
Re: LDAP authentication with PAM



On 14 Apr 2001, Brian May wrote:

> >>>>> "Wichert" == Wichert Akkerman <wichert@cistron.nl> writes:

>     Wichert> auth sufficient pam_unix.so
>     Wichert> auth required   pam_ldap.so try_first_pass

> Just curious: what is preferred: try_first_pass or use_first_pass?

Both options are useful in different cases.  If you have a system where your
users must pass *two* authentication methods before being allowed in, you may
want to use 'try_first_pass' so they don't have to type the same password
twice in the case where they match, but they are still prompted for the second
password if it doesn't match the first.  The use_first_pass option, OTOH,
could be useful when you have two authentication databases which each have
different contents, and you want to only prompt the user once; perhaps you
don't want the user to know which auth method is really in use.

Typically, I find myself using use_first_pass for auth modules, and
try_first_pass for password modules.  (in the event that two password
databases fall out of sync, I want some way to recover from it :)

> from December last year on heimdal-discuss:

> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@ubsw.com> writes:

>     Nicolas> All of them do. The use_first_password argument tells the
>     Nicolas> given module to use the first password the user typed in
>     Nicolas> and prompt for no other passwords, even if the first
>     Nicolas> password was incorrect.

>     Nicolas> As opposed to try_first_password which tells the given
>     Nicolas> module to try the first password typed in by the user and
>     Nicolas> that, if that password is incorrect, then the module is
>     Nicolas> free to prompt for additional passwords.

> So use_first_password is more flexible in that the passwords on the
> two different systems could be different, but might cause confusion
> if/when two prompts are displayed.

The above description fits try_first_pass, not use_first_pass.

> (now that is something that I can't see documented anywhere).

It may be mentioned in the original PAM X/Open RFC; both options are
considered 'standard', i.e., all PAM options are expected to support them
where appropriate.

Steve Langasek
postmodern programmer
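As an added illustration of the three uses described above (this is not part of Steve's message and not a tested Debian or site configuration; the module names and the try_first_pass/use_first_pass options are the ones discussed in the thread, the stack layout is an assumption):

```pam
# Added example, not from the original thread.  Three /etc/pam.d-style
# stacks showing where try_first_pass and use_first_pass differ.

# 1. Two separate account databases, one prompt.  pam_unix prompts; if it
#    rejects the password, pam_ldap retries the same one and never asks
#    again, so the user cannot tell which backend rejected the attempt
#    and is never shown a second prompt.
auth    sufficient  pam_unix.so
auth    required    pam_ldap.so  use_first_pass

# 2. Two factors that must BOTH succeed.  pam_ldap first reuses the
#    password pam_unix collected; only if that does not match is the
#    user prompted for the second password.
auth    required    pam_unix.so
auth    required    pam_ldap.so  try_first_pass

# 3. Password changes against both databases.  try_first_pass lets
#    pam_ldap fall back to its own prompt when the old passwords have
#    drifted out of sync, so the LDAP entry can still be updated.
password  required  pam_unix.so
password  required  pam_ldap.so  try_first_pass
```

Stack 1 is the "only prompt once" case; stack 2 is the "must pass two methods" case; stack 3 is the password-module preference from the end of the message. Which of the first two is right depends on whether a user who knows only one of the two passwords should be let in at all.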
