
Re: cannot use shutdown (and others) with pam_ldap
On Thu, Mar 16, 2000 at 04:07:28PM -0500, Nalin Dahyabhai wrote:
> On Thu, Mar 16, 2000 at 05:03:16PM -0300, Andreas Hasenack wrote:
> > My /etc/pam.d/shutdown:
> > 
> > #%PAM-1.0
> > auth       sufficient	/lib/security/pam_rootok.so
> > auth       required	/lib/security/pam_console.so
> > auth       sufficient	/lib/security/pam_pwdb.so
> > auth       required	/lib/security/pam_ldap.so use_first_pass
> > account    required	/lib/security/pam_permit.so
> 
> Change all instances of pam_pwdb in your files to pam_unix.  The pam_pwdb
> module uses pwdb instead of nsswitch for its back-end when looking up user
> information, and pwdb doesn't understand things like LDAP or hesiod.

Huh?
Well, I don't want it to know about LDAP. That's why I have the pam_ldap module, right?
Are you implying that with pam_unix alone (and nss_ldap) I can make this whole authentication
thing work?
I once sent a message to padl about this and they told me that with only nss_ldap I would
be able to authenticate users only with crypt-style passwords. And still somewhat limited.

But going back to the pam_pwdb issue, I know it will fail if a user is only in the LDAP
directory (it even logs that in /var/log/messages), but then it tries pam_ldap and
succeeds. What would be the difference with pam_unix?

> I've just tested this with the packaged versions from Raw Hide
> (ftp://ftp.redhat.com/pub/rawhide/i386/RedHat/RPMS/), and it appears to
> work correctly.

OK, thanks a lot! I will try it out.

-- 
Andreas Hasenack
andreas@conectiva.com.br
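As an added example that is not part of this thread, a small POSIX sh helper that counts pam_pwdb entries in a PAM service file and prints the same stack with pam_unix substituted, which is the change Nalin suggests. The sample file is a constructed copy of the quoted /etc/pam.d/shutdown and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. pam_pwdb resolves users through
# libpwdb rather than nsswitch, so a user that exists only in LDAP is unknown
# to it; pam_unix goes through NSS (nss_ldap), so the same stack then sees
# LDAP users. These helpers find pam_pwdb lines and rewrite them to pam_unix
# without touching the type, control flag, path or module arguments.

# Constructed sample input: a copy of the quoted /etc/pam.d/shutdown.
SAMPLE_PAM='#%PAM-1.0
auth       sufficient /lib/security/pam_rootok.so
auth       required   /lib/security/pam_console.so
auth       sufficient /lib/security/pam_pwdb.so
auth       required   /lib/security/pam_ldap.so use_first_pass
account    required   /lib/security/pam_permit.so'

# count_pwdb: number of non-comment lines on stdin that load pam_pwdb.so.
# grep -c exits 1 when the count is 0, so force a zero exit status.
count_pwdb() {
    grep -v '^[[:space:]]*#' | grep -c 'pam_pwdb\.so' || true
}

# pwdb_to_unix: rewrite pam_pwdb.so to pam_unix.so on module lines only
# (comment lines are left alone); reads stdin, writes the new stack to stdout.
pwdb_to_unix() {
    sed -e '/^[[:space:]]*#/!s/pam_pwdb\.so/pam_unix.so/g'
}

# Stand-alone run: report the count, then show the rewritten service file.
if [ "${PAM_DEMO:-1}" = "1" ]; then
    printf 'pam_pwdb entries: %s\n' "$(printf '%s\n' "$SAMPLE_PAM" | count_pwdb)"
    printf '%s\n' "$SAMPLE_PAM" | pwdb_to_unix
fi
```

To audit a real system rather than the sample, feed each file under /etc/pam.d to count_pwdb and review the pwdb_to_unix output before writing it back.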