On Thu, 2010-06-03 at 22:00 +0200, Arthur de Jong wrote:
> I have just done some testing and if LDAP does not provide /etc/shadow
> information (not entirely unheard of) pam_unix does not return success.
> In this configuration you would need to have pam_ldap as Primary or move
> everything to Additional. I haven't tested what happens if LDAP provides
> empty shadow information.
>
> To get all modules playing along nicely in the Additional section for
> all tested configurations you need to have this as control expression
> for every module (at least for pam_unix and pam_ldap):
> [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore
> authinfo_unavail=ignore default=bad]
> This is quite a long list and a bit ugly but works for both
> configurations.
>
> I don't think it's unreasonable to not provide shadow information from
> LDAP. In fact in some ways it is nicer (you don't get authentication
> failure messages in your log from pam_unix).
I have done more testing but have not come up with a working configuration for libpam-ldapd where authorisation works in both scenarios (having nss_ldap provide shadow information or not). If nss_ldap does provide shadow information pam_ldap should be additional, if it doesn't pam_ldap should be primary.

For the coming release of libpam-ldapd I've moved pam_ldap to additional because it does not do all the authorisation checks that pam_unix does and I believe providing LDAP shadow information is the most common configuration.

I still think that for authorisation checks there should be no distinction between primary and additional. The following configuration works regardless of whether shadow information is provided:

account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_unix.so debug
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000 debug

The above still properly validates shadow information if it is available. I have not been able to come up with a reasonable change to pam_unix in the primary block to get both configurations working. Adding user_unknown=end authinfo_unavail=end works but defeats the whole purpose of the primary section.

Another option altogether (haven't looked into this yet) is to provide pam_ldap both as primary and additional. This is really ugly (if at all possible with pam-auth-update) but it may just work.

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --
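As an added illustration that is not part of the thread, a small Python model of how the Linux-PAM dispatcher evaluates the [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] control expression over the two account modules above. The user records and the return codes of pam_unix and pam_ldap are constructed assumptions for the four cases discussed (shadow data present, shadow data absent, expired password, local user below minimum_uid), not the real modules' code.

```python
# Control expression from the message: PAM return code -> stack action.
CONTROL = {"success": "ok", "new_authtok_reqd": "done", "ignore": "ignore",
           "user_unknown": "ignore", "authinfo_unavail": "ignore", "default": "bad"}

# Constructed account data standing in for NSS and LDAP (not a real directory).
USERS = {"root":  {"uid": 0,    "shadow": True,  "expired": False, "in_ldap": False},
         "alice": {"uid": 1001, "shadow": True,  "expired": False, "in_ldap": True},
         "bob":   {"uid": 1002, "shadow": True,  "expired": True,  "in_ldap": True},
         "carol": {"uid": 1003, "shadow": False, "expired": False, "in_ldap": True}}

def pam_unix(user):  # assumed behaviour: account check needs a shadow entry via NSS
    u = USERS.get(user)
    if u is None:
        return "user_unknown"
    if not u["shadow"]:
        return "authinfo_unavail"  # assumption: what pam_unix yields without shadow data
    return "new_authtok_reqd" if u["expired"] else "success"

def pam_ldap(user, minimum_uid=1000):  # assumed behaviour of pam_ldap minimum_uid=1000
    u = USERS.get(user)
    if u is None or not u["in_ldap"]:
        return "user_unknown"
    return "ignore" if u["uid"] < minimum_uid else "success"

def run_stack(stack, user):
    """Evaluate [code=action ...] controls the way the Linux-PAM dispatcher does."""
    status = failure = None
    for control, module in stack:
        code = module(user)
        action = control.get(code, control["default"])
        if action in ("ok", "done"):
            # ok/done only override a provisional success; a recorded failure sticks
            if failure is None and status in (None, "success"):
                status = code
            if action == "done":
                break
        elif action == "bad":
            failure = failure or code   # first failure is what the stack returns
        elif action == "end":
            break
        # "ignore": the module's result does not contribute at all
    if failure is not None:
        return failure
    return status if status is not None else "perm_denied"  # nothing contributed

ACCOUNT_STACK = [(CONTROL, pam_unix), (CONTROL, pam_ldap)]

def account_result(user):
    return run_stack(ACCOUNT_STACK, user)
```

Note that a user neither module knows about ends with every result ignored, which the dispatcher turns into a denial rather than a pass, so ignoring user_unknown in both modules does not open the stack.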