Re: cannot use shutdown (and others) with pam_ldap

On Fri, Mar 17, 2000 at 09:43:46AM -0300, Andreas Hasenack wrote:
> On Thu, Mar 16, 2000 at 04:07:28PM -0500, Nalin Dahyabhai wrote:
> > Change all instances of pam_pwdb in your files to pam_unix.  The pam_pwdb
> > module uses pwdb instead of nsswitch for its back-end when looking up user
> > information, and pwdb doesn't understand things like LDAP or hesiod.
> Huh?
> Well, I don't want it to know about LDAP. That's why I have the pam_ldap module, right?
> Are you implying that with pam_unix alone (and nss_ldap) I can make this whole authentication
> thing work?
> I once sent a message to padl about this and they told me that with only nss_ldap I would
> be able to authenticate users only with crypt-style passwords. And still somewhat limited.

If running "getent passwd someuser" gives you a passwd-style entry for
"someuser", with a crypted password (this is the important part), then
pam_unix will work just fine and you needn't bother with pam_ldap except
for password-changing.

> But going back to the pam_pwdb issue, I know it will fail if a user is only in the LDAP
> directory (it even logs that in /var/log/messages), but then it tries pam_ldap and
> succeeds. What would be the difference with pam_unix?

The pam_pwdb module uses pwdb to retrieve information about users, and pwdb
doesn't know anything about LDAP.  When the PAM library calls pam_pwdb to
do account and session management, it can (and often does) return an error
code (PAM_USER_UNKNOWN) that can hose up the whole thing.
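The two checks Nalin describes, as an added example that is not part of the original thread: whether a passwd-style entry (what "getent passwd" would print through nss_ldap) actually carries a crypt-style hash in the password field, and what a pam_pwdb-based config looks like once rewritten to pam_unix. The user entries and the PAM config below are constructed sample data, not real accounts or files.

```shell
#!/bin/sh
# Added example (not from the original thread).
# 1) Does the NSS view of a user carry a crypt-style hash in field 2, so
#    pam_unix can verify it without pam_ldap?
# 2) What does a pam_pwdb-based PAM file look like after the pam_unix swap?
# All sample data below is constructed.

# Return 0 if a passwd-style line has a usable crypted hash in the password
# field, 1 otherwise ("x", "*", "!..." or an empty field mean no hash there).
has_crypted_password() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        ''|x|'*'|'!'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Rewrite every pam_pwdb reference in a PAM config read from stdin to
# pam_unix; other lines pass through unchanged.
pwdb_to_unix() {
    sed 's/pam_pwdb\.so/pam_unix.so/g'
}

# Constructed sample: an LDAP-backed user as nss_ldap would present it (hash
# visible), and a local user whose hash lives in /etc/shadow (nss shows "x").
LDAP_USER='alice:$1$abcdefgh$ijklmnopqrstuvwxyz123:1001:1001:Alice:/home/alice:/bin/sh'
LOCAL_USER='bob:x:1002:1002:Bob:/home/bob:/bin/sh'

# Constructed sample in the style of an /etc/pam.d/shutdown file.
SAMPLE_PAM='auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so'

main() {
    for entry in "$LDAP_USER" "$LOCAL_USER"; do
        name=${entry%%:*}
        if has_crypted_password "$entry"; then
            echo "$name: crypted hash visible via NSS, pam_unix can verify it"
        else
            echo "$name: no hash in NSS passwd entry (shadow-only or external)"
        fi
    done
    echo "--- pam_pwdb lines rewritten to pam_unix ---"
    printf '%s\n' "$SAMPLE_PAM" | pwdb_to_unix
}

main "$@"
```

On a real host, replace the constructed entries with the output of "getent passwd someuser" and feed the actual PAM file to pwdb_to_unix before editing it.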