Tricky PAM
Yes, the old-fashioned Unix PAM (Pluggable Authentication Modules) turns out to be not so easy once you want to do non-standard things.
Imagine the following situation: you have three modules, A, B and C, and you want to authenticate a user with either A or B, and always evaluate C. In our particular case C would not authenticate by itself; that is, if A and B both failed, C alone would never authenticate the user. That is (A v B) ^ C, or (A || B) && C. Or, better written, (A v B) ^ (C v ¬C), meaning that C always needs to be evaluated.
Reading the helpful man page pam.conf(5) we come across the following control keywords: required, requisite, sufficient and optional. Let's see:
    sufficient A
    required   B
    required   C
would turn out to A v (B ^ C): if A succeeds, C is never evaluated. Making all three modules required would turn out to A ^ B ^ C, again not what we want. For that we need the advanced control syntax of PAM:
    [success=ok default=ignore] A
    [success=ok default=ignore] B
    required                    C
In this case what happens is the following (although, as we presented the case, C would never authenticate by itself; call it a side-effect module):
    A B C | Result
    0 0 0 | Failure
    0 0 1 | Success
    0 1 0 | Failure
    0 1 1 | Success
    1 0 0 | Failure
    1 0 1 | Success
    1 1 0 | Failure
    1 1 1 | Success
And here is the real pam.conf entry:
    auth [success=ok default=ignore] pam_ldap.so
    auth [success=ok default=ignore] pam_sentry.so localhost 6666
    auth sufficient                  pam_unix2.so
or, with the new version of PAM:
    auth [success=ok new_authtok_reqd=ok default=ignore] pam_ldap.so
    auth [success=ok new_authtok_reqd=ok default=ignore] pam_sentry.so localhost 6666
    auth sufficient                                      pam_unix2.so
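Working the truth table out by hand for every stack gets error-prone, so here is a small simulator of how Linux-PAM walks an auth stack, following the ok/done/bad/die/ignore actions documented in pam.conf(5). It is an added example, not code from the original post or from the PAM project; the module names and the A/B/C stacks are taken from the post, and each module's outcome is supplied as a constructed boolean rather than by calling a real module. Run it and it prints the truth tables for the naive keyword stack, the bracket-syntax stack, and the final pam.conf entry above.

```python
# Added example (not from the original post): a simulator of how Linux-PAM
# walks an "auth" stack, following the control-flag semantics documented in
# pam.conf(5). Module outcomes are supplied as booleans, so the truth table
# for any stack can be computed instead of reasoned out by hand.

from itertools import product

SUCCESS = "success"
AUTH_ERR = "auth_err"   # stands in for any failing module return code

# Bracket-form equivalents of the four classic keywords (from pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(control):
    """Turn 'required' or '[success=ok default=ignore]' into an action table."""
    control = control.strip()
    if control in KEYWORDS:
        return KEYWORDS[control]
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control field: %r" % control)
    table = {}
    for item in control[1:-1].split():
        retval, action = item.split("=", 1)
        table[retval] = action
    if "default" not in table:
        raise ValueError("bracket control needs a default= action")
    return table


def evaluate_stack(stack, outcomes):
    """stack: list of (control, module) tuples; outcomes: module -> bool."""
    impression = None          # None = undecided, True = pass, False = fail
    for control, module in stack:
        table = parse_control(control)
        retval = SUCCESS if outcomes[module] else AUTH_ERR
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue                       # contributes nothing to the result
        if action in ("ok", "done"):
            # A success only counts if no earlier module already failed.
            if impression is None:
                impression = True
            if action == "done" and impression is True:
                break                      # "sufficient": stop on success
        elif action in ("bad", "die"):
            if impression is not False:
                impression = False         # first failure decides the stack
            if action == "die":
                break                      # "requisite": stop immediately
        else:
            raise ValueError("unsupported action: %r" % action)
    # A stack in which every module was ignored yields no decision: denial.
    return impression is True


def truth_table(stack):
    """Return {(outcome of each module, ...): stack result} for all inputs."""
    modules = [module for _, module in stack]
    table = {}
    for bits in product([False, True], repeat=len(modules)):
        table[bits] = evaluate_stack(stack, dict(zip(modules, bits)))
    return table


# The two candidate stacks discussed in the post, A/B/C standing for modules.
NAIVE_STACK = [("sufficient", "A"), ("required", "B"), ("required", "C")]
ADVANCED_STACK = [("[success=ok default=ignore]", "A"),
                  ("[success=ok default=ignore]", "B"),
                  ("required", "C")]
# The final pam.conf entry from the post, where the last line is sufficient.
REAL_STACK = [("[success=ok new_authtok_reqd=ok default=ignore]", "pam_ldap.so"),
              ("[success=ok new_authtok_reqd=ok default=ignore]", "pam_sentry.so"),
              ("sufficient", "pam_unix2.so")]

if __name__ == "__main__":
    for name, stack in (("naive", NAIVE_STACK), ("advanced", ADVANCED_STACK),
                        ("real", REAL_STACK)):
        print(name, [module for _, module in stack])
        for bits, result in truth_table(stack).items():
            print("  ", " ".join("1" if b else "0" for b in bits),
                  "->", "Success" if result else "Failure")
```

The naive stack evaluates to A v (B ^ C) and the bracket stack to C, exactly as the post says. Note what the simulator reports for the real entry: because its last line is sufficient rather than required, a failing pam_unix2.so is ignored, and an earlier success from pam_ldap.so or pam_sentry.so is kept, so that stack evaluates to ldap v sentry v unix2. If the intended behaviour is the required-C table above, the last line should stay required.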

