PAM modules violating PAM architecture?, e.g. mod_auth_pam

Jed Donnelley jed at nersc.gov
Wed Oct 6 21:51:43 UTC 2004


At 02:28 PM 10/6/2004, Tony den Haan wrote:
>On Wednesday 06 October 2004 20:44, Jed Donnelley wrote:
>
> > As I understand the PAM architecture (as on the diagram above) this should
> > work to use with apache authentication being forwarded to LDAP.  However, I
> > found that
> > I needed to include:
> >
> > passwd:    files ldap
> > group:       files ldap
> >
> > in my /etc/nsswitch.conf file to get it to function.  This meant I couldn't
> > use it in my system as it forced all sorts of LDAP users and groups to
> > be on the system (e.g. for login, file access, etc., etc.) that should not
> > be on the system.
>
>nopes,

?

>you need nss_ldap for that, which comes from the same padl.com
>people who wrote pam_ldap.

Correct, but of course I have nss_ldap functioning and I need to
do so if those calls to getpwnam and getgrnam are going to function
for the users and groups that are only visible through LDAP.

The bottom line is the way mod_auth_pam is coded, getpwnam and
getgrnam must function for the users/groups that I want to authenticate
from apache with mod_auth_pam.  For those functions to work for those
users/groups the users/groups must appear as if they are in
/etc/passwd and /etc/group - e.g. by use of lib_nss and nss_ldap.

--Jed http://www.nersc.gov/~jed/ 
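As an added illustration (not code from this thread or from mod_auth_pam itself), here is a C function that performs the same user-then-group resolution that mod_auth_pam relies on: if getpwnam() or getgrnam() cannot see the account, the check fails before PAM is ever consulted. It assumes a glibc/NSS system where both calls are routed by /etc/nsswitch.conf; the group-membership logic is a simplified version of what a "require group" rule needs.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Mimics the dependency described above: before a "require group" rule
 * can be evaluated, the user must resolve through getpwnam() and the
 * group through getgrnam(). Both calls go through NSS (nsswitch.conf),
 * so an account that exists only in LDAP is invisible here unless the
 * passwd/group lines list "ldap", regardless of what pam_ldap could do.
 * Returns: 1 member, 0 not a member, -1 user not resolvable,
 * -2 group not resolvable. */
int nss_group_check(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);   /* NSS lookup: files, ldap, ... */
    if (pw == NULL)
        return -1;
    gid_t primary_gid = pw->pw_gid;       /* copy before the next NSS call */

    struct group *gr = getgrnam(group);   /* second NSS lookup */
    if (gr == NULL)
        return -2;

    /* primary group: the gid stored in the passwd entry */
    if (primary_gid == gr->gr_gid)
        return 1;

    /* supplementary membership: the group's member list */
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;

    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user group\n", argv[0]);
        return 2;
    }
    int r = nss_group_check(argv[1], argv[2]);
    printf("%s in %s: %d\n", argv[1], argv[2], r);
    return r == 1 ? 0 : 1;
}
```

Running it against an LDAP-only user with and without "ldap" on the passwd/group lines of nsswitch.conf shows the -1/-2 results turning into 0/1, which is exactly the system-wide visibility trade-off the message describes.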



