Stackable modules and NSS

Joe Lewis joe at joe-lewis.com
Thu Feb 19 23:11:35 UTC 2004 

Try putting files before ldap :

   files ldap

And see if that aids you.  Of course, they will have the local 
permisions, but that is kinda what you wanted, right?

Joe (the real joe)

Wayne Gowcher wrote:

> Hi,
> 
> I am implementing an authetication scheme using
> stackable modules - in this case pam_unix & pam_ldap.
> In most cases everything works fine, but I have one
> case ( and maybe some would consider a non valid case
> ) where authentication fails even though the entered
> password was correct. The case is as follows :
> 
> You have a common user - call him joe defined locally
> and in the ldap database.
> 
> You set joe's local password to joelocal, and joe's
> ldap password to joeldap.
> 
> You set pam_ldap as the first method of authentication
> in pam.d/login, and you set ldap as the first Name
> Switch Service to be used in etc/nsswitch.conf.
> 
> With the above, when I login as user joe, but with
> joe's LOCAL password, authentication FAILS, even
> through the password is CORRECT.
> 
> I believe I have traced this failure down to the
> following :
> 
> pam_ldap tries to authenticate joe, with username =
> joe, and password = joelocal. This of course fails and
> so PAM passes authentication to the next level for
> pam_unix to have a go.
> 
> pam_unix calls getspnam() and because ldap is set as
> the first service in etc/nsswitch.conf :
> 
>    ldap files
> 
> nss retrieves joe's ldap password joeldap. pam_unix
> uses this passowrd to compare with the joelocal
> password the user typed in , and authentication fails.
> :(
> 
> I believe this is how it is supposed to work, but what
> i am really interested in knowing is, is there anyway
> to make nss behave more like PAM ? That is how can I
> make nss retrun joe's local password if, joe's ldap
> password already failed ?
> 
> One Kludge that I can think of, is to remove the
> generic getspnam (getpnam) calls in pam_unix &
> pam_ldap and replace them with function such as 
> getspnam_ldap, getspnam_local etc.
> 
> Any thoughts comments welcome.
> 
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail SpamGuard - Read only the mail you want.
> http://antispam.yahoo.com/tools
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list

More information about the Pam-list mailing list