[lug] pam_ldap and passwd
dan radom
dan at radom.org
Wed Apr 30 07:48:28 MDT 2003
* Hugh Brown (hugh at math.byu.edu) wrote:
> I've got systems authenticating and able to change passwd's to ldap.
> I've noted where pam differs. Also, did you put the Manager bind passwd
> in /etc/ldap.secret?
>
>
> > /etc/pam.d/system-auth
> > auth required /lib/security/pam_env.so
> > auth sufficient /lib/security/pam_unix.so likeauth nullok
> > auth sufficient /lib/security/pam_ldap.so use_first_pass
> > auth required /lib/security/pam_deny.so
> >
> > account required /lib/security/pam_unix.so
> > account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
> >
> > password required /lib/security/pam_cracklib.so retry=3 type=
> > password sufficient /lib/security/pam_unix.so nullok use_authtok
>
>
> I have the above line followed by md5 shadow. Are the passwords in ldap
> crypt'ed or are they in md5 format?
>
> > password sufficient /lib/security/pam_ldap.so use_authtok
> > password required /lib/security/pam_deny.so
> >
> > session required /lib/security/pam_limits.so
> > session required /lib/security/pam_unix.so
> > session optional /lib/security/pam_ldap.so
> >
> > With the above pam configuration passwd prompts me for my current LDAP
> > password, which it then tells me is invalid.
>
> Are you sure the system is connecting appropriately to the ldap server?
>
>
> > If i remove the system-auth
> > "password required /lib/security/pam_deny.so" line it fails on my
> > current LDAP password 3 times, and then allows me to supply a new
> > password which does get updated to LDAP.
> >
> > Has anyone seen anything like this before? Any suggestions?
>
> I had the problem when I didn't have the passwd for the rootbinddn in
> /etc/ldap.secret
>
> Hugh
>
I tried every possible combination in the PAM files. The results varied
quite a bit, and in the end I rolled my own passwd, chsh and chfn using
Perl Net::LDAP. They work great.
dan
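As an added example, not code from this thread or from either poster: the Python script below applies the Linux-PAM control-flag rules from pam.d(5) (required, requisite, sufficient, optional and the bracketed [retcode=action ...] form) to a config in the shape of the system-auth file quoted above. The config text, the per-module return codes and the helper names are constructed assumptions; it loads no real PAM module and contacts no LDAP server, so it shows only how the flags combine, not what pam_unix or pam_ldap actually do when prompting. Run it to see that a sufficient module's failure is simply ignored, that the trailing "password required pam_deny.so" is what turns "every sufficient module failed" into a denial (the required pam_cracklib line earlier in the stack has already marked the stack successful, so without pam_deny the stack still returns success), and that the bracketed account control lets an LDAP outage (service_err) pass while any code not listed falls through to default=bad.

```python
"""Simulate how Linux-PAM combines the results of a module stack.

Added example, not from the thread: applies the pam.d(5) control-flag
rules to a constructed config; module return codes are assumed, nothing
real is loaded or contacted.
"""
import re

# Return-code names (a subset of the PAM_* codes, lowercased as in pam.d(5)).
SUCCESS, IGNORE = "success", "ignore"
PERM_DENIED = "perm_denied"            # also Linux-PAM's "must fail" default
USER_UNKNOWN, AUTHTOK_ERR = "user_unknown", "authtok_err"
SERVICE_ERR, ACCT_EXPIRED = "service_err", "acct_expired"

# Classic keywords expanded to their bracket form, as pam.d(5) defines them.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_control(control):
    """Map a control field to {retcode: action}; unlisted codes use 'default',
    and Linux-PAM treats a missing default as 'bad'."""
    control = KEYWORDS.get(control, control)
    actions = dict(pair.split("=", 1) for pair in control.strip("[]").split())
    actions.setdefault("default", "bad")
    return actions


def parse_pam_config(text):
    """Parse pam.d-style lines into {type: [(control, module, args), ...]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable pam line: %r" % raw)
        mtype, control, path, args = m.groups()
        module = path.rsplit("/", 1)[-1]
        if module.endswith(".so"):
            module = module[:-3]
        stacks.setdefault(mtype, []).append((control, module, args.split()))
    return stacks


def run_stack(stack, outcomes):
    """Evaluate one stack; outcomes maps module name -> return code for this
    pass. Mirrors pam_dispatch: the first 'bad' fixes the status, 'ok' only
    overrides a still-successful stack, 'done'/'die' stop early, 'reset'
    forgets everything, and an integer jumps over that many modules."""
    impression = None          # None: undefined, True: positive, False: negative
    status = PERM_DENIED       # what the application sees if nothing sets it
    i = 0
    while i < len(stack):
        control, module, _args = stack[i]
        i += 1
        retval = outcomes[module]
        actions = parse_control(control)
        action = "ignore" if retval == IGNORE else actions.get(retval, actions["default"])
        if action.isdigit():
            i += int(action)
        elif action in ("bad", "die"):
            if impression is not False:          # first failure wins
                impression, status = False, retval
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is None or (impression is True and status == SUCCESS):
                impression, status = True, retval
            if action == "done" and impression is True:
                break
        elif action == "reset":
            impression, status = None, PERM_DENIED
        # "ignore": the module's result does not contribute
    if status == SUCCESS and impression is not True:
        status = PERM_DENIED                     # pam_dispatch's sanity check
    return status


def without(stack, module):
    """Copy of a stack with one module removed (e.g. the trailing pam_deny)."""
    return [entry for entry in stack if entry[1] != module]


# Constructed config in the shape of the quoted /etc/pam.d/system-auth.
SYSTEM_AUTH = """\
password required   /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required   /lib/security/pam_deny.so
account  required   /lib/security/pam_unix.so
account  [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
"""
STACKS = parse_pam_config(SYSTEM_AUTH)

# Assumed per-module results for one pass of the password stack by a user who
# exists only in LDAP (constructed, not measured on any system). pam_deny's
# chauthtok entry point returns PAM_AUTHTOK_ERR.
LDAP_CHANGE_OK = {"pam_cracklib": SUCCESS, "pam_unix": USER_UNKNOWN,
                  "pam_ldap": SUCCESS, "pam_deny": AUTHTOK_ERR}
LDAP_CHANGE_FAILS = dict(LDAP_CHANGE_OK, pam_ldap=AUTHTOK_ERR)


def password_result(outcomes, keep_pam_deny=True):
    stack = STACKS["password"] if keep_pam_deny else without(STACKS["password"], "pam_deny")
    return run_stack(stack, outcomes)


def account_result(ldap_code):
    return run_stack(STACKS["account"], {"pam_unix": SUCCESS, "pam_ldap": ldap_code})


if __name__ == "__main__":
    print("ldap change ok, with pam_deny:      ", password_result(LDAP_CHANGE_OK))
    print("ldap change fails, with pam_deny:   ", password_result(LDAP_CHANGE_FAILS))
    print("ldap change fails, pam_deny removed:", password_result(LDAP_CHANGE_FAILS, False))
    print("account, LDAP server down:          ", account_result(SERVICE_ERR))
    print("account, LDAP says expired:         ", account_result(ACCT_EXPIRED))
```

The simulator only models one pass of the stack; a real passwd run drives the password stack twice (PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK), so to reason about a specific failure you would feed it one outcome table per pass.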