[lug] pam_ldap and passwd
Hugh Brown
hugh at math.byu.edu
Wed Apr 30 07:20:03 MDT 2003
I've got systems authenticating and able to change passwds to ldap.
I've noted where pam differs. Also, did you put the Manager bind passwd
in /etc/ldap.secret?
> /etc/pam.d/system-auth
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_ldap.so use_first_pass
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
> account [default=bad success=ok user_unknown=ignore
> service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
>
> password required /lib/security/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/pam_unix.so nullok use_authtok
I have the above line followed by md5 shadow. Are the passwords in ldap
crypt'ed, or are they in md5 format?
> password sufficient /lib/security/pam_ldap.so use_authtok
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_ldap.so
>
> With the above pam configuration passwd prompts me for my current LDAP
> password, which it then tells me is invalid.
Are you sure the system is connecting appropriately to the ldap server?
> If I remove the system-auth
> "password required /lib/security/pam_deny.so" line it fails on my
> current LDAP password 3 times, and then allows me to supply a new
> password which does get updated to LDAP.
>
> Has anyone seen anything like this before? Any suggestions?
I had the problem when I didn't have the passwd for the rootbinddn in
/etc/ldap.secret.
Hugh
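A quick check for the two things Hugh points at, the rootbinddn directive in ldap.conf and the bind password in /etc/ldap.secret, as an added shell example that is not part of the original post or of pam_ldap itself. The helper names are hypothetical, the sample ldap.conf and secret are constructed, and the demo checks files owned by the current user so it runs without root; on a real box you would point it at /etc/ldap.conf and /etc/ldap.secret with the default owner of root.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the pam_ldap
# rootbinddn setup. pam_ldap takes the DN from "rootbinddn" in ldap.conf
# and the bind password from /etc/ldap.secret, which must be readable by
# root only. Function names are hypothetical helpers.

# ldap_rootbinddn CONF
# Print the rootbinddn value from CONF; return 1 if the directive is absent.
ldap_rootbinddn() {
    awk '$1 == "rootbinddn" { sub(/^[ \t]*rootbinddn[ \t]+/, ""); print; found = 1 }
         END { exit !found }' "$1"
}

# check_ldap_secret FILE [OWNER]
# Return 0 when FILE is usable as the rootbinddn secret: a regular file owned
# by OWNER (default root), mode exactly 0600, holding one non-empty line with
# no embedded whitespace. Each failed check prints the reason.
check_ldap_secret() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || { echo "$f: missing or not a regular file"; return 1; }
    # find prints the path only when both ownership and exact mode match
    [ -n "$(find "$f" -user "$owner" -perm 0600 2>/dev/null)" ] \
        || { echo "$f: must be owned by $owner with mode 0600"; return 1; }
    [ -s "$f" ] || { echo "$f: empty"; return 1; }
    lines=$(wc -l < "$f" | tr -d ' ')
    [ "$lines" -le 1 ] || { echo "$f: must contain a single line"; return 1; }
    secret=$(head -n 1 "$f")
    [ -n "$secret" ] || { echo "$f: first line is empty"; return 1; }
    # Stray spaces or tabs in the secret are a common cause of bind failures.
    case $secret in
        *[[:space:]]*) echo "$f: whitespace in secret"; return 1 ;;
    esac
    return 0
}

# Demo on constructed files in a temporary directory.
tmp=$(mktemp -d)
cat > "$tmp/ldap.conf" <<'EOF'
# constructed sample ldap.conf, not a real deployment
host ldap.example.test
base dc=example,dc=test
rootbinddn cn=Manager,dc=example,dc=test
pam_password md5
EOF
printf 'constructed-secret\n' > "$tmp/ldap.secret"
chmod 600 "$tmp/ldap.secret"

if dn=$(ldap_rootbinddn "$tmp/ldap.conf"); then
    echo "rootbinddn: $dn"
else
    echo "no rootbinddn in $tmp/ldap.conf"
fi
# Checked against the current user so the demo works without root.
if check_ldap_secret "$tmp/ldap.secret" "$(id -un)"; then
    echo "ldap.secret OK"
fi
rm -rf "$tmp"
```

The mode check uses find's exact-mode match rather than a readable test, because pam_ldap will happily read a world-readable secret and the failure would then be an exposed Manager password rather than a failed bind.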