Closed b0ric closed 10 years ago
I reversed the logic in 6-4-pam
branch. Though I don't know why does this work or doesn't in our system. Might be that there is bug in some other place. Need to debug.
Does your machine provide correct information with command getent passwd <username>
. Our /etc/passwd dosn't contain that information, but we have nss_cache
or something like that.
Apparently Etc.getpwnam(uid)
works in our environment (used by omniauth-pam
).
Also. Thank you for submitting these issues. I'm sorry hat I haven't noticed them earlier...
Yep, I see, 6-4-pam is correct now, thanx!
getent passwd <username>
do not provide any information on my machine. nss_cache
seems like a good solution but I don't have LDAP set up - only Kerberos accounts so far.
Actually I run Gitlab on machine where all this information exists and Etc.getpwnam(uid)
works correctly there. I just bumped into this issue while developing another web application that is on another server. That's why I thought it was worth reporting.
Also, I guess it's safe to close this issue, right?
Yep. Thanks for the clarifications. I try to keep that (testing with getent passwd
) in mind if/when I ever write documentation how to use pam.
Hi raphendyr! Thanks for you patch to gitlab so that everybody is able to use PAM auth with gitlab! And I found one issue with recent 6-3-pam branch. When I work with git (push/pull/etc..), gitlab-shell issues api requests to check whether this user can access repository or not. Smth. like: /api/v3/internal/allowed?key_id=22&action=git-receive-pack&ref=_any&project=proj/proj Handler of this request will call Gitlab::PAM::User.blocked?(user.extern_uid) to check whether user is blocked or not:
and, I guess it should be vice versa:
and another catch is that PAM info is not always available. E.g. I have one server where PAM auth is enabled through Kerberos plugin: libpam-krb5. So in this case there will be no info available in /etc/passwd file. So my guess is that it's better simply to remove begin/rescue block. What do you think?