Stackable modules and NSS

Michael Chang miranda at ion.uranus.com
Fri Feb 20 20:08:55 UTC 2004


Wayne,


On Thu, 19 Feb 2004, Wayne Gowcher wrote:

[snip...]

|> The key point I have noted here is that getpnam /
|> getspnam looks up a password according to user name.
|> In my case user joe exists in both the local database
|> and in the ldap database, BUT ( rightly or wrongly )
|> has DIFFERENT passwords. Nss doesn't know joe has
|> different passwords, all it knows is that every time
|> someone calls it asking for user joe's password, nss
|> looks up the user in its databases according to the
|> order set in nsswitch.conf. So in this case, Nss will
|> always choose the first ( _nss_ldap_getpnam ) and so
|> when pam unix tries to verify the password returned by
|> getpnam against what the user typed in, it will always
|> fail.

But what is the proper behaviour for NSS when a particular
module fails?  Is it really supposed to return a failure
status for the entire "stack," or is it supposed to try
the next module if the previous one failed?

It would seem logical for NSS to try the next module (assuming
one exists inside nsswitch.conf).

If I had to take a stab at it, I would put the following
inside of nsswitch.conf:
 passwd: files [!SUCCESS=continue] ldap
 shadow: files [!SUCCESS=continue] ldap


Does that make sense?


HTW (Hope That Works),
Michael
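How glibc walks the sources on a nsswitch.conf line, as an added example that is not part of this thread: it implements the [STATUS=action] rules and defaults from nsswitch.conf(5), and the per-source outcomes for "joe" are constructed to mirror the scenario discussed above.

```python
"""Walk a nsswitch.conf line the way glibc does (added example, not from the thread).
Defaults and [STATUS=action] syntax follow nsswitch.conf(5): SUCCESS=return,
NOTFOUND=continue, UNAVAIL=continue, TRYAGAIN=continue; '!' negates the status."""
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}
TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")   # bracketed action block or bare source name

def parse_line(line):
    """Return [(source, {status: action}), ...] for one 'db: src [acts] src' line."""
    spec = line.partition(":")[2].split("#")[0]          # drop db name and comment
    sources = []
    for block, word in TOKEN.findall(spec):
        if word:                                           # a source such as files/ldap
            if word.startswith("["):
                raise ValueError(f"unterminated action block: {word!r}")
            sources.append((word, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("action block must follow a source")
        for item in block.split():                         # e.g. '!SUCCESS=continue'
            status, _, action = item.partition("=")
            negate = status.startswith("!")
            status, action = status.lstrip("!").upper(), action.lower()
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError(f"bad action {item!r}")
            # '!STATUS' applies to every status except the named one
            for s in (x for x in STATUSES if (x != status) == negate):
                sources[-1][1][s] = action
    return sources

def lookup(line, outcomes):
    """Consult sources in order; `outcomes` maps source -> status it reports.
    Returns (final_status, source_that_produced_it, sources_consulted)."""
    consulted, status, answered_by = [], "UNAVAIL", None
    for source, actions in parse_line(line):
        status = outcomes.get(source, "UNAVAIL")          # missing module -> UNAVAIL
        consulted.append(source)
        answered_by = source
        if actions[status] == "return":                    # default: stop on SUCCESS
            break
    return status, answered_by, consulted

if __name__ == "__main__":
    both = {"files": "SUCCESS", "ldap": "SUCCESS"}         # constructed: joe in both
    print(lookup("passwd: ldap files", both))              # ldap answers, files never asked
    print(lookup("passwd: files [!SUCCESS=continue] ldap", both))  # files answers
```

Because `[!SUCCESS=continue]` only restates the defaults, the first source that reports SUCCESS ends the walk, so the later source is never consulted and a password mismatch seen by PAM cannot fall through to it at the NSS layer.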

