Stackable modules and NSS

Wayne Gowcher wgowcher at yahoo.com
Fri Feb 20 03:46:06 UTC 2004


> With pam_ldap being called first in PAM, it should
> query the pam_ldap 

The scheme I am trying to set up is one in which the
user can set any order of authentication modules. So I
can't guarantee pam_ldap being first.

From my inspection of pam_unix and pam_ldap, I see
both modules calling getpwnam or getspnam according to
the type of encryption of the password.

getpwnam / getspnam are "gate functions" for whichever
Name Switch Service function has been selected, for
example:

When I set nsswitch.conf to

passwd: ldap files

it is equivalent to:

getpwnam -> _nss_ldap_getpwnam
         -> getpwnam ( glibc provided )

But if I set nsswitch.conf to

passwd: files ldap

it is equivalent to:

getpwnam -> getpwnam ( glibc provided )
         -> _nss_ldap_getpwnam

The key point I have noted here is that getpwnam /
getspnam looks up a password according to user name.
In my case user joe exists in both the local database
and in the ldap database, BUT ( rightly or wrongly )
has DIFFERENT passwords. NSS doesn't know joe has
different passwords; all it knows is that every time
someone calls it asking for user joe's password, NSS
looks up the user in its databases according to the
order set in nsswitch.conf. So in this case, NSS will
always choose the first ( _nss_ldap_getpwnam ) and so
when pam_unix tries to verify the password returned by
getpwnam against what the user typed in, it will always
fail.

Which is back to my original posting. Does anyone know
a way around this?



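As an added illustration (not part of the original post), here is a small Python model of the lookup behaviour described above: the `files` and `ldap` backends, the salted-SHA-512 hash scheme and user `joe`'s two passwords are all constructed stand-ins for /etc/shadow, the LDAP directory and crypt(3).

```python
"""Model of how nsswitch.conf order decides which 'joe' pam_unix sees.

Constructed example: the two backends (files, ldap) are in-memory dicts
standing in for /etc/shadow and the LDAP directory; the hash is a salted
SHA-512 standing in for the real crypt(3) scheme.
"""
import hashlib


def make_hash(password: str, salt: str) -> str:
    """Toy crypt(3) stand-in producing '$salt$hexdigest' (not a real scheme)."""
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"${salt}${digest}"


def check_hash(password: str, stored: str) -> bool:
    """Re-hash the typed password with the stored salt and compare, as pam_unix does via crypt()."""
    _, salt, _ = stored.split("$")
    return make_hash(password, salt) == stored


# Constructed databases: joe exists in both, with DIFFERENT passwords.
FILES_DB = {"joe": make_hash("local-secret", "f1le")}
LDAP_DB = {"joe": make_hash("ldap-secret", "ld4p")}
BACKENDS = {"files": FILES_DB, "ldap": LDAP_DB}


def getspnam(user: str, nsswitch_order: str):
    """NSS 'gate function': try each backend in nsswitch.conf order, return the first hit."""
    for source in nsswitch_order.split():
        entry = BACKENDS[source].get(user)
        if entry is not None:
            return source, entry
    return None, None


def pam_unix_authenticate(user: str, typed_password: str, nsswitch_order: str):
    """pam_unix-style check: verify the typed password against whatever getspnam returned."""
    source, stored = getspnam(user, nsswitch_order)
    if stored is None:
        return False, "user unknown"
    return check_hash(typed_password, stored), f"hash came from {source}"


if __name__ == "__main__":
    # joe types his LOCAL password; only the 'files ldap' order lets pam_unix accept it.
    for order in ("ldap files", "files ldap"):
        ok, why = pam_unix_authenticate("joe", "local-secret", order)
        print(f"passwd: {order:<11} local password accepted={ok} ({why})")
```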





More information about the Pam-list mailing list