[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM authentication failure

From: Yves Martin
Subject: Re: PAM authentication failure
Date: Tue, 21 Aug 2007 11:33:07 +0200

On Mon, 2007-08-20 at 17:43 +0200, Yves Martin wrote:

> I really agrees that "ldapuser" is not a system user, but I expect the
> "switch_to_user" method to use "cvs" account.

I have debugged the source code. Here is my analysis in case of a non
existing account on the local system:

1. pam_set_item PAM_USER succeeds in my installation, so "ldapuser" is
never replace by "DefaultPamUser". To work-around, I have replaced the
test-call to pam_set_item by getpwnam to check if the account exists
locally - because getpwnam finally fails in switch_to_user.

2. then check_pam_password replaces "username" (ldapuser) by the
"DefaultPamUser" (cvs)
3. check_password at "handle_return", "CVS_Username" is set to
"username" (too late !!) with "cvs" (instead of ldapuser)
4. switch_to_user is called with (ldapuser, cvs)
5. but pam_get_item (pamh, PAM_USER, (const void **)&username) called
there replaces "cvs" by "ldapuser" from the pam context I guess.
6. as a result getpwnam failed because username == "ldapupser"

The only valid information I have found about the PAM support in Debian
cvs is:

I'm working on a patch but my proposal is not to replace "username" in
check_pam_password but to return a "host_user" value for check_password.
In that case, I wonder if a "map=user" option in the PAM chain is
supposed to work or not ?

Thank you in advance for your help
Yves Martin

reply via email to

[Prev in Thread] Current Thread [Next in Thread]