Stackable modules and NSS

Wayne Gowcher wgowcher at yahoo.com
Thu Feb 19 23:21:18 UTC 2004


Thanks for the reply Joe.

Sorry I forgot to mention that in my authentication
scheme, the user is free to set ldap before local or
local before ldap. So putting files before ldap would
not work in the case where a user types in the ldap
password for joe, since NSS would return joe's local
password.



--- Joe Lewis <joe at joe-lewis.com> wrote:
> Try putting files before ldap :
> 
>    files ldap
> 
> And see if that aids you.  Of course, they will have the local
> permissions, but that is kinda what you wanted, right?
> 
> Joe (the real joe)
> 
> Wayne Gowcher wrote:
> 
> > Hi,
> > 
> > I am implementing an authentication scheme using stackable
> > modules - in this case pam_unix & pam_ldap.
> > In most cases everything works fine, but I have one case (and
> > maybe some would consider a non valid case) where authentication
> > fails even though the entered password was correct. The case is
> > as follows :
> > 
> > You have a common user - call him joe - defined locally and in
> > the ldap database.
> > 
> > You set joe's local password to joelocal, and joe's ldap password
> > to joeldap.
> > 
> > You set pam_ldap as the first method of authentication in
> > pam.d/login, and you set ldap as the first Name Switch Service to
> > be used in etc/nsswitch.conf.
> > 
> > With the above, when I login as user joe, but with joe's LOCAL
> > password, authentication FAILS, even though the password is
> > CORRECT.
> > 
> > I believe I have traced this failure down to the following :
> > 
> > pam_ldap tries to authenticate joe, with username = joe, and
> > password = joelocal. This of course fails and so PAM passes
> > authentication to the next level for pam_unix to have a go.
> > 
> > pam_unix calls getspnam() and because ldap is set as the first
> > service in etc/nsswitch.conf :
> > 
> >    ldap files
> > 
> > nss retrieves joe's ldap password joeldap. pam_unix uses this
> > password to compare with the joelocal password the user typed
> > in, and authentication fails. :(
> > 
> > I believe this is how it is supposed to work, but what I am
> > really interested in knowing is, is there any way to make nss
> > behave more like PAM? That is, how can I make nss return joe's
> > local password if joe's ldap password already failed?
> > 
> > One kludge that I can think of is to remove the generic getspnam
> > (getpnam) calls in pam_unix & pam_ldap and replace them with
> > functions such as getspnam_ldap, getspnam_local etc.
> > 
> > Any thoughts comments welcome.
> > 
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pam-list
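As an added illustration (not code from this thread or from the PAM/NSS projects), the following Python model reproduces the interaction Wayne traced: NSS consults the sources in nsswitch.conf order and returns the first match, and pam_unix compares the typed password against whatever hash that lookup returns, so with `ldap files` the local password can never satisfy pam_unix. The user data, the hash function, the module names and the "first success wins" stack semantics are constructed stand-ins for the real components.

```python
import hashlib

# Constructed sample data: the same user "joe" exists in both sources with
# different passwords, exactly the situation described in the thread.
def _hash(pw):
    # Stand-in for a crypt(3) hash; a real system stores a salted crypt hash.
    return hashlib.sha256(pw.encode()).hexdigest()

SHADOW_FILES = {"joe": _hash("joelocal")}   # /etc/shadow entry (constructed)
SHADOW_LDAP = {"joe": _hash("joeldap")}     # LDAP userPassword (constructed)
SOURCES = {"files": SHADOW_FILES, "ldap": SHADOW_LDAP}

def getspnam(user, nss_order):
    """Model of the NSS lookup: walk the nsswitch.conf sources in order and
    return the hash from the first source that knows the user."""
    for src in nss_order:
        if user in SOURCES[src]:
            return SOURCES[src][user]
    return None

def pam_ldap(user, password):
    """Model of pam_ldap: checks the password against the directory only."""
    return SHADOW_LDAP.get(user) == _hash(password)

def pam_unix(user, password, nss_order):
    """Model of pam_unix: it has no source of its own and trusts NSS."""
    stored = getspnam(user, nss_order)
    return stored is not None and stored == _hash(password)

def pam_auth(user, password, pam_stack, nss_order):
    """Model of a stack of 'sufficient' modules: the first module that
    accepts the password wins; returns its name, or None on failure."""
    for module in pam_stack:
        if module == "pam_ldap":
            ok = pam_ldap(user, password)
        else:
            ok = pam_unix(user, password, nss_order)
        if ok:
            return module
    return None

if __name__ == "__main__":
    stack = ["pam_ldap", "pam_unix"]   # pam_ldap first, as in Wayne's setup
    for nss in (["ldap", "files"], ["files", "ldap"]):
        for pw in ("joelocal", "joeldap"):
            print("nss=%-14s password=%-8s -> %s" % (nss, pw, pam_auth("joe", pw, stack, nss)))
```

With `ldap files` the typed local password is rejected by both modules (the thread's failure); with `files ldap` pam_unix sees the local hash and accepts it, while the ldap password still succeeds via pam_ldap.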

