
List:       pamldap
Subject:    Re: [pamldap] Where to discuss pam_ccreds	(and	nss_updatedb)	issues?
From:       Buchan Milne <bgmilne () obsidian ! co ! za>
Date:       2004-12-09 10:22:29
Message-ID: 41B82765.5050100 () obsidian ! co ! za

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

angel bosch wrote:
| the fact is I'm making my tests on a debian box because I don't like RH,
| but I will have to use it in my work.
| debian pam.d/ is different than debian but also uses a generic auth file
| which is called from every single auth type.
|
| can't you give some generic clues to make it work?

Not without seeing your pam configuration ... but the example that is
given in the source shows enough of what to do that I don't think I need
to give generic clues.

| is it mandatory to apply
| your patch?

Test your own configuration once you have corrected it as below, and see
if users can authenticate with an invalid password while your normal
authentication service is available.

| is the configuration different depending on dist?
|
| this is my /etc/pam.d/common-auth
|
| =========================================================
| auth	sufficient	pam_unix.so nullok
| auth	sufficient  	pam_ldap.so use_first_pass

^^^^^^^^^^^^^^^^
This line is missing some options, and this is the key to getting it all
to work. You want it to be more like this:

auth        [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass

See the example in the pam.conf file distributed with the source.

| auth	 [default=done]	pam_ccreds.so action=validate use_first_pass
| auth	 [default=done]	pam_ccreds.so action=store
| auth	 [default=done]	pam_ccreds.so action=update
| auth required		pam_deny.so
|
| =========================================================

This is only the auth section; you may also need some changes to your
account section. Mine looks like this:

account     [user_unknown=ignore default=done] pam_unix.so
account     [authinfo_unavail=ignore default=done] pam_ldap.so
account     required      /lib/security/pam_deny.so

It may also be possible to force an update of the cached password on
password change by also tweaking the password section, but I haven't
tried yet.

Regards,
Buchan

- --
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBuCdlrJK6UGDSBKcRAkP5AJ920+1mN2+Bw5bMWZHOtIe6t1Ov7ACeMLZo
dG0owybLKxvZHngXjAkDZxI=
=JyEc
-----END PGP SIGNATURE-----
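Added example, not code from the list post or from the pam_ccreds project: a small Python model of how Linux-PAM walks an auth stack under `[value=action]` controls, run over the stack as posted and over the same stack with the pam_ldap line replaced as the reply recommends. What the modelled pam_unix, pam_ldap and pam_ccreds (validate/store/update) modules return, and the control semantics, are simplified assumptions; the `[default=bad]` on the update line is likewise an assumption, modelled on the example shipped with pam_ccreds that the reply points at. The model shows the two consequences of marking pam_ldap `sufficient`: the store action never runs after a successful directory login, so nothing is cached for offline use, and a password the directory has already rejected is still accepted from the cache, which is exactly the check the reply asks for.

```python
"""Walk a pam.d 'auth' stack the way Linux-PAM applies [value=action] controls.

Simplified model (an assumption of this example): ignore -> result does not count;
ok/done/N -> set the stack result unless something already failed (done stops, N
also skips N modules); bad/die -> record the first failure (die stops); a success
code marked 'bad' ends as perm_denied instead of leaking a success.
"""

SHORTHAND = {"sufficient": {"success": "done", "default": "ignore"},
             "required": {"success": "ok", "default": "bad"}}

def parse_line(line):
    """'auth [success=1 default=2] pam_ldap.so use_first_pass' -> (control, module, args)."""
    _type, rest = line.split(None, 1)
    if rest.startswith("["):                       # bracketed control contains spaces
        ctrl, rest = rest[1:].split("]", 1)
        control = dict(kv.split("=", 1) for kv in ctrl.split())
    else:
        ctrl, rest = rest.split(None, 1)
        control = SHORTHAND[ctrl]
    module, *args = rest.split()
    return control, module, args

def check(db, user, pw):
    """Password check against one credential store (constructed, plaintext for brevity)."""
    if user not in db:
        return "user_unknown"
    return "success" if db[user] == pw else "auth_err"

class Host:
    """Constructed environment: one local account, one LDAP account, the ccreds cache."""
    def __init__(self):
        self.local = {"root": "local-secret"}      # checked by the modelled pam_unix
        self.directory = {"alice": "Current-Pw"}   # checked by the modelled pam_ldap
        self.ldap_up = True
        self.cache = {}                            # ccreds store (hashed in reality)

    def run(self, module, args, user, pw):
        """Result code each module hands back; modelled behaviour, not the real modules."""
        if module == "pam_unix.so":
            return check(self.local, user, pw)
        if module == "pam_ldap.so":
            return check(self.directory, user, pw) if self.ldap_up else "authinfo_unavail"
        if module == "pam_ccreds.so":
            action = dict(a.split("=", 1) for a in args if "=" in a)["action"]
            if action == "validate":               # compare against the cache only
                return check(self.cache, user, pw)
            if action == "store":                  # remember the password that just worked
                self.cache[user] = pw
            elif action == "update":               # modelled: drop the entry the directory rejected
                self.cache.pop(user, None)
            return "success"
        return "auth_err"                          # pam_deny.so

def authenticate(host, stack_text, user, pw):
    """Evaluate the stack top to bottom and return the overall PAM result code."""
    stack = [parse_line(l) for l in stack_text.strip().splitlines()]
    status, failed, i = None, False, 0
    while i < len(stack):
        control, module, args = stack[i]
        rv = host.run(module, args, user, pw)
        action = control.get(rv, control.get("default", "bad"))
        i += 1
        if action in ("bad", "die"):
            if not failed:
                failed, status = True, (rv if rv != "success" else "perm_denied")
            if action == "die":
                break
        elif action != "ignore":            # ok, done or a numeric jump
            if not failed:                  # an earlier failure still wins
                status = rv
            if action == "done":
                break
            if action.isdigit():            # success=1 / default=2: skip the next N lines
                i += int(action)
    return status or "perm_denied"

# The auth stack as posted (pam_ldap marked 'sufficient').
POSTED = """
auth sufficient pam_unix.so nullok
auth sufficient pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=done] pam_ccreds.so action=update
auth required pam_deny.so
"""

# pam_ldap line as recommended in the reply; [default=bad] on update is an assumption
# modelled on the pam_ccreds distribution's own example, not taken from this thread.
CORRECTED = POSTED.replace(
    "auth sufficient pam_ldap.so use_first_pass",
    "auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass",
).replace("[default=done] pam_ccreds.so action=update", "[default=bad] pam_ccreds.so action=update")

def scenario(stack_text):
    """Same user under three conditions; returns results plus whether the cache held her entry."""
    host = Host()
    online = authenticate(host, stack_text, "alice", "Current-Pw")   # directory up, right password
    cached_after_login = "alice" in host.cache
    host.ldap_up = False
    offline = authenticate(host, stack_text, "alice", "Current-Pw")  # directory unreachable
    host.ldap_up, host.directory["alice"] = True, "Rotated-Pw"       # password rotated in LDAP,
    host.cache["alice"] = "Current-Pw"                               # cache still holds the old one
    stale = authenticate(host, stack_text, "alice", "Current-Pw")    # user tries the old password
    return online, cached_after_login, offline, stale, "alice" in host.cache
```

`scenario(POSTED)` comes back as `("success", False, "user_unknown", "success", True)`: the online login works but nothing is cached, the offline login then fails, and the old password is still accepted from a seeded cache while the directory is reachable. `scenario(CORRECTED)` comes back as `("success", True, "success", "perm_denied", False)`: the jump over `validate` lands on `store` after a directory success, `validate` serves the offline login, and a directory rejection jumps straight to `update`, which clears the stale entry and is reported as a failure by `default=bad`.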