
List:       pamldap
Subject:    Re: [pamldap] pam_ldap Old Authtoken lost after prelim
From:       jehan.procaccia () int-evry ! Fr
Date:       2001-01-17 9:26:26

Mike Warne wrote:
> 
> Hi,
> I have been trying to figure out why I can not change passwords.
> 
> When I type the passwd command.
> I get prompted for the LDAP password.
> After authentication with LDAP, I get prompted for new password, and confirm
> password.
> 
> Then it fails with Permission Denied.
> 
> After tracing the pam_ldap.c code a little, I notice that during the
> preliminary phase, pam_set_item is called for the PAM_OLDAUTHTOK.
> On the next call to pam_sm_chauthtok,  the call to pam_get_item() for
> PAM_OLDAUTHTOK comes back with curpass set to NULL!
> 
> I am not sure if this is normal or not, but I suspect that this may be why
> the next call to _update_authtok (session, username, curpass, newpass,
> method) appears to fail with a return code of 9.
> 
> Any thoughts or comments on what could be wrong here?
> 
> Thanks,
> Mike Warne
> mwarne@pihana.com

My config might help:

My /etc/pam.d/password file looks like this:

#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so retry=3 type=LDAP debug
password   sufficient   /lib/security/pam_ldap.so use_authtok
password   required     /lib/security/pam_pwdb.so try_first_pass md5

and it works fine :-), but only with unix {crypt}, not with {md5}
password!?

pam_cracklib.so prompts for a new password (and checks the strength of the
password), then control is passed to pam_ldap.so, which uses the password
just typed (thanks to the use_authtok option), and that is "sufficient", I
guess!

-- 
Jehan Procaccia
Institut National des Telecommunications| Email :
Jehan.Procaccia@int-evry.fr 
9 rue Charles Fourier			| Tel   : +33 (0) 160764436 
91011 Evry   France			| Fax   : +33 (0) 160764321
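
An added example, not part of the original message or of pam_ldap: a simplified Python model of how the password stack quoted above is evaluated. It shows that when pam_ldap.so succeeds as "sufficient", pam_pwdb.so is never called, and it checks that every use_authtok module has an earlier module to supply the new token. Function names and module results are constructed; only the simple control flags are modelled.

```python
import os

# Password stack from the message above (the wrapped "debug" is rejoined).
PAM_CONF = """\
#%PAM-1.0
password   required     /lib/security/pam_cracklib.so retry=3 type=LDAP debug
password   sufficient   /lib/security/pam_ldap.so use_authtok
password   required     /lib/security/pam_pwdb.so try_first_pass md5
"""

def parse_stack(text, mgmt):
    """Return [(control, module, args)] for one management group, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 3 and fields[0] == mgmt:
            stack.append((fields[1], os.path.basename(fields[2]), fields[3:]))
    return stack

def simulate(stack, results):
    """Walk the stack using the simple control flags only (simplified model).
    results maps module name -> True (success) / False (failure); constructed."""
    ran, failed = [], False
    for control, module, _ in stack:
        ran.append(module)
        ok = results[module]
        if control == "sufficient" and ok and not failed:
            return True, ran      # stack ends here; later modules are skipped
        if control == "requisite" and not ok:
            return False, ran     # fail immediately
        if control == "required" and not ok:
            failed = True         # keep going, but the stack will fail
        # a failed "sufficient" and any "optional" result are ignored
    return not failed, ran

def use_authtok_without_prompter(stack):
    """Modules told to reuse a new token (use_authtok) although no earlier
    module in the stack could have prompted for and stored one."""
    flagged = []
    for i, (_, module, args) in enumerate(stack):
        earlier_prompter = any("use_authtok" not in a for _, _, a in stack[:i])
        if "use_authtok" in args and not earlier_prompter:
            flagged.append(module)
    return flagged

if __name__ == "__main__":
    stack = parse_stack(PAM_CONF, "password")
    all_ok = {module: True for _, module, _ in stack}
    print(simulate(stack, all_ok))
    print(simulate(stack, {**all_ok, "pam_ldap.so": False}))
    print(use_authtok_without_prompter(stack))
```
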
