[cups] authentication of Linux users against /etc/shadow *and* LDAP

Matthias Apitz guru at unixarea.de
Thu Sep 28 05:11:52 PDT 2017


Hello,

We encounter Linux systems which do have a file /etc/shadow and CUPS was
compiled to use it, but some of the users do not have an entry there,
and are authenticated on login/ssh against LDAP.

The used C-call to getspnam() does silently hide this fact and the
returned password for users without an entry in /etc/shadow is just '*';
if cups now wants to compare the calculated hash of the password provided
by the user it fails. It took me some moment of debugging to understand
the problem, which can be simulated with these lines of code:


# grep sisis /etc/passwd /etc/shadow
/etc/passwd:sisis:x:900118:900118:SunRise user:/home/sisis:/bin/bash


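#include <stdio.h>
#include <shadow.h>

int main(void)
{
    struct spwd *spw;

    /* user with an entry in /etc/shadow */
    spw = getspnam("guru");
    /* getspnam() returns NULL if no entry is found or an error occurs */
    printf("guru: %s\n", spw ? spw->sp_pwdp : "(no entry)");
    endspent();

    /* user without an entry in /etc/shadow, authenticated against LDAP */
    spw = getspnam("sisis");
    printf("sisis: %s\n", spw ? spw->sp_pwdp : "(no entry)");
    endspent();

    return 0;
}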

which gives for me 'guru' the hash from /etc/shadow, but for the user 'sisis' only a '*':

guru: $6$SQrGx4fi$Utjdng/IHXm6ar2smqF.sVVCM5qBdeptlcXY4QLNeoMn.ZuszPUD90nyVmCfBn.PaTE5lxsJ3tZxL/cbysOhM/
sisis: *

and so the authentication fails in CUPS for 'sisis' and works for me as 'guru';

Is this a problem in the LDAP?


         matthias
-- 
Matthias Apitz               |  /"\   ASCII Ribbon Campaign:
E-mail: guru at unixarea.de     |  \ /   - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X    - No proprietary attachments
phone: +49-176-38902045      |  / \   - Respect for open standards
                             | en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
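
An added example (not part of the original post and not CUPS code): a check on the sp_pwdp field returned by getspnam() that separates a real crypt(3) hash from placeholders such as the '*' shown above, so a caller can tell "no local hash for this user" apart from "wrong password". The enum and function names are hypothetical, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this added example; not taken from CUPS. */
enum shadow_kind {
    SHADOW_NO_ENTRY,     /* getspnam() returned NULL or sp_pwdp is NULL */
    SHADOW_EMPTY,        /* empty field: no password set */
    SHADOW_LOCKED,       /* '!' in front of a hash: password locked */
    SHADOW_PLACEHOLDER,  /* "*", "!", "x", ...: no hash available here */
    SHADOW_HASH          /* has the shape of crypt(3) output */
};

static const char crypt_chars[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Return nonzero if s has the shape of a crypt(3) result. */
static int looks_like_hash(const char *s)
{
    if (s[0] == '$') {
        /* modular format: $id$salt$hash, with a non-empty id and hash */
        const char *id_end = strchr(s + 1, '$');
        const char *last = strrchr(s, '$');
        return id_end != NULL && id_end != s + 1 &&
               last != id_end && last[1] != '\0';
    }
    /* traditional DES: exactly 13 characters from the crypt alphabet */
    return strlen(s) == 13 && strspn(s, crypt_chars) == 13;
}

enum shadow_kind classify_shadow_field(const char *pwdp)
{
    if (pwdp == NULL) return SHADOW_NO_ENTRY;
    if (pwdp[0] == '\0') return SHADOW_EMPTY;
    if (pwdp[0] == '!' && looks_like_hash(pwdp + 1)) return SHADOW_LOCKED;
    return looks_like_hash(pwdp) ? SHADOW_HASH : SHADOW_PLACEHOLDER;
}

/* Only a real hash can be compared locally; any other kind means the
 * password must be checked by another backend, or the login denied. */
int can_verify_locally(const char *pwdp)
{
    return classify_shadow_field(pwdp) == SHADOW_HASH;
}

int main(void)
{
    /* constructed sample values */
    const char *samples[] = { "*", "!", "x", "$6$examplesalt$constructedhash" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-32s local check: %d\n", samples[i], can_verify_locally(samples[i]));
}
```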

