
getspnam looks up a password according to user name.
In my case user joe exists in both the local database
and in the ldap database, BUT ( rightly or wrongly )
has DIFFERENT passwords. Nss doesn't know joe has
different passwords, all it knows is that every time
someone calls it asking for user joe's password, nss
looks up the user in its databases according to the
order set in nsswitch.conf. So in this case, Nss will
always choose the first ( _nss_ldap_getpnam ) and so
when pam unix tries to verify the password returned by
getpnam against what the user typed in, it will always
fail.
Which is back to my original posting. Does anyone know
a way around this ?
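A small simulation of the lookup order described in this post, added here as an example and not part of the original mail: two constructed in-memory backends ("files" and "ldap") both hold user joe with different password hashes, `nss_lookup` walks the sources from a `passwd:` line the way the NSS chain does, and `pam_unix_verify` checks a typed password against whatever hash comes back first. The function names, the salted SHA-256 stand-in for crypt(3) and the sample hashes are assumptions made for the demo.

```python
import hashlib
import hmac

# Stand-in for crypt(3) (assumption): salted SHA-256 so the demo runs offline.
def hash_password(password: str, salt: str) -> str:
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def verify_password(password: str, stored: str) -> bool:
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, salt), stored)

# Constructed data: joe exists in both backends with DIFFERENT passwords.
FILES_DB = {"joe": hash_password("local-secret", "f1")}   # local files side
LDAP_DB = {"joe": hash_password("ldap-secret", "l1")}     # LDAP side
SOURCES = {"files": FILES_DB, "ldap": LDAP_DB}

def parse_nsswitch_passwd(line: str) -> list:
    """Return the ordered source list from a 'passwd:' nsswitch.conf line."""
    db, _, sources = line.partition(":")
    if db.strip() != "passwd":
        raise ValueError("expected a passwd: line")
    return sources.split()

def nss_lookup(user: str, order: list):
    """First-match lookup by user name, as getspnam() does through NSS.

    NSS does not know joe has two passwords; it returns the first entry
    found in the configured order and stops.
    """
    for source in order:
        entry = SOURCES[source].get(user)
        if entry is not None:
            return source, entry
    return None, None

def pam_unix_verify(user: str, typed: str, nsswitch_line: str):
    """pam_unix style check: compare the typed password with the NSS hash.

    Returns (source that answered, verification result).
    """
    source, stored = nss_lookup(user, parse_nsswitch_passwd(nsswitch_line))
    if stored is None:
        return source, False
    return source, verify_password(typed, stored)

if __name__ == "__main__":
    # With 'ldap files' pam_unix only ever sees the LDAP hash, so joe's
    # correct local password fails; reversing the order makes it pass.
    print(pam_unix_verify("joe", "local-secret", "passwd: ldap files"))  # ('ldap', False)
    print(pam_unix_verify("joe", "local-secret", "passwd: files ldap"))  # ('files', True)
```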