info-cvs

Re: PAM authentication failure


From: Yves Martin
Subject: Re: PAM authentication failure
Date: Tue, 21 Aug 2007 11:33:07 +0200

On Mon, 2007-08-20 at 17:43 +0200, Yves Martin wrote:

> I really agree that "ldapuser" is not a system user, but I expect the
> "switch_to_user" method to use "cvs" account.

I have debugged the source code. Here is my analysis in case of a
non-existing account on the local system:

1. pam_set_item PAM_USER succeeds in my installation, so "ldapuser" is
never replaced by "DefaultPamUser". To work around this, I have replaced the
test-call to pam_set_item by getpwnam to check if the account exists
locally - because getpwnam finally fails in switch_to_user.

2. then check_pam_password replaces "username" (ldapuser) by the
"DefaultPamUser" (cvs)
3. check_password at "handle_return", "CVS_Username" is set to
"username" (too late !!) with "cvs" (instead of ldapuser)
4. switch_to_user is called with (ldapuser, cvs)
5. but pam_get_item (pamh, PAM_USER, (const void **)&username) called
there replaces "cvs" by "ldapuser" from the pam context I guess.
6. as a result getpwnam failed because username == "ldapuser"

The only valid information I have found about the PAM support in Debian
cvs is:
http://olympus.het.brown.edu/cgi-bin/info2www?(cvs)Password+authentication+server

I'm working on a patch but my proposal is not to replace "username" in
check_pam_password but to return a "host_user" value for check_password.
In that case, I wonder if a "map=user" option in the PAM chain is
supposed to work or not?

Thank you in advance for your help
-- 
Yves Martin
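
The sequence analyzed in the message above, modeled beside the proposed separate "host_user" value. This is an added illustration, not CVS or Linux-PAM source code: the PAM handle is a stub, the account table is constructed, and every function and struct name is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed host account table: only "cvs" exists locally (assumption). */
static int local_account_exists(const char *name)
{
    return name != NULL && strcmp(name, "cvs") == 0;
}

/* Stub standing in for a PAM handle: PAM_USER is the name given at login. */
struct pam_stub { const char *pam_user; };

/* Hypothetical result type: login identity and host account kept apart. */
struct auth_result { const char *cvs_username; const char *host_user; };

/* Steps 4-6 as analyzed: the host user passed in is overwritten by the
 * PAM_USER item, so the account lookup runs on the LDAP-only name. */
static const char *switch_user_via_pam_item(const struct pam_stub *pamh,
                                            const char *host_user)
{
    host_user = pamh->pam_user;          /* "cvs" becomes "ldapuser" again */
    return local_account_exists(host_user) ? host_user : NULL;
}

/* Proposal from the message, modeled: leave the login name untouched and
 * return the fallback account as a separate host_user value. */
static struct auth_result check_password_model(const char *login,
                                               const char *default_pam_user)
{
    struct auth_result r = { login, login };
    if (!local_account_exists(login))
        r.host_user = default_pam_user;
    return r;
}

/* Switch using only the explicit host_user, never the PAM item. */
static const char *switch_user_explicit(const struct auth_result *r)
{
    return local_account_exists(r->host_user) ? r->host_user : NULL;
}

int main(void)
{
    struct pam_stub pamh = { "ldapuser" };
    struct auth_result r = check_password_model("ldapuser", "cvs");
    const char *a = switch_user_via_pam_item(&pamh, "cvs");
    printf("via PAM item: %s\n", a ? a : "(lookup failed)");
    printf("explicit: login=%s host=%s\n", r.cvs_username, switch_user_explicit(&r));
    return 0;
}
```

Keeping the two names separate also preserves the authenticated login name for anything that records who acted, while the process itself runs as the fallback account.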


