While trying to use the pam_ldap module available from www.padl.com
I discovered the following problem.
Although the module authenticates just fine (using OpenLDAP),
the login program fails to permit logins. I traced the problem to
login.c. The following code is from login.c;
my questions are at the bottom.
****************************************************************************
pwd = getpwnam(username);
--------- at this point pwd == NULL due to the fact that the user
--------- does not exist in the local passwd database... see below
/*
 * if we have a valid account name, and it doesn't have a
 * password, or the -f option was specified and the caller
 * is root or the caller isn't changing their uid, don't
 * authenticate.
 */
if (pwd != NULL) {
    if (pwd->pw_uid == 0)
        rootlogin = 1;
    if (fflag && (uid == (uid_t)0 ||
        uid == (uid_t)pwd->pw_uid)) {
        /* already authenticated */
        break;
    } else if (pwd->pw_passwd[0] == '\0') {
        if (!rootlogin || rootok) {
            /* pretend password okay */
            rval = 0;
            goto ttycheck;
        }
    }
}
fflag = 0;
(void)setpriority(PRIO_PROCESS, 0, -4);
#ifndef NO_PAM
/*
 * Try to authenticate using PAM. If a PAM system error
 * occurs, perhaps because of a botched configuration,
 * then fall back to using traditional Unix authentication.
 */
if ((rval = auth_pam()) == -1)
------------- This returns PAM_SUCCESS since the pam_ldap module has
------------- successfully identified and authenticated the user.
#endif /* NO_PAM */
    rval = auth_traditional();
(void)setpriority(PRIO_PROCESS, 0, 0);
#ifndef NO_PAM
/*
 * PAM authentication may have changed "pwd" to the
 * entry for the template user. Check again to see if
 * this is a root login after all.
 */
if (pwd != NULL && pwd->pw_uid == 0)
    rootlogin = 1;
#endif /* NO_PAM */
ttycheck:
/*
 * If trying to log in as root without Kerberos,
 * but with insecure terminal, refuse the login attempt.
 */
------------- This next if is the problem: pwd == NULL from above,
------------- and the user doesn't get in.
if (pwd && !rval) {
    if (rootlogin && !rootok)
        refused(NULL, "NOROOT", 0);
    else /* valid password & authenticated */
        break;
}
(void)printf("Login incorrect\n");
failures++;
****************************************************************************
1. What would be the right way to fix this?
2. After the user successfully logs in, he still won't have an entry
in the /etc/passwd database, so all syscalls having to do with
identifying the user will fail... How can I have these functions get
their info from LDAP?
I'm willing to patch and submit these programs, but would like some
feedback about the right way to integrate this.
I checked with a friend who uses Linux, and it appears Linux doesn't have
this problem since they use /etc/nsswitch.conf to tell the system
where to get info from. The nsswitch (resolver?) thing seems to
understand LDAP.
Thanks folks,
-Oscar
--
For PGP Public Key: finger [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
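To make the control flow in the quoted excerpt concrete, the following is an added model written for this post (it is not code from login.c). It reduces the post-authentication checks to a pure function so the four outcomes can be compared side by side: the `pwd && !rval` test is what turns a PAM success into "Login incorrect" whenever getpwnam() cannot see the directory user, and the second helper shows why that test cannot simply be dropped, since everything login does next (switching uid/gid, entering the home directory, starting the shell) reads from the passwd record. The sample records are constructed; the "LDAP-only" case is exactly what getpwnam() returns when the directory is not in the lookup path: NULL.

```c
#include <stdio.h>
#include <stddef.h>
#include <pwd.h>
#include <sys/types.h>

/* Added model of the checks in the login.c excerpt; not code from login.c. */
enum login_result { LOGIN_OK, LOGIN_NOROOT, LOGIN_INCORRECT };

/*
 * pwd   : result of getpwnam(); NULL when no source the C library
 *         consults for password lookups knows the name
 * rval  : return of auth_pam()/auth_traditional(); 0 means success
 * rootok: whether root may log in on this terminal
 */
enum login_result login_decision(const struct passwd *pwd, int rval, int rootok)
{
    int rootlogin = (pwd != NULL && pwd->pw_uid == 0);

    if (pwd && !rval) {
        if (rootlogin && !rootok)
            return LOGIN_NOROOT;    /* refused(NULL, "NOROOT", 0) */
        return LOGIN_OK;            /* break: valid password & authenticated */
    }
    return LOGIN_INCORRECT;         /* printf("Login incorrect\n"); failures++ */
}

/*
 * What a session needs from pwd after authentication succeeded: a uid/gid
 * to switch to, a home directory and a shell. With no record there is
 * nothing to become, regardless of what PAM reported.
 */
int session_fields_available(const struct passwd *pwd)
{
    return pwd != NULL && pwd->pw_dir != NULL && pwd->pw_shell != NULL;
}

/* Constructed records standing in for what getpwnam() would return. */
static const struct passwd kLocal = { .pw_name = "oscar", .pw_uid = 1001,
    .pw_gid = 1001, .pw_dir = "/home/oscar", .pw_shell = "/bin/sh" };
static const struct passwd kRoot = { .pw_name = "root", .pw_uid = 0,
    .pw_gid = 0, .pw_dir = "/root", .pw_shell = "/bin/sh" };

int main(void)
{
    const struct passwd *ldap_only = NULL;  /* PAM knows the user, getpwnam() does not */

    printf("PAM ok, local record     : %d\n", login_decision(&kLocal, 0, 0));   /* 0 = LOGIN_OK */
    printf("PAM ok, no passwd record : %d\n", login_decision(ldap_only, 0, 0)); /* 2 = LOGIN_INCORRECT */
    printf("PAM ok, root, insecure   : %d\n", login_decision(&kRoot, 0, 0));    /* 1 = LOGIN_NOROOT */
    printf("PAM failed, local record : %d\n", login_decision(&kLocal, 1, 0));   /* 2 = LOGIN_INCORRECT */
    printf("session buildable without a record: %d\n", session_fields_available(ldap_only)); /* 0 */
    return 0;
}
```

The second case is the one described in the post: authentication succeeded, but login has no account record to build a session from, which is what resolving the user through the system's password lookup (rather than only through PAM) would provide.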