
Re: LDAP authentication with PAM



On 13 Apr 2001, Brian May wrote:

>     Steve> Honestly I think pam_stack is a neat concept, and I can see
>     Steve> where it would come in handy.  But using it for all of your
>     Steve> services when PAM already has a mechanism that will get you
>     Steve> the same results with less overhead seems silly to me.

> What is pam_stack? (doesn't seem to be included on my stable
> installation).

pam_stack is a module written by RedHat that recursively invokes PAM with a
different service name.  If they hadn't taken the /etc/pam.d/other example
from the Linux-PAM documentation literally (filled with pam_deny) and turned
it into policy, the module would probably never have been written.  For
reasons that I cannot fathom, they believe it's insecure to allow services
with no explicit PAM configuration to authenticate and allow access according
to a default system policy.


> Oh, if no password service is found inside /etc/pam.d/login (for
> instance) will it look in /etc/pam.d/other? I think it does.

Yes.  PAM falls back to /etc/pam.d/other on a per-section basis.  If you have
auth and session configured for the service, and the application invokes
pam_acct_mgmt(), libpam will look for the 'account' block in /etc/pam.d/other.

> Some bugs do exist on stable:

> snoopy:/etc/pam.d# passwd bam
> New UNIX password:
> Retype new UNIX password:
> LDAP password information changed for bam
> passwd: password updated successfully

> Actually I was pushing ctrl^C trying to abort... Can't it make up its
> mind if it's updating UNIX or LDAP? (this only happens when done as
> root with a /etc/ldap.secret file).

Not a bug, a feature. ;)  Password prompts are typically handled by the first
module on the stack.  So pam_unix gets to prompt for the new password, but
pam_ldap prints its own status message after the passwords have been updated
successfully.

There's a module (not included in Debian yet to my knowledge) whose function
is to allow customized password prompts.  It prompts for the authentication
token with the prompt text you've configured, and stores the token so other
modules in the stack can access it.

Steve Langasek
postmodern programmer
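As an added illustration of the two points made above (it is not part of Steve's message or of Debian's PAM), the script below models how libpam resolves each management group (auth, account, password, session) for a service, falling back to /etc/pam.d/other per section, and which module gets to prompt first in a given stack. It builds a throwaway pam.d directory with constructed sample files under mktemp rather than touching the real /etc/pam.d; the helpers pam_source and first_module are hypothetical names, and the lookup deliberately ignores features such as @include that did not exist in the 2001 configuration being discussed.

```shell
#!/bin/sh
# Constructed sample pam.d tree; nothing here is a real system configuration.
PAMD=$(mktemp -d)
trap 'rm -rf "$PAMD"' EXIT

# 'login' configures only auth and session, so account and password
# requests for it must fall through to 'other'.
cat > "$PAMD/login" <<'EOF'
auth     required  pam_unix.so
session  required  pam_unix.so
EOF

# 'passwd' stacks pam_unix first, then pam_ldap: the first module prompts.
cat > "$PAMD/passwd" <<'EOF'
# constructed sample; comment lines are skipped
password required  pam_unix.so
password required  pam_ldap.so use_first_pass
EOF

# The Linux-PAM documentation's deny-everything 'other', taken literally.
cat > "$PAMD/other" <<'EOF'
auth     required  pam_deny.so
account  required  pam_deny.so
password required  pam_deny.so
session  required  pam_deny.so
EOF

# has_group FILE GROUP: true if FILE carries at least one non-comment
# entry for GROUP (auth|account|password|session).
has_group() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2[[:space:]]" "$1"
}

# pam_source SERVICE GROUP: prints which file libpam would read for that
# management group: the service's own file, 'other' as fallback, or 'none'.
pam_source() {
    if has_group "$PAMD/$1" "$2"; then
        echo "$1"
    elif has_group "$PAMD/other" "$2"; then
        echo other
    else
        echo none
    fi
}

# first_module SERVICE GROUP: prints the first module in the resolved stack,
# i.e. the one that normally gets to issue the prompt.
first_module() {
    src=$(pam_source "$1" "$2")
    if [ "$src" = none ]; then
        echo none
        return
    fi
    awk -v g="$2" '$1 !~ /^#/ && $1 == g { print $3; exit }' "$PAMD/$src"
}

# Report for an application that calls all four pam_* management functions
# against the 'login' service (e.g. pam_acct_mgmt() ends up in 'other').
for group in auth account password session; do
    printf '%-8s -> %s (first module: %s)\n' \
        "$group" "$(pam_source login "$group")" "$(first_module login "$group")"
done
printf 'passwd password stack prompts via: %s\n' "$(first_module passwd password)"
```

Run it and the report shows auth and session served by the login file while account and password resolve to other; with the deny-everything other file that means pam_acct_mgmt() fails for login, which is exactly the situation pam_stack was written to paper over. The last line shows pam_unix ahead of pam_ldap in the passwd stack, matching the prompt-then-LDAP-message behaviour quoted above.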


