[tac_plus] Re: Installing tac_plus as a different user other than root??

adam prozaconstilts at gmail.com
Wed Dec 2 00:22:24 UTC 2009


Andy Saykao wrote:
> Hi Adam,
> 
> I've read your post on getting PAM working under RHEL but have a few 
> more questions about it.
> 
> http://www.shrubbery.net/pipermail/tac_plus/2009-May/000435.html
> 
> For those on Ubuntu I had to install libpam0g-dev first and ./configure 
> again so PAM was detected.
> 
> # apt-get install libpam0g-dev
> 
> 1/ How does the tac_plus daemon know to look for the PAM authentication 
> in /etc/pam.d/tac_plus? I created the tac_plus file but I notice that 
> when I deleted it and restarted the tac_plus daemon, PAM auth still 
> works with or without it. Not sure if the PAM auth just defaults to 
> using the common-* files in /etc/pam.d/ if it doesn't find the tac_plus 
> file in there.

tac_plus just makes a C library call to pam_authenticate. For RHEL, this 
required a tac_plus file in pam.d. This may not be the case for Ubuntu.

> 
> 2/ The tac_plus user guide says that PAM doesn't work if the tac_plus 
> daemon is started as a non-root user (which is how I am running the 
> daemon). So once again to get around this I had to configure the daemon 
> to use the shadow GID.

Poop. I should have read and known about that. You could make the jump 
and go straight to your LDAP solution. Sorry if that caused you to waste 
your time :(

> "Be aware that when the tac_plus daemon runs as a non-root user (as is the
> default in FreeBSD /usr/ports), it will not be able to authenticate using
> the pam_unix.so module.  This is because the system function getpwnam()
> called by pam_unix.so requires root privileges to retrieve the password to
> validate from the /etc/master.passwd or /etc/shadow file. The symptom will
> be that for each authentication that is attempted, the password will appear
> to be wrong whether it was typed correctly or not."


> 
> Cheers.
> 
> Andy
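
A diagnostic for the two points raised in this thread, added here as an example (it is not code from tac_plus or from either poster): which PAM file a service name resolves to when its own file is missing, and whether a non-root daemon's uid and groups can read the shadow file that pam_unix.so needs. It assumes the classic /etc/pam.d layout and plain mode bits; the function names are hypothetical.

```python
import os
import stat


def pam_service_file(service, pam_dir="/etc/pam.d"):
    """Return the file Linux-PAM consults for `service`.

    Linux-PAM reads <pam_dir>/<service> and falls back to <pam_dir>/other
    when that file is missing. On Debian/Ubuntu the stock 'other' file
    @includes the common-* files.
    """
    for name in (service, "other"):
        path = os.path.join(pam_dir, name)
        if os.path.isfile(path):
            return path
    return None


def can_read_shadow(uid, gids, shadow="/etc/shadow"):
    """Decide from owner/group/other mode bits whether uid/gids may read
    the shadow file. ACLs and capabilities are not considered."""
    try:
        st = os.stat(shadow)
    except OSError:
        return False
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


if __name__ == "__main__":
    # Run as the account the tac_plus daemon uses.
    groups = set(os.getgroups()) | {os.getegid()}
    print("PAM file for tac_plus:", pam_service_file("tac_plus"))
    print("shadow readable:", can_read_shadow(os.geteuid(), groups))
```

If the second line prints False for the daemon's account, pam_unix.so will reject every password, which matches the symptom the user guide describes.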