List:       pamldap
Subject:    [pamldap] Solaris 10
From:       Richard Gilbert <R.Gilbert () sheffield ! ac ! uk>
Date:       2006-06-20 14:32:43
Message-ID: Pine.LNX.4.64.0606201526200.3775 () dyn017208 ! shef ! ac ! uk

I have been happily using the PADL pam_ldap with saslauthd on Solaris 8 & 9 
systems for many years.  I have just started using it on a Solaris 10 system 
with saslauthd version 2.1.21 and it looks as though things are a bit 
different.

On the other systems I only needed entries in pam.conf specifying pam_ldap.so.1 
for auth and account, nothing for session.  On the new system I have found that 
authentication fails unless I also have a session entry.  I appreciate 
that the session configuration in pam.conf might still have been used, in 
which case pam_unix.so.1 would have been used, but did not impose any 
restrictions on the ability of users to log in, even though they didn't 
have Unix accounts on the machine -- just Cyrus IMAP mailboxes.

A second difference is that I specify a single pam_filter in ldap.conf of 
mailhost=gazelle (the name of the new IMAP server).  However, in the LDAP 
server log file I see that the filter is used twice, e.g.

filter="(&(mailhost=gazelle)(mailhost=gazelle)(uid=xxxx))"

I can't understand the source code but I see

   ssd = session->conf->ssd;
   if (ssd == NULL)
     {
       ssd = &ssdummy;
       ssd->filter = session->conf->filter;
       ssd->base = session->conf->base;
       ssd->scope = session->conf->scope;
       ssd->next = NULL;
     }

so if session->conf->ssd is NULL the filter gets copied and so gets used twice 
immediately afterwards by

       snprintf (filter, sizeof filter, "(&(%s)(%s)(%s=%s))",
                 ssd->filter, session->conf->filter,
                 session->conf->userattr, escapedUser);

So this is two things related to "sessions".  Can anybody explain this and, 
although I don't suppose there is a performance cost, how to avoid the 
pam_filter being duplicated?

Thank you in anticipation.

--
Richard Gilbert
Corporate Information and Computing Services
University of Sheffield, Sheffield, S10 2TN, UK
Phone: +44 114 222 3028   Fax: +44 114 222 3040
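
Added example, not part of the original message and not pam_ldap's own code: a stand-alone C model of the filter construction quoted above, next to a variant that emits each distinct clause once. The struct layouts, the function names and the `fits` helper are assumptions made for illustration; the quoted path is modelled only for the case where `conf->filter` is set.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the pam_ldap structures quoted in the message. */
struct ssd  { const char *filter; struct ssd *next; };
struct conf { struct ssd *ssd; const char *filter; const char *userattr; };

/* 0 if snprintf wrote the whole filter, -1 on error or truncation. */
static int fits(int n, size_t len) { return (n >= 0 && (size_t)n < len) ? 0 : -1; }

/* Mirrors the quoted logic: with conf->ssd == NULL the dummy descriptor
   inherits conf->filter, so the same clause is emitted twice.
   `user` is assumed to be already escaped, like escapedUser. */
int build_filter_as_quoted(const struct conf *c, const char *user,
                           char *out, size_t len)
{
    struct ssd dummy, *ssd = c->ssd;
    if (ssd == NULL) {
        ssd = &dummy;
        ssd->filter = c->filter;
        ssd->next = NULL;
    }
    return fits(snprintf(out, len, "(&(%s)(%s)(%s=%s))",
                         ssd->filter, c->filter, c->userattr, user), len);
}

/* Variant: emit each distinct, non-NULL clause once. */
int build_filter_dedup(const struct conf *c, const char *user,
                       char *out, size_t len)
{
    const char *sf = c->ssd ? c->ssd->filter : NULL, *gf = c->filter;
    if (sf && gf && strcmp(sf, gf) == 0)
        sf = NULL;                      /* identical clause: keep one copy */
    if (sf && gf)
        return fits(snprintf(out, len, "(&(%s)(%s)(%s=%s))",
                             sf, gf, c->userattr, user), len);
    if (sf || gf)
        return fits(snprintf(out, len, "(&(%s)(%s=%s))",
                             sf ? sf : gf, c->userattr, user), len);
    return fits(snprintf(out, len, "(%s=%s)", c->userattr, user), len);
}

int main(void)
{
    char buf[128];
    struct conf c = { NULL, "mailhost=gazelle", "uid" };  /* values from the message */
    if (build_filter_as_quoted(&c, "xxxx", buf, sizeof buf) == 0) puts(buf);
    if (build_filter_dedup(&c, "xxxx", buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```

Both filters match the same entries, since an AND of a clause with itself is equivalent to the clause alone; the truncation check matters because a cut-off filter string is no longer the filter that was configured.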