Re: using LDAP as central authentication unit

[Tony Earnshaw <tonni@hetnet.nl>]

Hamidreza Hamedtoolloei skrev, on 22-02-2008 09:49:

> http://www.linux.com/articles/113567 describes the "sufficient" modifier 
> as follows:
> If a sufficient module succeeds, it is enough to satisfy the 
> requirements of sufficient modules in that realm for use of the service, 
> and modules below it that are also listed as 'sufficient' are not invoked.
>
> given the following /etc/pam.d/system.auth file:
>  auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
>  auth        required      /lib/security/$ISA/pam_deny.so
> I think LDAP is used ONLY if the unix authentication fails?? right??? am 
> I missing something???

I don't suppose that, reading the article you quote, you're missing 
anything, but I've just played around with my test machine's FC6 
/etc/pam.d/system-auth and found the following for the auth service:

1: Where a user is in both LDAP and /etc/{passwd,shadow} only the 
pam_unix.so password counts, even though the position of the pam_unix.so 
and pam_ldap.so lines is swapped. Changing the LDAP entry's password 
doesn't make any difference to pam;
2: Where a user is only in LDAP the pam_unix.so auth entry is ignored, 
whatever its position;
3: Commenting out the pam_unix.so line results in all login attempts by 
everyone to be invalid. So not even root can log in any longer.

So I'd say that the stuff is far more complicated than the author 
states. Perhaps people are thinking about the nsswitch.conf entries. 
However, a recent thread in the pam_ldap mailing list hinted that things 
might be different for systems on which Padl's CNS pam_ldap library is 
installed, rather than Red Hat's version - as on my machines.

To avoid completely "missing something" I suggest you try it out for 
yourself ;)

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl