
List:       nssldap
Subject:    RE: [nssldap] Solaris 2.6 - Cannot change passwords.
From:       Paul Clayton <paul.clayton () intec ! co ! za>
Date:       2002-09-09 7:22:59

Guys,

What I found was that configuring the nsswitch.conf file to "passwd: files
ldap" caused the message below, and seemed somehow related to the problem. I
narrowed this down by playing with pam.conf, down to putting it back to the
original format without any pointers to the ldap. This narrowed it down to
nsswitch. So now my question is which way do I go.
Would it be better looking at a NIS/LDAP gateway?

cheers
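A small check for the situation described above, added here as an example and not something posted in the thread: it parses the "passwd:" source list of an nsswitch.conf and compares it with the configurations the Solaris 2.6 passwd command enumerates when it refuses to run, so a "files ldap" line is flagged before anyone discovers they cannot change a password. The sample files are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example: validate the "passwd:" source list in an nsswitch.conf
# against the configurations that the Solaris 2.6 passwd(1) command lists
# as supported (files / files nis / files nisplus / compat, the last one
# alone or paired with "passwd_compat: nisplus").
# Returns 0 when passwd(1) would accept the file, 1 otherwise.
nsswitch_passwd_supported() {
    file="$1"
    # Drop comments, then pull the first "passwd:" and "passwd_compat:"
    # entries; awk rebuilds the record so runs of spaces/tabs collapse.
    passwd_src=$(sed 's/#.*//' "$file" |
        awk '$1 == "passwd:" { $1 = ""; sub(/^ /, ""); print; exit }')
    compat_src=$(sed 's/#.*//' "$file" |
        awk '$1 == "passwd_compat:" { $1 = ""; sub(/^ /, ""); print; exit }')
    case "$passwd_src" in
        files|"files nis"|"files nisplus")
            return 0 ;;
        compat)
            # "passwd: compat" is accepted on its own or with passwd_compat: nisplus
            if [ -z "$compat_src" ] || [ "$compat_src" = "nisplus" ]; then
                return 0
            fi ;;
    esac
    echo "$file: 'passwd: $passwd_src' is not a source list Solaris 2.6 passwd(1) accepts" >&2
    return 1
}

# Constructed sample files (not from the poster's host): the "files ldap"
# lines from the thread, the stock "files" layout, and a compat/nisplus pair.
tmpdir=$(mktemp -d)
cat > "$tmpdir/nsswitch.ldap" <<'EOF'
passwd: files ldap
group:  files  ldap
EOF
cat > "$tmpdir/nsswitch.files" <<'EOF'
passwd:	files   # default Solaris entry
group:  files
EOF
cat > "$tmpdir/nsswitch.compat" <<'EOF'
passwd: compat
passwd_compat: nisplus
EOF
for f in "$tmpdir"/nsswitch.*; do
    if nsswitch_passwd_supported "$f"; then echo "$f: OK"; fi
done
```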

-----Original Message-----
From: David Bussenschutt [mailto:d.bussenschutt@mailbox.gu.edu.au]
Sent: Monday, September 09, 2002 3:07 AM
To: Jim Harle
Cc: 'nssldap@padl.com'; owner-nssldap@padl.com; 'pamldap@padl.com'; Paul
Clayton
Subject: Re: [nssldap] Solaris 2.6 - Cannot change passwords.


Hi All,
        We found that the solaris (2.6 at least) 'passwd' command 
truncates all passwords to 8 characters BEFORE passing any of the 
information to the pam_XXX systems (including the old and new passwords 
that are entered).  Any time either password is more than 8 characters, 
the password change fails because of the truncation, and obviously when 
they are both 8 chars or less (and the other rules you've defined in 
/etc/passwd and e-directory regarding minimum password length are still 
OK), then the change works OK.

One of my co-workers worked this out by using a sniffer, and looking at 
the packets flying....

Having seen the email below... I guess they've probably fixed this in
Solaris 9.

David.
--------------------------------------------------------------------
David Bussenschutt        Email: D.Bussenschutt@mailbox.gu.edu.au
Senior Computing Support Officer & Systems Administrator/Programmer
RedHat Certified Engineer. 
Member of Systems Administrators Guild of Australia.
Location: Griffith University. Information Technology Services
           Brisbane Qld. Aust.  (TEN bldg. rm 1.33) Ph: (07)38757079
--------------------------------------------------------------------


I found that the Solaris passwd command didn't work properly with nss_ldap /
pam_ldap until Solaris 9.  We use NDS eDirectory for LDAP and its password
changing methodology is slightly different from others, so I'm not sure if it
was primarily a Solaris issue with earlier versions, but right now I have
Solaris 9 boxes on which it works and Solaris 8 boxes on which it fails.

   --Jim Harle


On Fri, 6 Sep 2002, Paul Clayton wrote:

> Here's a good one.
>
> After much struggling I got nss_ldap-201 compiled with Netscape 4 libraries.
> Complementing that I got pam_ldap-151 built also on Netscape 4 libraries and
> implemented on Solaris 2.6.
>
> I modified the pam.conf and nsswitch.conf file, as shown below. I have tried
> various configurations of the last two lines of the pam.conf file, with no
> success.
> This is what I get when trying to change a local account password. When
> attempting to change a password of an LDAP user, I get the request for the
> LDAP password, enter it and then nothing else happens.
> Any clues here? It looks like the issue is around the name service switch. This
> could be a Solaris issue.
> ------------------------------------------------------------------------
>
> guinness # passwd
> passwd:  Changing password for root
> Supported configurations for passwd management are as follows:
>     passwd: files
>     passwd: files nis
>     passwd: files nisplus
>     passwd: compat
>     passwd: compat AND
>     passwd_compat: nisplus
> Please check your /etc/nsswitch.conf file
> Permission denied
> ------------------------------------------------------------------------
>
> /etc/nsswitch.conf
> ------------------------------------------------------------------------
> passwd: files ldap
> group:  files  ldap
> ------------------------------------------------------------------------
>
> /etc/pam.conf
> ------------------------------------------------------------------------
> login   auth sufficient /usr/lib/security/pam_ldap.so.1
> login   auth sufficient   /usr/lib/security/pam_unix.so.1 use_first_pass
>
> rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
> rlogin  auth sufficient /usr/lib/security/pam_ldap.so.1
> rlogin  auth sufficient   /usr/lib/security/pam_unix.so.1
>
> dtlogin auth sufficient /usr/lib/security/pam_ldap.so.1
> dtlogin auth sufficient   /usr/lib/security/pam_unix.so.1
>
> rsh     auth sufficient   /usr/lib/security/pam_rhosts_auth.so.1
> other   auth sufficient /usr/lib/security/pam_ldap.so.1
> other   auth sufficient   /usr/lib/security/pam_unix.so.1 use_first_pass
> #
> # Account management
> #
> login   account sufficient /usr/lib/security/pam_ldap.so.1
> login   account sufficient /usr/lib/security/pam_unix.so.1 use_first_pass
> dtlogin account sufficient /usr/lib/security/pam_ldap.so.1
> dtlogin account sufficient /usr/lib/security/pam_unix.so.1
> other   account sufficient /usr/lib/security/pam_ldap.so.1
> other   account sufficient /usr/lib/security/pam_unix.so.1 use_first_pass
> #
> # Session management, not implemented by pam_ldap
> #
> other   session sufficient /usr/lib/security/pam_unix.so.1
> #
> # Password management
> #
> other   password sufficient /usr/lib/security/pam_unix.so.1 use_first_pass
> other   password sufficient /usr/lib/security/pam_ldap.so.1
>
> Regards
>
> Unix like TeePee no windows, no gates, Apache inside.
>  Paul Clayton
> Intec Telecom Systems
> Ph +27 (0) 21 4309000
> Fax +27 (0) 21 4309025
> Mobile +27(0) 832853403
>
>
