Re: LDAP authentication with PAM
On Thu, 12 Apr 2001, Ethan Benson wrote:
> On Thu, Apr 12, 2001 at 01:24:56PM +0200, Wichert Akkerman wrote:
> > You can also remove files so PAM will fall back to using /etc/pam.d/other
> > which you can fill with standard settings.
> wouldn't pam_stack be a better option than that? or does pam_stack
> suck?
<tries to find a way to dance around the issue, then gives up>
Yes, pam_stack sucks. It can never work as well as providing reasonable
defaults in /etc/pam.d/other, because there's no way to allow passing of
information between the two stacks, except to the extent that pam_stack itself
allows. It makes it much more difficult to follow the stack flow, especially
for those not overly familiar with PAM. It's not particularly labor-saving,
because there are now two config files to keep track of for every service,
even those services which don't deviate at all from the default settings.
Honestly I think pam_stack is a neat concept, and I can see where it would
come in handy. But using it for all of your services when PAM already has a
mechanism that will get you the same results with less overhead seems silly
to me.
Steve Langasek
postmodern programmer
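
Added example (not part of the original message): a shell sketch of the two layouts compared in this thread. It lists the files that define a service's PAM policy when the service falls back to `other` and when it delegates through `pam_stack.so`. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Print the file libpam reads for SERVICE in DIR: the service's own file if
# it exists, otherwise the shared "other" file.
pam_effective_file() {
    if [ -f "$1/$2" ]; then
        printf '%s\n' "$1/$2"
    elif [ -f "$1/other" ]; then
        printf '%s\n' "$1/other"
    else
        return 1
    fi
}

# Print the unique service names a file pulls in through pam_stack.so
# (its service=NAME argument), ignoring comments.
pam_stack_targets() {
    sed -e 's/#.*//' "$1" |
        awk '/pam_stack\.so/ { for (i = 1; i <= NF; i++)
                 if ($i ~ /^service=/) print substr($i, 9) }' |
        sort -u
}

# Print every file that has to be read to know SERVICE's policy.
pam_files_to_review() {
    file=$(pam_effective_file "$1" "$2") || return 1
    printf '%s\n' "$file"
    for target in $(pam_stack_targets "$file"); do
        printf '%s\n' "$1/$target"
    done
}

# Constructed sample tree: "sshd" uses pam_stack, "ftp" has no file at all.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth required pam_unix.so' \
                  'account required pam_unix.so' > "$d/other"
    printf '%s\n' 'auth required pam_unix.so' > "$d/system-auth"
    printf '%s\n' '# delegates to a shared stack' \
                  'auth required pam_stack.so service=system-auth' \
                  'account required pam_stack.so service=system-auth' > "$d/sshd"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
pam_files_to_review "$tree" sshd   # own file plus the stacked service file
pam_files_to_review "$tree" ftp    # only the shared "other" file
rm -rf "$tree"
```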