From owner-freebsd-hackers Fri Jul 16 7:13:32 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from voyager.fisicc-ufm.edu (ip-46-094.guate.net [200.12.46.94]) by hub.freebsd.org (Postfix) with ESMTP id 3A54214E3D for ; Fri, 16 Jul 1999 07:13:12 -0700 (PDT) (envelope-from obonilla@voyager.fisicc-ufm.edu)
Received: (from obonilla@localhost) by voyager.fisicc-ufm.edu (8.9.3/8.9.3) id UAA15071 for freebsd-hackers@freebsd.org; Thu, 15 Jul 1999 20:03:36 -0600 (CST) (envelope-from obonilla)
Date: Thu, 15 Jul 1999 20:03:36 -0600
From: Oscar Bonilla
To: freebsd-hackers@freebsd.org
Subject: PAM & LDAP in FreeBSD
Message-ID: <19990715200336.A15050@fisicc-ufm.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

While trying to use the pam_ldap module available from www.padl.com I
discovered the following problem. Although the module authenticates just
fine (using OpenLDAP), the login program fails to permit logins.

I traced the problem to login.c --- the following code is from login.c;
my questions are at the bottom.

****************************************************************************

        pwd = getpwnam(username);

--------- at this point pwd == NULL due to the fact that the user
--------- does not exist on the local passwd database... see below

        /*
         * if we have a valid account name, and it doesn't have a
         * password, or the -f option was specified and the caller
         * is root or the caller isn't changing their uid, don't
         * authenticate.
         */
        if (pwd != NULL) {
            if (pwd->pw_uid == 0)
                rootlogin = 1;

            if (fflag && (uid == (uid_t)0 ||
                uid == (uid_t)pwd->pw_uid)) {
                /* already authenticated */
                break;
            } else if (pwd->pw_passwd[0] == '\0') {
                if (!rootlogin || rootok) {
                    /* pretend password okay */
                    rval = 0;
                    goto ttycheck;
                }
            }
        }

        fflag = 0;

        (void)setpriority(PRIO_PROCESS, 0, -4);

#ifndef NO_PAM
        /*
         * Try to authenticate using PAM.  If a PAM system error
         * occurs, perhaps because of a botched configuration,
         * then fall back to using traditional Unix authentication.
         */
        if ((rval = auth_pam()) == -1)

------------- This returns PAM_SUCCESS since the pam_ldap module has
------------- successfully identified and authenticated the user.

#endif /* NO_PAM */
            rval = auth_traditional();

        (void)setpriority(PRIO_PROCESS, 0, 0);

#ifndef NO_PAM
        /*
         * PAM authentication may have changed "pwd" to the
         * entry for the template user.  Check again to see if
         * this is a root login after all.
         */
        if (pwd != NULL && pwd->pw_uid == 0)
            rootlogin = 1;
#endif /* NO_PAM */

    ttycheck:
        /*
         * If trying to log in as root without Kerberos,
         * but with insecure terminal, refuse the login attempt.
         */

------------- This next if is the problem: pwd == NULL from above,
------------- and the user doesn't get in.

        if (pwd && !rval) {
            if (rootlogin && !rootok)
                refused(NULL, "NOROOT", 0);
            else    /* valid password & authenticated */
                break;
        }

        (void)printf("Login incorrect\n");
        failures++;

****************************************************************************

1. What would be the right way to fix this?

2. After the user successfully logs in he still won't have an entry in
   the /etc/passwd database, so all syscalls having to do with
   identifying the user will fail... how can I have these functions get
   their info from LDAP?

I'm willing to patch and submit these programs, but would like some
feedback about the right way to integrate this.

I checked with a friend who uses Linux, and it appears Linux doesn't
have this problem since they use the /etc/nsswitch.conf to tell the
system where to get info from. The nsswitch (resolver?) thing seems to
understand LDAP.

Thanks folks,

-Oscar

--
For PGP Public Key: finger obonilla@fisicc-ufm.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
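As an added illustration (not code from the post above and not FreeBSD's login.c), the quoted decision logic rewritten as a stand-alone function so each path can be exercised: `pwd` stands in for the result of getpwnam(), `pam_rval` for what auth_pam() returned and `trad_rval` for the auth_traditional() fallback. The reported case (PAM succeeds but getpwnam() returns NULL) ends in "Login incorrect" because login still needs a passwd entry to know which uid, gid, home and shell to switch to; that is why the fix lives in the name-service lookup, not in the `pwd && !rval` check.

```c
#include <stddef.h>
#include <sys/types.h>

/* Outcome of one pass through the login.c logic quoted in the post. */
enum login_result { LOGIN_ACCEPT, LOGIN_REFUSE_NOROOT, LOGIN_INCORRECT };

/* Constructed stand-in for the fields of struct passwd that the logic reads. */
struct fake_pwd {
    uid_t       pw_uid;
    const char *pw_passwd;
};

/*
 * Mirror of the quoted control flow.
 *   pwd        result of getpwnam(): NULL when neither the local passwd
 *              database nor NSS knows the account
 *   fflag      login -f was given; caller_uid is the invoking uid
 *   rootok     root login allowed on this terminal
 *   pam_rval   auth_pam(): 0 success, -1 PAM system error, else failure
 *   trad_rval  auth_traditional(), used only when pam_rval == -1
 */
enum login_result decide_login(const struct fake_pwd *pwd, int fflag,
                               uid_t caller_uid, int rootok,
                               int pam_rval, int trad_rval)
{
    int rootlogin = 0;
    int rval;

    if (pwd != NULL) {
        if (pwd->pw_uid == 0)
            rootlogin = 1;
        if (fflag && (caller_uid == 0 || caller_uid == pwd->pw_uid))
            return LOGIN_ACCEPT;                /* already authenticated */
        if (pwd->pw_passwd[0] == '\0' && (!rootlogin || rootok))
            return LOGIN_ACCEPT;                /* empty password: pretend ok */
    }

    rval = pam_rval;
    if (rval == -1)                             /* PAM broken: fall back */
        rval = trad_rval;

    /* PAM may have swapped pwd for a template user; recheck uid 0. */
    if (pwd != NULL && pwd->pw_uid == 0)
        rootlogin = 1;

    /* ttycheck: a NULL pwd never gets in, whatever PAM said. */
    if (pwd != NULL && rval == 0)
        return (rootlogin && !rootok) ? LOGIN_REFUSE_NOROOT : LOGIN_ACCEPT;

    return LOGIN_INCORRECT;
}
```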