On Mon, 2007-08-20 at 17:43 +0200, Yves Martin wrote:
> I really agree that "ldapuser" is not a system user, but I expect the
> "switch_to_user" method to use the "cvs" account.

I have debugged the source code. Here is my analysis in the case of a non-existing account on the local system:

1. pam_set_item PAM_USER succeeds in my installation, so "ldapuser" is never replaced by "DefaultPamUser". To work around this, I have replaced the test call to pam_set_item by getpwnam to check whether the account exists locally, because getpwnam finally fails in switch_to_user.
2. Then check_pam_password replaces "username" (ldapuser) by the "DefaultPamUser" (cvs).
3. In check_password at "handle_return", "CVS_Username" is set to "username" (too late!!) with "cvs" (instead of ldapuser).
4. switch_to_user is called with (ldapuser, cvs).
5. But pam_get_item (pamh, PAM_USER, (const void **)&username) called there replaces "cvs" by "ldapuser" from the PAM context, I guess.
6. As a result getpwnam fails because username == "ldapuser".

The only valid information I have found about the PAM support in Debian cvs is:
http://olympus.het.brown.edu/cgi-bin/info2www?(cvs)Password+authentication+server

I'm working on a patch, but my proposal is not to replace "username" in check_pam_password but to return a "host_user" value for check_password.

In that case, I wonder whether a "map=user" option in the PAM chain is supposed to work or not?

Thank you in advance for your help
--
Yves Martin
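The account-resolution step described in the message above, as an added example that is not CVS source code and not Yves Martin's patch: a helper that decides which local account a PAM-authenticated name should map to (the PAM user itself if it exists locally, otherwise the configured default, otherwise refuse), followed by a privilege drop that looks the account up by the resolved name rather than re-reading PAM_USER from the PAM context. The function names resolve_host_user, resolves_to and switch_to_host_user are hypothetical; "ldapuser" and "cvs" are the names from the thread.

```c
/* Added example (not CVS source): decide which local account a
 * PAM-authenticated name maps to, and switch to it only after verifying
 * with getpwnam that it exists. Hypothetical helper names. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return value: 0 = pam_user exists locally and was chosen,
 *               1 = pam_user missing locally, default_user chosen,
 *              -1 = neither exists; the caller must refuse the login. */
static int resolve_host_user(const char *pam_user, const char *default_user,
                             char *host_user, size_t host_user_len)
{
    if (pam_user && getpwnam(pam_user) != NULL) {
        snprintf(host_user, host_user_len, "%s", pam_user);
        return 0;
    }
    if (default_user && getpwnam(default_user) != NULL) {
        snprintf(host_user, host_user_len, "%s", default_user);
        return 1;
    }
    host_user[0] = '\0';
    return -1;
}

/* Convenience wrapper for checks: resolve and confirm the chosen name.
 * Returns the resolve_host_user code, or -1 if the name does not match. */
static int resolves_to(const char *pam_user, const char *default_user,
                       const char *expected)
{
    char buf[64];
    int how = resolve_host_user(pam_user, default_user, buf, sizeof buf);
    return (how >= 0 && strcmp(buf, expected) == 0) ? how : -1;
}

/* Drop privileges to host_user: look it up again by the resolved name (not
 * via pam_get_item), set supplementary groups, gid, then uid, and verify
 * that the switch took effect before continuing. */
static int switch_to_host_user(const char *host_user)
{
    struct passwd *pw = getpwnam(host_user);
    if (pw == NULL) {
        fprintf(stderr, "no local account '%s'\n", host_user);
        return -1;
    }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
        fprintf(stderr, "cannot switch to %s: %s\n", host_user,
                strerror(errno));
        return -1;
    }
    /* Refuse to continue if the drop did not stick or root can be regained. */
    if (getuid() != pw->pw_uid || (pw->pw_uid != 0 && setuid(0) == 0)) {
        fprintf(stderr, "privilege drop to %s did not take effect\n",
                host_user);
        return -1;
    }
    return 0;
}

int main(void)
{
    char host[64];
    /* On most systems only the "cvs" fallback will resolve, which is
     * exactly the situation discussed in the thread. */
    int how = resolve_host_user("ldapuser", "cvs", host, sizeof host);
    if (how < 0) {
        fprintf(stderr, "neither ldapuser nor cvs exists locally; refusing\n");
        return 1;
    }
    printf("switching to %s (%s)\n", host,
           how ? "DefaultPamUser fallback" : "PAM user");
    return switch_to_host_user(host) == 0 ? 0 : 1;
}
```

The point of returning a separate host_user value is that the name used for the uid/gid switch is fixed once, from a local lookup, and is never overwritten afterwards by whatever PAM_USER currently holds in the PAM context; the post-switch check makes a silent failure of setuid visible instead of letting the server keep running with its original privileges.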
