[WBEL-users] xscreensaver/LDAP problem

Jim Buchanan bz73lg at eng.delcoelect.com
Thu Jan 27 13:20:06 CST 2005


On Thu, Jan 27, 2005 at 12:01:05PM -0600, Kirby C. Bohling wrote:
> On Thu, Jan 27, 2005 at 09:19:02AM -0500, Jim Buchanan wrote:
> > Using the man pages and Google, we got everything to accept LDAP
> > authentication through PAM except xscreensaver.
> > 
> > Some info/example files:
> > 
> > authconfig command used:
> > 
> > authconfig --disablemd5 --disableshadow --enablenis --nisdomain=<our NIS domain> --enableldaptls --enableldapauth --ldapserver="<our ldap servers>" --kickstart
> 
> I've gotten this to work no problem if you enable shadow and md5sum,
> and disable nis.   Do you actually have an /etc/shadow and
> /etc/passwd file?  

At first I didn't have a shadow file, none of the machines do, however
"authconfig --enableshadow" took care of that by creating and
populating a shadow file and removing the passwords from passwd.

I enabled shadow (obviously, from above), and enabled md5. No good, the
behavior did not change.

I tried disabling NIS, I expected this to keep me from unlocking the
screensaver, but it also killed all logins, prevented the automounter
from working, a real mess. I already had a root window open on another
machine, and re-enabling NIS got everything working well. I didn't
expect that behavior, as the machine is allowing logins with the LDAP
password.

> I wonder if xscreensaver is looking for a file
> and failing because you lack it.  It might be instructional to run
> "xscreensaver" as root via strace 

This causes the screensaver to lock up on me halfway through the
fade-out; it has to be killed to unlock the screen.

> (or with an LD_PRELOAD that will
> print out all the files it attempts to open).  That or just read the
> code.

While looking through the code I noticed that there was a verbose
option for xscreensaver. I tried that and found that
pam_authenticate() in the pam_passwd_valid_p() function (in the
passwd-pam.c file) is failing to authenticate the user. This same
function is authenticating the user when the NIS password is used.

> can come to is that xscreensaver is dying during the authentication
> process because your setup is something it really didn't expect.

I'm suspecting you're right.

BTW, here's the /etc/pam.d/xscreensaver file I used in the above test:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so

This is the file installed when compiling and installing xscreensaver
from the generic source.

If anyone else has any ideas, I'd love to see them, but don't think
I'm ignoring you; I'm about to leave on a 3-day weekend.

-- 
Jim Buchanan                                   bz73lg at eng.delcoelect.com
========================================================================
"C++ is like movie music, of titanic proportions, yet still culturally
 derivative by and large. Especially large." -Larry Wall
========================================================================

