Re: On PAM and authentication
Tom Lees <firstname.lastname@example.org> writes:
> I recently tried out LDAP on my machine for authentication. I used tools
> available at http://www.rage.net/ldap/, and I'm pleased to say it works.
> By using the NSS module, it works with all existing tools, including XDM,
> etc., that I have tried, except for tin (my version is libc5 though),
> and passwd, gpasswd, etc (for users authenticated via LDAP).
> Presumably this implies that if we use PAM for authentication, AND have a
> /lib/libnss_pam.so.1 library, not many mods will NEED to be done (although
> for full PAM support mods will be necessary, AFAICT).
I would prefer that Debian not use libnss_pam.so.1.
It turns out that for PAM to work well without confusing the user
(i.e. for NIS to work without tweaking /etc/pwdb.conf), we need to use
pam_unix_* instead of pam_pwdb. If when then used libnss_pam.so.1, we
would have a loop, pam would call glibc, which would call pam.