
Re: Deprecating pam_stack.so



On Tuesday 11 October 2005 06:06pm, Bernardo Innocenti wrote:
> Tomas Mraz wrote:
> > Linux-PAM 0.78 and later contains include directive which obsoletes
> > using the pam_stack module. This module is rather a hack as it requires
> > access to pam library internals for its operation and will never be
> > accepted to upstream.
>
> Thank you.  Simplifying PAM configuration was badly needed.
>
> I have a few wishlist entries to submit, if you have time to
> consider them:
>
>  - For some reason, pam_ldap interacts strangely with pam_unix.
>    Even though pam_unix comes before it and is "sufficient",

Not sure how to explain that.

>    nobody can login when the network is down or slapd is down.

That is normal...unless you have configured your systems to cache 
authentication credentials locally so that they can authenticate 
disconnected.

>    Also, you can login as root with root's password from ldap
>    even though there's a valid root entry in /etc/passwd.

Yup.  That's normal, because, when the pam_unix.so check for root fails, the 
"sufficient" line will not affect the overall outcome of the authentication 
attempt, then PAM moves on to the next line and succeeds with the sufficient 
pam_ldap.so line.

This is part of the reason why having root credentials in your central 
authentication store is a BIG NO-NO.  You should *only* have root credentials 
locally on each machine.

[SNIP]
-- 
Lamont R. Peterson <lamont gurulabs com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]

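Added example, not code from the thread or from Linux-PAM: a small Python model of the auth-stack evaluation described above. It runs the pam_unix/pam_ldap ordering from the thread and, beside it, a variant that never lets the directory decide the root account; the guard module stands in for something like "pam_succeed_if.so user != root", which is an assumption here, not a configuration the thread gives.

```python
# Constructed simulation of how a PAM "auth" stack evaluates control flags.
# Simplified from pam.conf(5):
#   required   - a failure is remembered, but the stack keeps running
#   requisite  - a failure ends the stack immediately with failure
#   sufficient - a success ends the stack with success unless a required
#                module already failed; a failure is simply ignored
from typing import Callable, List, Optional, Tuple

# Constructed credential stores standing in for /etc/shadow and the LDAP directory.
LOCAL_PASSWD = {"root": "local-root-pw", "alice": "alice-pw"}
LDAP_DIR = {"root": "ldap-root-pw", "alice": "alice-pw", "bob": "bob-pw"}

Module = Callable[[str, str, bool], bool]  # (user, password, network_up) -> success

def pam_unix(user: str, password: str, net_up: bool) -> bool:
    return LOCAL_PASSWD.get(user) == password

def pam_ldap(user: str, password: str, net_up: bool) -> bool:
    return net_up and LDAP_DIR.get(user) == password  # unreachable slapd == failure

def pam_deny(user: str, password: str, net_up: bool) -> bool:
    return False

def not_root(user: str, password: str, net_up: bool) -> bool:
    # Assumed guard, modelled on "pam_succeed_if.so user != root".
    return user != "root"

def run_auth_stack(stack: List[Tuple[str, Module]], user: str,
                   password: str, net_up: bool = True) -> bool:
    status: Optional[bool] = None  # decided by required/requisite modules
    for control, module in stack:
        ok = module(user, password, net_up)
        if control in ("required", "requisite"):
            if not ok:
                if control == "requisite":
                    return False
                status = False          # remembered; later successes cannot undo it
            elif status is None:
                status = True
        elif control == "sufficient" and ok and status is not False:
            return True                 # short-circuit: the rest of the stack is skipped
        # a failed "sufficient" module changes nothing; evaluation continues
    return status is True

# The ordering the thread describes: pam_unix "sufficient" first, then pam_ldap.
WEAK = [("sufficient", pam_unix), ("sufficient", pam_ldap), ("required", pam_deny)]
# Hardened: root is only ever checked against the local password file.
HARDENED = [("sufficient", pam_unix), ("requisite", not_root),
            ("sufficient", pam_ldap), ("required", pam_deny)]

if __name__ == "__main__":
    print("weak, root with LDAP password:", run_auth_stack(WEAK, "root", "ldap-root-pw"))
    print("hardened, root with LDAP password:", run_auth_stack(HARDENED, "root", "ldap-root-pw"))
    print("weak, LDAP-only user, network down:", run_auth_stack(WEAK, "bob", "bob-pw", net_up=False))
```

Running it shows the two behaviours the thread calls "normal": root's LDAP password is accepted by the weak stack because the failed "sufficient" pam_unix line is ignored, and a directory-only user cannot log in while the network is down.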