> > What exactly is the problem under consideration that
> > (given the appropriate modules) PAM doesn't solve?
> 
> Just one, IMHO. PAM needs root access.

Interesting that your one problem is different from Lawrence 
Greenfeld's.

PAM only needs root access if it's authenticating off /etc/shadow. Few 
medium-to-large scale operations today distribute passwords via NIS to 
shadow files. Most, like mine, use LDAP, and you can authenticate off 
an LDAP database without being root. For a very secure setup, hash the 
passwords in the LDAP database (gives shadow-like security) and grant 
compare access to your client machines (allows them to authenticate 
without even read access).
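
The compare-only arrangement described in the message above, written out as access rules. This is an added example, not part of the original message: it assumes an OpenLDAP server configured through slapd.conf, and the service-account DN is a hypothetical placeholder.

```conf
# Constructed example; the DNs below are hypothetical placeholders.

# Weak setting, shown commented out for contrast: every client that can
# query the directory can also read the stored password hashes.
#access to attrs=userPassword
#    by self write
#    by * read

# Tighter setting: the account used by the client machines may only ask
# the server whether a supplied value matches (compare). It cannot read
# the stored hash, and nobody else gets anything beyond binding.
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.exact="cn=authclient,ou=services,dc=example,dc=com" compare
    by * none

# Remaining attributes stay readable so account lookups (uid, home
# directory, shell) keep working for the clients.
access to *
    by * read
```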
