Stackable modules and NSS

Wayne Gowcher wgowcher at yahoo.com
Thu Feb 19 22:55:38 UTC 2004


Hi,

I am implementing an authentication scheme using
stackable modules - in this case pam_unix & pam_ldap.
In most cases everything works fine, but I have one
case (and maybe some would consider a non-valid case)
where authentication fails even though the entered
password was correct. The case is as follows:

You have a common user - call him joe - defined locally
and in the ldap database.

You set joe's local password to joelocal, and joe's
ldap password to joeldap.

You set pam_ldap as the first method of authentication
in pam.d/login, and you set ldap as the first Name
Switch Service to be used in etc/nsswitch.conf.

With the above, when I login as user joe, but with
joe's LOCAL password, authentication FAILS, even
though the password is CORRECT.

I believe I have traced this failure down to the
following:

pam_ldap tries to authenticate joe, with username =
joe, and password = joelocal. This of course fails and
so PAM passes authentication to the next level for
pam_unix to have a go.

pam_unix calls getspnam() and because ldap is set as
the first service in etc/nsswitch.conf:

   ldap files

nss retrieves joe's ldap password joeldap. pam_unix
uses this password to compare with the joelocal
password the user typed in, and authentication fails.
:(

I believe this is how it is supposed to work, but what
I am really interested in knowing is, is there any way
to make nss behave more like PAM? That is, how can I
make nss return joe's local password if joe's ldap
password already failed?

One kludge that I can think of is to remove the
generic getspnam (getpwnam) calls in pam_unix &
pam_ldap and replace them with functions such as
getspnam_ldap, getspnam_local etc.

Any thoughts/comments welcome.
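The interaction described in this post, modelled as an added example (this is not pam_unix, pam_ldap or glibc code; the user databases, the `hash_pw` stand-in for crypt(3), and a stack of `pam_ldap sufficient` followed by `pam_unix required` are all constructed). It shows why pam_unix inherits the nsswitch.conf source order while pam_ldap does not, so a `ldap files` order makes joe's local password unusable, and a `files ldap` order makes his ldap password unusable via pam_unix (though pam_ldap still accepts it).

```python
"""Model of PAM stacking vs. NSS source ordering (constructed example)."""
import hashlib
from typing import Callable, List, Optional

def hash_pw(password: str, salt: str = "s4lt") -> str:
    # Stand-in for crypt(3); a real shadow entry holds a crypt hash.
    return hashlib.sha512((salt + password).encode()).hexdigest()

# Constructed user databases: joe exists in both with different passwords.
LOCAL_SHADOW = {"joe": hash_pw("joelocal")}   # /etc/shadow ("files")
LDAP_DIR = {"joe": hash_pw("joeldap")}        # directory ("ldap")
NSS_SOURCES = {"files": LOCAL_SHADOW, "ldap": LDAP_DIR}

def getspnam(user: str, nsswitch_order: List[str]) -> Optional[str]:
    """Like glibc getspnam(): walk the shadow sources in nsswitch.conf
    order and return the first entry found; later sources are never seen."""
    for source in nsswitch_order:
        entry = NSS_SOURCES[source].get(user)
        if entry is not None:
            return entry
    return None

def pam_ldap(user: str, password: str, _order: List[str]) -> bool:
    """pam_ldap binds to the directory itself; NSS order is irrelevant."""
    return LDAP_DIR.get(user) == hash_pw(password)

def pam_unix(user: str, password: str, nsswitch_order: List[str]) -> bool:
    """pam_unix compares against whatever getspnam() hands back, so the
    nsswitch.conf order decides which stored password it checks."""
    stored = getspnam(user, nsswitch_order)
    return stored is not None and stored == hash_pw(password)

STACK: List[Callable[[str, str, List[str]], bool]] = [pam_ldap, pam_unix]

def pam_authenticate(user: str, password: str,
                     nsswitch_order: List[str]) -> Optional[str]:
    """Constructed stack 'pam_ldap sufficient; pam_unix required':
    return the name of the first module that accepts, or None."""
    for module in STACK:
        if module(user, password, nsswitch_order):
            return module.__name__
    return None

if __name__ == "__main__":
    for order in (["ldap", "files"], ["files", "ldap"]):
        for pw in ("joeldap", "joelocal"):
            print(order, pw, "->", pam_authenticate("joe", pw, order))
```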






