On Thu, 2010-06-03 at 22:00 +0200, Arthur de Jong wrote:
> I have just done some testing and if LDAP does not provide /etc/shadow
> information (not entirely unheard of) pam_unix does not return success.
> In this configuration you would need to have pam_ldap as Primary or move
> everything to Additional. I haven't tested what happens if LDAP provides
> empty shadow information.
> 
> To get all modules playing along nicely in the Additional section for
> all tested configurations you need to have this as control expression
> for every module (at least for pam_unix and pam_ldap):
>   [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore
>   authinfo_unavail=ignore default=bad]
> This is quite a long list and a bit ugly but works for both
> configurations.
> 
> I don't think it's unreasonable to not provide shadow information from
> LDAP. In fact in some ways it is nicer (you don't get authentication
> failure messages in your log from pam_unix).

I have done more testing but have not come up with a working
configuration for libpam-ldapd where authorisation works in both
scenarios (having nss_ldap provide shadow information or not).

If nss_ldap does provide shadow information pam_ldap should be
additional, if it doesn't pam_ldap should be primary.

For the coming release of libpam-ldapd I've moved pam_ldap to additional
because it does not do all the authorisation checks that pam_unix does
and I believe providing LDAP shadow information is the most common
configuration.


I still think that for authorisation checks there should be no
distinction between primary and additional. The following configuration
works regardless of whether shadow information is provided:

account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_unix.so debug
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000 debug

The above still properly validates shadow information if it is
available.


I have not been able to come up with a reasonable change to pam_unix in
the primary block to get both configurations working. Adding
user_unknown=end authinfo_unavail=end works but defeats the whole
purpose of the primary section.


Another option altogether (haven't looked into this yet) is to provide
pam_ldap both as primary and additional. This is really ugly (if at all
possible with pam-auth-update) but it may just work.

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --
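As an added illustration (not part of Arthur's mail or of libpam-ldapd), the following Python model of Linux-PAM's account-stack dispatch runs the two-module Additional stack above once with the long control expression and once with what `required` expands to; the return values assigned to pam_unix and pam_ldap in each scenario are constructed assumptions, not observed module behaviour.

```python
# Added example: a model of Linux-PAM's account stack dispatch (the
# ok/done/bad/die/ignore rules of pam_dispatch.c), not code from the mail.
# Per-scenario module return values below are constructed assumptions.
PAM_SUCCESS, PAM_IGNORE, PAM_PERM_DENIED = "success", "ignore", "perm_denied"
PAM_USER_UNKNOWN, PAM_AUTHINFO_UNAVAIL = "user_unknown", "authinfo_unavail"
PAM_NEW_AUTHTOK_REQD, PAM_ACCT_EXPIRED = "new_authtok_reqd", "acct_expired"

# The expression from the mail, and what Linux-PAM expands 'required' to.
LONG = ("[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore "
        "authinfo_unavail=ignore default=bad]")
REQUIRED = "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]"

def parse_control(expr):
    """'[success=ok default=bad]' -> {'success': 'ok', 'default': 'bad'}."""
    return dict(tok.split("=", 1) for tok in expr.strip("[]").split())

def run_account_stack(stack, results):
    """stack: [(control_expr, module)]; results: module -> return value.
    Returns what pam_acct_mgmt() hands back to the application."""
    impression, status = None, PAM_PERM_DENIED  # _PAM_UNDEF, PAM_MUST_FAIL_CODE
    for control, module in stack:
        retval = results[module]
        actions = parse_control(control)
        action = actions.get(retval, actions["default"])
        if action in ("ok", "done"):
            # Only a stack with no failure so far is moved by a success.
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                if retval != PAM_IGNORE or impression is None:
                    impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break  # 'done' ends the stack: later modules are not consulted
        elif action in ("bad", "die"):
            if impression != "negative":  # the first failure decides the status
                impression = "negative"
                status = PAM_PERM_DENIED if retval == PAM_IGNORE else retval
            if action == "die":
                break
        # action 'ignore': this module's result does not influence the stack
    return status

def additional_stack(control):
    """Both modules in the Additional block, each with the same expression."""
    return [(control, "pam_unix.so"), (control, "pam_ldap.so")]

if __name__ == "__main__":
    # pam_unix without shadow data is modelled as user_unknown/authinfo_unavail
    for unix_rv in (PAM_SUCCESS, PAM_USER_UNKNOWN, PAM_AUTHINFO_UNAVAIL):
        res = {"pam_unix.so": unix_rv, "pam_ldap.so": PAM_SUCCESS}
        print(f"pam_unix={unix_rv:16} long: {run_account_stack(additional_stack(LONG), res):8}"
              f" required: {run_account_stack(additional_stack(REQUIRED), res)}")
```

With the long expression the stack succeeds whichever of the three results pam_unix produces, while `required` turns a missing shadow entry into a denied login; pam_ldap's own failures (for instance an expired account) still fail the stack through `default=bad`.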
