crouchingturbo (n00b)
Joined: 27 Apr 2004 Posts: 11 Location: Rhode Island
Posted: Sun Dec 31, 2006 3:49 pm Post subject: [Solved] OpenLDAP, PAM, and the passwd command
My OpenLDAP setup is almost complete. I set up OpenLDAP and PAM following the (not so great) Gentoo Guide. Currently, users can log in and authenticate with their LDAP password. However, when a user runs the "passwd" command, it goes one of two ways:
Code:
$ passwd
(current) UNIX password: <correct user password here>
New UNIX password: <a new password>
Retype new UNIX password: <a new password>
passwd: password updated successfully
In this situation, the LDAP password is never updated, but the one in /etc/shadow is updated. The second scenario:
Code:
$ passwd
(current) UNIX password: <*incorrect* password here>
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for user
passwd: password updated successfully
In this situation, the LDAP password gets updated, but the one in /etc/shadow is not updated.
I can't figure out how to make the passwd command update both passwords simultaneously.
Here is my /etc/pam.d/system-auth:
Code:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account required pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
If I put "use_first_pass" on the password sufficient pam_ldap.so line, as the Guide recommends, then I can only change my UNIX password, never the LDAP one.
Last edited by crouchingturbo on Mon Jan 01, 2007 11:58 am; edited 2 times in total
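The two outcomes above follow directly from how PAM walks a stack of "sufficient" modules: the first module that succeeds ends the stack, so the module listed after it never runs. The following Python model of the control flags is an added example (it is not from this thread, and it simplifies the real Linux-PAM return-code table) applied to the password stack from the system-auth file posted above:

```python
# Added example (not from the thread): a minimal model of how Linux-PAM walks a
# "password" stack, to show why the posted config only ever updates one store.

ORIGINAL_PASSWORD_STACK = [
    # (control flag, module) in the order used in the posted system-auth file
    ("required", "pam_cracklib.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]


def run_stack(stack, module_results):
    """Walk a PAM stack; return (overall_success, modules_invoked).

    Simplified control-flag semantics (an assumption, not the full PAM table):
      required   - failure is remembered, but later modules still run
      requisite  - failure ends the stack immediately with failure
      sufficient - success ends the stack with success unless an earlier
                   required module already failed; failure is ignored
    module_results maps module name -> True (success) / False (failure).
    """
    invoked, required_failed = [], False
    for control, module in stack:
        invoked.append(module)
        ok = module_results.get(module, False)
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False, invoked
        elif control == "sufficient" and ok and not required_failed:
            return True, invoked
    return not required_failed, invoked


def change_password(local_old_password_ok, ldap_old_password_ok):
    """Simulate `passwd` against the posted stack; report which stores changed."""
    results = {
        "pam_cracklib.so": True,  # new password passed the quality checks
        "pam_unix.so": local_old_password_ok,
        "pam_ldap.so": ldap_old_password_ok,
        "pam_deny.so": False,  # pam_deny always fails
    }
    success, invoked = run_stack(ORIGINAL_PASSWORD_STACK, results)
    updated = {m for m in ("pam_unix.so", "pam_ldap.so") if m in invoked and results[m]}
    return success, updated


if __name__ == "__main__":
    # Scenario 1: correct local password -> pam_unix is sufficient, pam_ldap never runs.
    print(change_password(True, True))   # (True, {'pam_unix.so'})
    # Scenario 2: wrong local password -> pam_unix fails, so pam_ldap handles the change.
    print(change_password(False, True))  # (True, {'pam_ldap.so'})
```

Whichever sufficient module satisfies the old-password check is the only one that gets to update its store, which is exactly the split behaviour described in the post.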
crouchingturbo (n00b)
Posted: Mon Jan 01, 2007 11:53 am
Figured it out... The Gentoo guide is wrong -- it's not "use_first_pass", it's "try_first_pass".
Edit: After more searching, seems like both use_first_pass and try_first_pass are valid options. I have no idea why it wasn't working before, but things are working fine now. Here's my new, not too different, config:
Code:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth required pam_deny.so
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
password requisite pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_ldap.so use_authtok
password sufficient pam_unix.so nullok md5 shadow use_authtok try_first_pass
password required pam_deny.so
session required pam_limits.so
session sufficient pam_ldap.so
session sufficient pam_unix.so try_first_pass
session required pam_deny.so