Calling pam_ldap more than once


Calling pam_ldap more than once

by Paul Khavkine




Hi folks.


I'm trying to figure out if it's possible to call pam_ldap more than
once, like:

auth  sufficient  /usr/local/lib/pam_ldap.so config=/path/to/conf1.conf
auth  sufficient  /usr/local/lib/pam_ldap.so config=/path/to/conf2.conf


I have tried it but it doesn't seem to work.
Would this be possible?


Thanx
Paul




Re: Calling pam_ldap more than once

by Paul Khavkine


On Thu, 2006-05-18 at 16:17 -0400, Paul Khavkine wrote:

>
> Hi folks.
>
>
> I'm trying to figure out if it's possible to call pam_ldap more than
> once, like:
>
> auth  sufficient  /usr/local/lib/pam_ldap.so config=/path/to/conf1.conf
> auth  sufficient  /usr/local/lib/pam_ldap.so config=/path/to/conf2.conf
>
>
> I have tried it but it doesn't seem to work.
> Would this be possible?
>
>
> Thanx
> Paul
>
Hello.


It seems that I'll have to answer my question myself.

Here's a bit of a background:

We had an OpenLDAP server fail because of an application that was piling
up open connections to the LDAP server. Eventually it ran out of file
descriptors and became unstable. We have a replica server that our
applications using PAM were configured to use as a failover host, like
our mail server.

However, the first LDAP server would accept TCP connections and
sometimes even return partial data, so the configured PAM module
was not failing over properly, since it was failing in ldap_result()
and not in ldap_init().

To get around it, I have tried to use 2 pam_ldap instances with 2 config
files having different "host" configs for the 2 servers,
like the following:

auth sufficient config=/path/to/conf1.conf
auth sufficient config=/path/to/conf2.conf use_first_pass


This did not work, however; the second instance did not seem to be
called.

After looking at the code and doing some debugging, I found that it
did indeed run, but the config file was never re-read, so it kept
connecting to the first LDAP server for both instances.

I'm not sure if it's a bug or not, but the caching code
inside the pam_ldap_get_session() function doesn't clear the config
structure in the case where the config file is different from the previous
invocation (after calling pam_get_data()).

Is there any reason why it would do that?
If not, I have a patch that will fix that.


Thanx
Paul




Re: Re: Calling pam_ldap more than once

by Andrew Morgan


On Fri, 19 May 2006, Paul Khavkine wrote:

> On Thu, 2006-05-18 at 16:17 -0400, Paul Khavkine wrote:
>>
>> Hi folks.
>>
>>
>> I'm trying to figure out if it's possible to call pam_ldap more than
>> once, like:
>>
>> auth  sufficient  /usr/local/lib/pam_ldap.so config=/path/to/conf1.conf
>> auth  sufficient  /usr/local/lib/pam_ldap.so config=/path/to/conf2.conf
>>
>>
>> I have tried it but it doesn't seem to work.
>> Would this be possible?
>>
>>
>> Thanx
>> Paul
>>
>
> Hello.
>
>
> It seems that I'll have to answer my question myself.
>
> Here's a bit of a background:
>
> We had an OpenLDAP server fail because of an application that was piling
> up open connections to the LDAP server. Eventually it ran out of file
> descriptors and became unstable. We have a replica server that our
> applications using PAM were configured to use as a failover host, like
> our mail server.
>
> However, the first LDAP server would accept TCP connections and
> sometimes even return partial data, so the configured PAM module
> was not failing over properly, since it was failing in ldap_result()
> and not in ldap_init().
>
> To get around it, I have tried to use 2 pam_ldap instances with 2 config
> files having different "host" configs for the 2 servers,
> like the following:
>
> auth sufficient config=/path/to/conf1.conf
> auth sufficient config=/path/to/conf2.conf use_first_pass
>
>
> This did not work, however; the second instance did not seem to be
> called.
>
> After looking at the code and doing some debugging, I found that it
> did indeed run, but the config file was never re-read, so it kept
> connecting to the first LDAP server for both instances.
>
> I'm not sure if it's a bug or not, but the caching code
> inside the pam_ldap_get_session() function doesn't clear the config
> structure in the case where the config file is different from the previous
> invocation (after calling pam_get_data()).
>
> Is there any reason why it would do that?
> If not, I have a patch that will fix that.

Since pam_ldap is implemented as a .so library, maybe it can't be loaded
twice differently?  Have you tried making a copy of libpam_ldap.so under a
different name (libpam_ldap2.so?) and referencing that in your pam.conf?

  Andy

Re: Re: Calling pam_ldap more than once

by Luke Howard



The problem is that pam_ldap caches session information and so cannot
be instantiated multiple times in a stack.

-- Luke

--

RE: Re: Calling pam_ldap more than once

by Paul Khavkine


RE: [pamldap] Re: Calling pam_ldap more than once

Yes, I figured that, but when you cache, and the module gets called with a different
config file, then the cache can be considered no good anymore, so there's little
use in that. I made a patch that detects a config file name change, so in that case
it will invalidate the cache.
This will permit caching connection info as long as the config file doesn't change
and using the new file if it does, so you can fail over on a per-instance basis instead
of just when you bind to the server.

I can post it if you like.

Paul



-----Original Message-----
From: Luke Howard [lukeh@...]
Sent: Tue 5/23/2006 1:22 AM
To: morgan@...
Cc: Paul Khavkine; pamldap@...
Subject: Re: [pamldap] Re: Calling pam_ldap more than once


The problem is that pam_ldap caches session information and so cannot
be instantiated multiple times in a stack.

-- Luke

--
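The cache behaviour Paul describes in his second message, and the fix he outlines above, modelled as an added example: this is a hypothetical stand-in written for this thread, not pam_ldap's own code. It assumes a session cache that persists across stack entries (as pam_get_data()/pam_set_data() would provide), a constructed read_host() in place of real config-file parsing, and the two config paths from the thread.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not pam_ldap's own code) of the per-handle session
 * cache this thread describes: state survives across stack entries, as it
 * would via pam_get_data()/pam_set_data(), keyed here by the config= path. */
typedef struct {
    char config_path[128];   /* config file this session was built from */
    char host[64];           /* "host" directive read from that file */
} ldap_session;

/* Constructed stand-in for parsing the "host" directive, so the example
 * runs offline without real config files or an LDAP server. */
static const char *read_host(const char *config_path)
{
    if (strcmp(config_path, "/path/to/conf1.conf") == 0) return "ldap1.example";
    if (strcmp(config_path, "/path/to/conf2.conf") == 0) return "ldap2.example";
    return "unknown";
}

/* Returns the cached session. With check_config set, a different config
 * path invalidates the cache and forces a re-read (the fix Paul describes);
 * with it clear, the first config wins for every later stack entry (the bug). */
ldap_session *get_session(ldap_session **cache, const char *config_path, int check_config)
{
    if (*cache != NULL) {
        if (!check_config || strcmp((*cache)->config_path, config_path) == 0)
            return *cache;
        free(*cache);            /* config changed: old connection info is stale */
        *cache = NULL;
    }
    ldap_session *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    strncpy(s->config_path, config_path, sizeof s->config_path - 1);
    strncpy(s->host, read_host(config_path), sizeof s->host - 1);
    *cache = s;
    return s;
}

/* Walks the two-entry stack from the thread and returns 1 only when the
 * second entry would really contact the second ("failover") server. */
int stack_fails_over(int check_config)
{
    ldap_session *cache = NULL, *s;
    char first[64], second[64];
    if ((s = get_session(&cache, "/path/to/conf1.conf", check_config)) == NULL) return 0;
    strcpy(first, s->host);
    if ((s = get_session(&cache, "/path/to/conf2.conf", check_config)) == NULL) return 0;
    strcpy(second, s->host);
    free(cache);
    return strcmp(first, "ldap1.example") == 0 && strcmp(second, "ldap2.example") == 0;
}
```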


RE: Re: Calling pam_ldap more than once

by spidee


>Hi
>Yes, I figured that, but when you cache, and the module gets called with a different
>config file, then the cache can be considered no good anymore, so there's little
>use in that. I made a patch that detects a config file name change, so in that case
>it will invalidate the cache.
>This will permit caching connection info as long as the config file doesn't change
>and using the new file if it does, so you can fail over on a per-instance basis instead
>of just when you bind to the server.
>
>I can post it if you like.
>
>Paul

Would like to see the patch if poss. I need to call two different ldap servers in our pam ldap configuration. Both servers have different schemas, one holds the password and the other holds all the posixAccount stuff. Cheers,
