Re: LDAP+Kerberos
- To: heimdal-discuss@sics.se
- Subject: Re: LDAP+Kerberos
- From: Brian May <bam@snoopy.apana.org.au>
- Date: 06 Dec 2000 18:05:12 +1100
- In-Reply-To: Nicolas Williams's message of "Tue, 28 Nov 2000 11:43:14 -0500"
- References: <3A14F323.6050109@ite.mh.se><20001117094258.Q13223@sm2p1386swk.wdr.com><84hf55lrqb.fsf@snoopy.apana.org.au><20001120103732.B13223@sm2p1386swk.wdr.com><84zoik3nh1.fsf@snoopy.apana.org.au><20001128114312.Z22005@sm2p1386swk.wdr.com>
- Sender: owner-heimdal-discuss@sics.se
- User-Agent: Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Capitol Reef)
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@ubsw.com> writes:

Nicolas> No. NSS does that and is not related to PAM in any direct
Nicolas> way (except that PAM modules use getpwnam() and
Nicolas> getspnam() which would be implemented by NSS, if you have
Nicolas> NSS -- see nsswitch.conf(5)).

Nicolas> The 'account' service is for authorization, as in whether
Nicolas> the user is allowed to login to the application in
Nicolas> question. It's also used to indicate to the application
Nicolas> such things as whether the user's password has expired and
Nicolas> so must be changed.

Oh.. yeah... of course... I knew that ;-)

Nicolas> All of them do. The use_first_password argument tells the
Nicolas> given module to use the first password the user typed in
Nicolas> and prompt for no other passwords, even if the first
Nicolas> password was incorrect.

Nicolas> As opposed to try_first_password which tells the given
Nicolas> module to try the first password typed in by the user and
Nicolas> that, if that password is incorrect, then the module is
Nicolas> free to prompt for additional passwords.

Nicolas> The absence of either argument allows modules to prompt
Nicolas> for passwords without testing the first password typed in
Nicolas> by the user.

Wow! I often thought this was... errr... questionable prompting for
the password multiple times. However, I never realized that this
behaviour could be changed.

Thanks for the tip.

To add to my "remember this" list:

try_first_pass
use_first_pass
--
Brian May <bam@snoopy.apana.org.au>
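
An added example, not part of the original message: a small checker that reads the `auth` lines of a PAM service file and reports which modules after the first would prompt again because they carry neither `try_first_pass` nor `use_first_pass`, following the three cases described in the quoted text. The sample service file, its module order and the function names are constructed for illustration.

```python
# Constructed sample service file (assumption: Kerberos, then LDAP, then
# local files); it is not taken from the thread.
SAMPLE = """\
# auth stack for a hypothetical login service
auth     sufficient                 pam_krb5.so
auth     sufficient                 pam_ldap.so
auth     [success=ok default=bad]   pam_unix.so  try_first_pass
account  required                   pam_unix.so
"""


def parse_auth_stack(text):
    """Return [(module, mode)] for the auth lines, in stack order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        i = 1
        if fields[i].startswith("["):
            # A bracketed control field may contain spaces; find its end.
            while i < len(fields) and not fields[i].endswith("]"):
                i += 1
        elif fields[i] in ("include", "substack"):
            continue                               # other files are not followed
        if i + 1 >= len(fields):
            continue                               # malformed line, no module
        module, args = fields[i + 1], fields[i + 2:]
        if "use_first_pass" in args:
            mode = "use_first_pass"    # reuse the stored password, never prompt
        elif "try_first_pass" in args:
            mode = "try_first_pass"    # reuse it, prompt only if it fails
        else:
            mode = "prompt"            # free to prompt on its own
        stack.append((module, mode))
    return stack


def reprompting_modules(text):
    """Modules after the first auth entry that may ask for a password again."""
    return [mod for mod, mode in parse_auth_stack(text)[1:] if mode == "prompt"]


if __name__ == "__main__":
    for mod, mode in parse_auth_stack(SAMPLE):
        print(f"{mod:14} {mode}")
    print("may re-prompt:", reprompting_modules(SAMPLE))
```

Modules that never ask for a password would also be listed, so the output is a review list to check against each module's documentation.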