List:       pamldap
Subject:    [pamldap] Strange behaviour when changing password through "passwd".
From:       Fred Clausen <fred.clausen () xinitsystems ! com>
Date:       2003-08-22 16:22:17

Hi All,

First my versions:

OS: Red Hat 9
pam_ldap: 153
nss_ldap: 202

Again, thanks to Michael Haverkamp for helping me earlier. Everything is
working but changing passwords with "passwd" exhibits a strange quirk. I
am currently using the "uri ldaps://myserver.mydomain.com" method of
specifying the ldap server. However, if I only specify the uri method
then password changes will not work. passwd does:

Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: User not known to the underlying authentication module

In the logs (/var/log/messages) there is:

Aug 22 16:55:19 host1 PAM_pwdb[6700]: cannot identify user testuser
(uid=0)

If I specify the "host" and "port" (in my case 636, it still works with
port left off but presumably not via SSL) then it works but asks for the
password twice, like so:

Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
New password:
Re-enter new password:
LDAP password information changed for testuser
passwd: all authentication tokens updated successfully.

It asks me four times to change the passwords. "testuser" is not a local
user and does not exist in passwd and shadow. 

Here are the relevant pam files:

/etc/pam.d/sshd:

#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       sufficient    /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ \
umask=0022
session    required     /lib/security/pam_unix_session.so

/etc/pam.d/passwd:

#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so try_first_pass

Here is /etc/ldap.conf:

uri ldaps://ldap1.mydomain.com
base ou=corp,dc=mydomain,dc=com
port 636
host ldap1.mydomain.com
ldap_version 3
rootbinddn cn=admin,dc=mydomain,dc=com
pam_password md5
scope sub


I might also add that under Red Hat there is another file,
/etc/openldap/ldap.conf and it contains:

HOST ldap1.mydomain.com
BASE ou=corp,dc=mydomain,dc=com

I am not sure why it is there and what Red Hat's policy was when they
put it there. I ran "authconfig" at the start to make the initial files
which I have since customised.

If anyone can shed some light onto this matter, I would be much obliged.

Kind regards, 

Fred Clausen.
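As an added illustration (not part of Fred's mail, nor pam_ldap's or pam_pwdb's real code), here is a small Python model of Linux-PAM control-flag semantics run over the "password" stack of the /etc/pam.d/passwd shown above. The module outcomes are assumptions taken from the symptoms described: pam_ldap not recognising the user in the uri-only case, and testuser absent from the local passwd/shadow.

```python
# Toy model of Linux-PAM control flags (required / requisite / sufficient /
# optional) applied to the "password" stack of the /etc/pam.d/passwd above.
# Module outcomes are constructed assumptions, not real pam_ldap/pam_pwdb code.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PAM_SUCCESS, PAM_USER_UNKNOWN = 0, 10

@dataclass
class Module:
    name: str
    control: str                                  # required|requisite|sufficient|optional
    run: Callable[[Dict], Tuple[int, int]]        # -> (status, password prompts shown)

def run_stack(stack: List[Module], ctx: Dict) -> Tuple[int, List[str], int]:
    """Walk the stack with Linux-PAM rules; return (status, modules run, prompts)."""
    first_failure = None
    ran, prompts = [], 0
    for m in stack:
        status, n = m.run(ctx)
        ran.append(m.name)
        prompts += n
        if m.control == "requisite" and status != PAM_SUCCESS:
            return status, ran, prompts           # abort the stack at once
        if m.control == "required" and status != PAM_SUCCESS:
            first_failure = first_failure if first_failure is not None else status
        if m.control == "sufficient" and status == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS, ran, prompts      # later modules never run
        # "optional" results are ignored in this model
    return (PAM_SUCCESS if first_failure is None else first_failure), ran, prompts

def cracklib(ctx):   # required: asks "New UNIX password" twice, always passes here
    return PAM_SUCCESS, 2

def pam_ldap(ctx):   # sufficient, no use_first_pass: prompts again when it knows the user
    if not ctx["ldap_knows_user"]:
        return PAM_USER_UNKNOWN, 0
    return PAM_SUCCESS, 2

def pam_pwdb(ctx):   # required: only succeeds for a user in local passwd/shadow
    return (PAM_SUCCESS, 0) if ctx["local_user"] else (PAM_USER_UNKNOWN, 0)

PASSWD_STACK = [Module("pam_cracklib", "required", cracklib),
                Module("pam_ldap", "sufficient", pam_ldap),
                Module("pam_pwdb", "required", pam_pwdb)]

def simulate(ldap_knows_user: bool, local_user: bool = False):
    # uri-only symptom: simulate(False); host/port case: simulate(True)
    return run_stack(PASSWD_STACK, {"ldap_knows_user": ldap_knows_user, "local_user": local_user})
```

With pam_ldap failing, the required pam_pwdb is reached and fails for a non-local user, which is the "User not known" outcome; with pam_ldap succeeding, the sufficient entry short-circuits the stack after four prompts and pam_pwdb never runs.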
