[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Deprecating pam_stack.so



On 10/11/05, Lamont R. Peterson <lamont gurulabs com> wrote:
> On Tuesday 11 October 2005 06:06pm, Bernardo Innocenti wrote:
> > Tomas Mraz wrote:
> > > Linux-PAM 0.78 and later contains include directive which obsoletes
> > > using the pam_stack module. This module is rather a hack as it requires
> > > access to pam library internals for its operation and will never be
> > > accepted to upstream.
> >
> > Thank you.  Simplifying PAM configuration was badly needed.
> >
> > I have a few wishlist entries to submit, if you have time to
> > consider them:
> >
> >  - For some reason, pam_ldap interacts strangely with pam_unix.
> >    Even tough pam_unix comes before it and is "sufficient",
>
> Not sure how to explain that.
>
> >    nobody can login when the network is down or slapd is down.
>
> That is normal...unless you have configured your systems to cache
> authentication credentials locally so that they can authenticate
> disconnected.
>

I think the problem comes with outside expectations. The idea would be
that if the pam_unix comes back with a correct passwd as "sufficient"
etc it then you shouldn't need pam_krb/pam_ldap. The problem is that
the pam model seems to try to check the ones below even when not
needed (possibly because something lower in the stack could invalidate
it?) So when the network is down, it acts like a show-stopper (either
through a network timeout longer than the login timeout) or coming
back as a failure and pam counting it.

Putting in timeout modes and such didnt seem to help me when I tried
this back in RHL 7.3 days.. It has been a problem with our laptop
users because it effectively requires them to re-run authconfig
whenever they go off the wire.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]