« Return to Thread: Solaris 10
Richard Gilbert wrote:

I have been happily using the PADL pam_ldap with saslauthd on Solaris 8 & 9
systems for many years. I have just started using it on a Solaris 10 system
with saslauthd version 2.1.21 and it looks as though things are a bit
different.
On the other systems I only needed entries in pam.conf specifying pam_ldap.so.1
for auth and account, nothing for session. On the new system I have found that
authentication fails unless I also have a session entry. I appreciate
that the session configuration in pam.conf might still have been used, in
which case pam_unix.so.1 would have been used, but did not impose any
restrictions on the ability of users to login, even though they didn't
have Unix accounts on the machine -- just Cyrus IMAP mailboxes.
A second difference is that I specify a single pam_filter in ldap.conf of
mailhost=gazelle (the name of the new IMAP server). However, in the LDAP
server log file I see that the filter is used twice, e.g.
filter="(&(mailhost=gazelle)(mailhost=gazelle)(uid=xxxx))"
I can't understand the source code but I see
    ssd = session->conf->ssd;
    if (ssd == NULL)
      {
        ssd = &ssdummy;
        ssd->filter = session->conf->filter;
        ssd->base = session->conf->base;
        ssd->scope = session->conf->scope;
        ssd->next = NULL;
      }
so if session->conf->ssd is NULL the filter gets copied and so gets used twice
immediately afterwards by
    snprintf (filter, sizeof filter, "(&(%s)(%s)(%s=%s))",
              ssd->filter, session->conf->filter,
              session->conf->userattr, escapedUser);
So this is two things related to "sessions". Can anybody explain this and,
although I don't suppose there is a performance cost, how to avoid the
pam_filter being duplicated?
Thank you in anticipation.
--
Richard Gilbert
Corporate Information and Computing Services
University of Sheffield, Sheffield, S10 2TN, UK
Phone: +44 114 222 3028 Fax: +44 114 222 3040
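
The filter construction quoted in the post above, reduced to a stand-alone C program (an added example, not part of the original post and not pam_ldap's own code). The struct layouts and function names are hypothetical and model only the fields visible in the quoted snippet; the user name is assumed to be already escaped, and the second function is one possible way to build the filter without the repeated clause.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, cut-down stand-ins for the structures in the quoted snippet. */
struct ssd  { const char *filter; struct ssd *next; };
struct conf { struct ssd *ssd; const char *filter; const char *userattr; };

/* Same logic as the quoted snippet: with no search descriptor configured,
 * the dummy descriptor inherits conf->filter, so that clause appears twice. */
int build_filter_quoted(const struct conf *c, const char *user, char *out, size_t n)
{
    struct ssd dummy, *ssd = c->ssd;
    if (ssd == NULL) {
        ssd = &dummy;
        ssd->filter = c->filter;
        ssd->next = NULL;
    }
    return snprintf(out, n, "(&(%s)(%s)(%s=%s))",
                    ssd->filter, c->filter, c->userattr, user);
}

/* Variant: emit the descriptor filter only when it differs from conf->filter.
 * 'user' must already be escaped for use in an LDAP filter. */
int build_filter_dedup(const struct conf *c, const char *user, char *out, size_t n)
{
    const char *sf = c->ssd ? c->ssd->filter : NULL;
    if (sf != NULL && c->filter != NULL && strcmp(sf, c->filter) != 0)
        return snprintf(out, n, "(&(%s)(%s)(%s=%s))", sf, c->filter, c->userattr, user);
    if (sf == NULL)
        sf = c->filter;
    if (sf != NULL)
        return snprintf(out, n, "(&(%s)(%s=%s))", sf, c->userattr, user);
    return snprintf(out, n, "(%s=%s)", c->userattr, user);
}

int main(void)
{
    char buf[128];
    struct conf c = { NULL, "mailhost=gazelle", "uid" };  /* constructed sample */
    build_filter_quoted(&c, "xxxx", buf, sizeof buf); puts(buf);
    build_filter_dedup(&c, "xxxx", buf, sizeof buf);  puts(buf);
    return 0;
}
```

Both filters match the same entries, since repeating a clause inside an LDAP AND changes nothing logically; the difference is only in what the server has to parse and what shows up in its log.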