[lug] pam_ldap and passwd

Hugh Brown hugh at math.byu.edu
Wed Apr 30 07:20:03 MDT 2003


I've got systems authenticating and able to change passwd's to ldap. 
I've noted where pam differs.  Also, did you put the Manager bind passwd
in /etc/ldap.secret?


> /etc/pam.d/system-auth
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
> auth        required      /lib/security/pam_deny.so
> 
> account     required      /lib/security/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
>  
> password    required      /lib/security/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok


I have the above line followed by md5 shadow, are the passwords in ldap
crypt'ed or are they in md5 format?


> password    sufficient    /lib/security/pam_ldap.so use_authtok
> password    required      /lib/security/pam_deny.so
> 
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_ldap.so
> 
> With the above pam configuration passwd prompts me for my current LDAP
> password, which it then tells me is invalid. 

Are you sure the system is connecting appropriately to the ldap server?


> If I remove the system-auth
> "password    required      /lib/security/pam_deny.so" line it fails on my
> current LDAP password 3 times, and then allows me to supply a new
> password which does get updated to LDAP.
> 
> Has anyone seen anything like this before?  Any suggestions?

I had the problem when I didn't have the passwd for the rootbinddn in
/etc/ldap.secret

Hugh
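An added example, not from either poster: a small simulator of the classic Linux-PAM control-flag semantics run over the quoted `password` stack, to show why dropping the trailing `pam_deny` line lets `passwd` proceed even when both `pam_unix` and `pam_ldap` fail. It assumes only the keyword controls (`required`/`requisite`/`sufficient`/`optional`) and constructed per-module outcomes; the bracketed control syntax on the `account` stack and real PAM calls are not modelled.

```python
# Added example (not from the thread): simulate the classic Linux-PAM
# control flags over the quoted 'password' stack to show why removing the
# trailing pam_deny line changes what passwd does.
# Assumptions: keyword controls only (required/requisite/sufficient/optional);
# per-module outcomes are constructed, not produced by real PAM modules.

PASSWORD_STACK = """\
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so
"""


def parse_stack(text, stack_type="password"):
    """Return [(control, module)] for the lines belonging to stack_type."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == stack_type:
            entries.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return entries


def evaluate(entries, outcomes):
    """Walk the stack; outcomes maps module -> True (success) / False.
    pam_deny always fails and pam_permit always succeeds, as in real PAM."""
    fixed = {"pam_deny.so": False, "pam_permit.so": True}
    required_failed = False
    for control, module in entries:
        ok = fixed.get(module, outcomes.get(module, False))
        if control == "requisite" and not ok:
            return False                        # fail immediately
        if control == "required" and not ok:
            required_failed = True              # keep going, fail at the end
        elif control == "sufficient" and ok and not required_failed:
            return True                         # short-circuit success
        # optional: its result is ignored while other modules decide
    return not required_failed


def compare_with_and_without_deny(outcomes):
    """Stack result as quoted, and with the pam_deny line removed."""
    full = parse_stack(PASSWORD_STACK)
    trimmed = [e for e in full if e[1] != "pam_deny.so"]
    return evaluate(full, outcomes), evaluate(trimmed, outcomes)
```

With constructed outcomes where `pam_cracklib` accepts the new password but `pam_unix` and `pam_ldap` both fail, the quoted stack returns failure while the stack without `pam_deny` returns success, which matches the behaviour described in the quoted message.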