
Re: LDAP+Kerberos



On Tue, Nov 28, 2000 at 12:16:26PM +1100, Brian May wrote:
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@ubsw.com> writes:
> 
>     Nicolas> Well, I don't know if you have to authenticate to the
>     Nicolas> LDAP server in order to even perform the lookups that
>     Nicolas> pam_ldap will require to implement its authorization
>     Nicolas> checks. If it does, then you have to keep:
> 
>     Nicolas> account required pam_ldap.so
> 
> hmmm... I was under the impression that this "account" information has
> nothing to do with authentication, but the rest of the users details
> that you would normally find under /etc/passwd (uid, real name, shell,
> home directory, etc).

No. NSS does that and is not related to PAM in any direct way (except
that PAM modules use getpwnam() and getspnam() which would be
implemented by NSS, if you have NSS -- see nsswitch.conf(5)).

The 'account' service is for authorization, as in whether the user is
allowed to login to the application in question. It's also used to
indicate to the application such things as whether the user's password
has expired and so must be changed.

> Anyway, my system is working fine with Kerberos for authentication and
> LDAP for this other information. The only serious problem I have is
> with xscreensaver.

Screen locker programs tend to be lousy at implementing PAM correctly.
Dunno why...

>     Nicolas> You may want to use the use_first_password
>     Nicolas> option. Password synchronization will be an issue
> 
> What module takes the use_first_password option? What does it do?

All of them do. The use_first_password argument tells the given module
to use the first password the user typed in and prompt for no other
passwords, even if the first password was incorrect.

As opposed to try_first_password, which tells the given module to try the
first password typed in by the user and, if that password is incorrect,
leaves the module free to prompt for additional passwords.

The absence of either argument allows modules to prompt for passwords
without testing the first password typed in by the user.

...
> -- 
> Brian May <bam@snoopy.apana.org.au>


Nico
--
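As an added illustration (not from either message above), here is a Linux-PAM service file for the split discussed in this thread: Kerberos for authentication, LDAP for the 'account' (authorization) check, NSS for the passwd-style data. In Linux-PAM and in the pam_krb5 and pam_ldap modules the option is spelled use_first_pass / try_first_pass; the module file names, the service name and the local pam_unix fallback are assumptions for the example.

```text
# /etc/pam.d/login  (example only; module names assumed)

# auth: establishes who the user is.  Kerberos is tried first.  If the
# KDC rejects the password, fall through to the local shadow file for
# local-only accounts, reusing the password already typed.
auth      sufficient  pam_krb5.so
auth      required    pam_unix.so  use_first_pass

# With use_first_pass, pam_unix never prompts: it is handed the first
# password and fails if that is wrong.  If Kerberos and local passwords
# are NOT kept in sync, use try_first_pass instead, so pam_unix tries the
# typed password and only re-prompts when it does not match:
#
#   auth      required    pam_unix.so  try_first_pass
#
# With neither option, pam_unix prompts for a password of its own without
# first trying the one the user already typed, so a Kerberos failure
# means two password prompts in a row.

# account: is this user allowed in right now?  This is authorization, not
# identity; uid, shell and home directory come from NSS (nsswitch.conf).
# pam_ldap applies the directory's access rules and expiry information;
# pam_unix enforces shadow aging for local users.
account   required    pam_ldap.so
account   required    pam_unix.so

# session: setup once the user is admitted.
session   required    pam_unix.so
```

A screen locker that gets this wrong (the xscreensaver problem mentioned above) typically runs only the 'auth' stack, or reuses a stale password prompt, which is why its behaviour can differ from login even with an identical configuration.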