List: pamldap
Subject: [pamldap] still trying passwd change with pam_ldap
From: jehan.procaccia () int-evry ! Fr
Date: 2001-01-12 15:12:16
I am still trying to use /usr/bin/passwd to change the LDAP userPassword
attribute.
I use openldap 2.0.7 and pam_ldap-98.
Using "pam_password crypt" in pam_ldap /etc/ldap.conf works right :-)
However, using "pam_password md5" is half-way working ! :-(
By half-way, I mean that I can change the password, then logout, telnet
again and be authenticated with the new password just changed.
However, if I try to change it again with /usr/bin/passwd I am not
authenticated !? :
$ passwd
Enter login(LDAP) password:
LDAP Password incorrect: try again
/var/log/messages says:
Jan 12 14:18:20 gigatux passwd[32579]: pam_ldap: error trying to bind as
user
"uid=test,ou=administratif,ou=personnel,ou=personnes,dc=int-evry,dc=fr"
(Invalid credentials)
I can only change back the password using ldappasswd (so bypassing
pam_ldap).
Having "password-hash {md5}" in slapd.conf, it results in something like
this in the LDAP directory, shown with the LDAP graphic browser GQ:
userPassword {MD5}ffeKtngHiDAvJfmQoh4hJA==
ldapsearch returns:
userPassword:: e01ENX1mZmVLdG5nSGlEQXZKZm1Rb2g0aEpBPT0=
Now when I change it again with /usr/bin/passwd (because now I am
authenticated) I have:
userPassword {crypt}$1$SfBKaZk0$kmBakMUGlcoym6BKSg6Lf1
ldapsearch returns:
userPassword:: e2NyeXB0fSQxJFNmQkthWmswJGttQmFrTVVHbGNveW02QktTZzZMZjE=
But again, if I want to change it with /usr/bin/passwd I return to the
problem described above (invalid credentials !); it looks like pam_ldap
/usr/bin/passwd cannot compare with an entry looking like this:
{crypt}$1$SfBKaZk0$kmBakMUGlcoym6BKSg6Lf1
However I can't still logout and login again with that new password !
So login works (auth type module I guess), but passwd doesn't (auth type
module again ?).
/etc/ldap.conf :
pam_password md5
/etc/pam.d/passwd:
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so md5
auth required /lib/security/pam_unix_auth.so use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_warn.so
password required /lib/security/pam_cracklib.so retry=3 type=LDAP/UNIX debug
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_pwdb.so try_first_pass md5
/etc/pam.d/login:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_unix_auth.so shadow audit
auth required /lib/security/pam_ldap.so use_first_pass debug
account required /lib/security/pam_time.so
account required /lib/security/pam_unix_acct.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_unix_auth.so shadow md5 use_authtok audit
password required /lib/security/pam_ldap.so use_first_pass debug
session sufficient /lib/security/pam_unix_session.so
session required /lib/security/pam_ldap.so debug
session optional /lib/security/pam_console.so
I am getting mad about this. Has anyone succeeded using md5 pam_ldap
userPassword change ?
Where is the problem: pam.d/passwd, ldap.conf ?
How come, for the same password and same scheme (md5), I get such different
strings depending on the tools I use to change/show it ?
ldappasswd: {MD5}ffeKtngHiDAvJfmQoh4hJA==
ldapsearch: e01ENX1mZmVLdG5nSGlEQXZKZm1Rb2g0aEpBPT0=
pam_ldap passwd: {crypt}$1$SfBKaZk0$kmBakMUGlcoym6BKSg6Lf1
ldapsearch: e2NyeXB0fSQxJFNmQkthWmswJGttQmFrTVVHbGNveW02QktTZzZMZjE=
Thanks.
--
Jehan Procaccia
Institut National des Telecommunications| Email :
Jehan.Procaccia@int-evry.fr
9 rue Charles Fourier | Tel : +33 (0) 160764436
91011 Evry France | Fax : +33 (0) 160764321
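Added example, not part of the original post or of pam_ldap/OpenLDAP: it decodes the two ldapsearch lines quoted above (the "::" means LDIF base64-wrapped the value because it contains "{" and "$"), splits off the {SCHEME} prefix, and verifies a candidate password against either form, showing that {MD5} is the base64 of a raw unsalted digest while {crypt}$1$salt$ is a salted MD5-crypt string, so the two can never compare equal even for the same password. The crypt-scheme check relies on Python's crypt module (a crypt(3) wrapper, removed in Python 3.13) and is skipped when it is missing.

```python
import base64
import hashlib
import hmac
import re

try:
    import crypt  # crypt(3) wrapper; deprecated in 3.11, removed in 3.13
except ImportError:
    crypt = None

# Constructed sample: the two userPassword lines exactly as the post shows ldapsearch printing them.
LDIF_LINES = [
    "userPassword:: e01ENX1mZmVLdG5nSGlEQXZKZm1Rb2g0aEpBPT0=",
    "userPassword:: e2NyeXB0fSQxJFNmQkthWmswJGttQmFrTVVHbGNveW02QktTZzZMZjE=",
]


def decode_ldif_value(line):
    """Return the attribute value from one LDIF line.

    'attr:: data' means data is base64 (LDIF wraps values that start with
    '{' or contain other unsafe characters); 'attr: data' is literal.
    """
    _attr, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
    return base64.b64decode(value).decode() if sep == "::" else value


def split_scheme(value):
    """Split '{scheme}data' into ('SCHEME', data); no prefix means cleartext."""
    m = re.match(r"\{([^}]+)\}(.*)", value)
    return (m.group(1).upper(), m.group(2)) if m else (None, value)


def make_md5_value(password):
    """Build the {MD5} form that 'password-hash {md5}' in slapd.conf stores."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def verify_password(candidate, stored):
    """Compare a candidate password with a stored userPassword value."""
    scheme, data = split_scheme(stored)
    if scheme == "MD5":  # unsalted: base64(md5(password)), 24 chars
        return hmac.compare_digest(make_md5_value(candidate)[5:], data)
    if scheme == "CRYPT":  # '$1$salt$hash' is MD5-crypt, verified by crypt(3)
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this Python build")
        return hmac.compare_digest(crypt.crypt(candidate, data), data)
    if scheme is None:
        return hmac.compare_digest(candidate, data)
    raise ValueError(f"unsupported userPassword scheme {scheme}")
```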