On Fri, 2010-06-25 at 23:38 +0200, Arthur de Jong wrote:
> For the coming release of libpam-ldapd I've moved pam_ldap to additional
> because it does not do all the authorisation checks that pam_unix does
> and I believe providing LDAP shadow information is the most common
> configuration.
Since squeeze has been released, do you think it is time to re-visit the use of the primary and additional sections when doing authorisation?

A reason to have separate sections for authorisation would be to have some separation between local and remote checks (to provide quick answers for local users when the network is down). Then again, who's to say that some remote service couldn't enforce a policy for local users? Also, primary and additional do not currently provide that separation.

For authentication the use-case is pretty clear. There should be one primary module that provides a definitive answer and the additional ones are mainly ones that do extra checks (some should probably use session instead but may be in authentication for practical reasons).

For authorisation at least one module should grant access and no module should refuse access (we can safely ignore modules that say user unknown or similar).

I'm not sure about the session stage though. I would expect it to work similarly to authorisation, but perhaps the outcome of the stack is less interesting.

I'm not much of an expert on PAM so I may have missed a few things.

-- 
arthur - adej...@debian.org - http://people.debian.org/~adejong
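The rules stated in the post ("at least one module should grant access and no module should refuse access", with user-unknown results ignored) are a consequence of how the account stack is evaluated, and the primary/additional placement decides whether a module ever gets the chance to refuse. The following added illustration is not code from the post, from Debian's pam-auth-update or from nss-pam-ldapd: it is a small Python model of Linux-PAM stack evaluation whose action semantics (ignore, ok, done, bad, die, and a number N meaning ok plus skip the next N modules) follow the descriptions in pam.conf(5). The two stacks, the module return codes and the helper names (evaluate_stack, local_user, ldap_user_expired, unknown_user) are constructed for the example; the stack layout only mimics the primary/additional shape pam-auth-update writes, and the fallback of treating unlisted values as bad is an assumption.

```python
"""Simplified model of how Linux-PAM evaluates one management-group stack
(here the account/authorisation stack) from the modules' return codes and
the control field in front of each module.

Added illustration, not code from the post, from Debian's pam-auth-update
or from nss-pam-ldapd.  The action semantics (ignore, ok, done, bad, die,
and N = ok plus skip the next N modules) follow pam.conf(5); the stacks,
module names and per-module return codes below are constructed.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"

# The four classic keywords expressed as [value=action] maps (pam.conf(5)).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """'required' or '[success=1 default=ignore]' -> {value: action}."""
    control = KEYWORDS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control field: %r" % control)
    return dict(item.split("=", 1) for item in control[1:-1].split())


def evaluate_stack(stack, results):
    """Walk the stack and return the status handed back to the application.

    stack:   list of (control, module) lines in file order
    results: module -> return code that module produces for this user
    """
    impression = None          # None: undefined, True: positive, False: negative
    status = PAM_PERM_DENIED   # a stack where nothing contributes fails closed
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        retval = results[module]
        actions = parse_control(control)
        # value names are the PAM_* codes lower-cased without the prefix;
        # unlisted values use 'default' (assumed 'bad' when that is absent too)
        action = actions.get(retval[4:].lower(), actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done") or action.isdigit():
            # 'ok': this module's code becomes the stack status unless a
            # failure has already been recorded
            if impression is None or (impression and status == PAM_SUCCESS):
                impression = retval == PAM_SUCCESS
                status = retval
            if action == "done":
                break
            if action.isdigit():
                i += int(action)   # jump: skip the next N modules
        elif action in ("bad", "die"):
            # the first failure fixes the stack's status
            if impression is not False:
                impression = False
                status = retval
            if action == "die":
                break
        else:
            raise ValueError("unsupported action %r" % action)
    return status


# Constructed layout in the shape pam-auth-update writes: a "primary" block
# where a success jumps over pam_deny, pam_permit priming the result, then
# the "additional" modules, which always run and can only veto.
LDAP_ADDITIONAL = [
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
    ("[success=ok user_unknown=ignore default=bad]", "pam_ldap.so"),
]

# The same modules with pam_ldap placed in the primary block instead.
LDAP_PRIMARY = [
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_ldap.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]

# pam_deny's account hook fails unconditionally; pam_permit always succeeds.
BASE = {"pam_deny.so": PAM_ACCT_EXPIRED, "pam_permit.so": PAM_SUCCESS}


def local_user(stack):
    """pam_unix knows the user, LDAP does not: user_unknown is ignored."""
    return evaluate_stack(stack, dict(BASE, **{"pam_unix.so": PAM_SUCCESS,
                                               "pam_ldap.so": PAM_USER_UNKNOWN}))


def ldap_user_expired(stack):
    """Shadow data passes pam_unix, but pam_ldap's own check refuses."""
    return evaluate_stack(stack, dict(BASE, **{"pam_unix.so": PAM_SUCCESS,
                                               "pam_ldap.so": PAM_ACCT_EXPIRED}))


def unknown_user(stack):
    """No module grants access, so pam_deny decides."""
    return evaluate_stack(stack, dict(BASE, **{"pam_unix.so": PAM_USER_UNKNOWN,
                                               "pam_ldap.so": PAM_USER_UNKNOWN}))


if __name__ == "__main__":
    for name, stack in (("additional", LDAP_ADDITIONAL), ("primary", LDAP_PRIMARY)):
        print(name, local_user(stack), ldap_user_expired(stack), unknown_user(stack))
```

Running it shows the difference the placement makes: with pam_ldap in the additional block a refusal from pam_ldap (here PAM_ACCT_EXPIRED) denies access even though pam_unix granted it, while with pam_ldap in the primary block pam_unix's success jumps straight over pam_ldap and pam_deny, so pam_ldap's refusal is never consulted. In both layouts a user that no module grants is stopped by pam_deny, and a user_unknown answer from pam_ldap changes nothing. The model leaves out substacks, the cached-chain handling and new_authtok_reqd propagation, so check any real policy against the actual Linux-PAM behaviour rather than this script.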