
pam_ldap : adduser and passwd commands



Hello,

after reading the archives and online docs, I still haven't found a problem
quite like the one I'm facing:

I'd like to use pam_ldap for authentication and password
storage/management for some users, while other users would remain local
(useful if the network happens to be down).

The LDAP base seems to be configured properly, as an LDAP user can log in.
A local user is also able to log in.

The problem comes when using the passwd command:

* If /etc/pam.d/passwd is (Debian 2.2):
| password   sufficient   pam_ldap.so
| password   required   pam_unix.so nullok obscure min=4 max=8

As a local user:
| 23/03 2:59 local_user@mymachine ~% passwd
| Changing password for henri
| (current) UNIX password: [I enter my passwd]
| Enter login(LDAP) password:

I have to type ^D to be prompted :
| Enter new UNIX password:
which is of course the one I'm trying to change.

As an LDAP user:
| 22/03 18:09 ldap_user@mymachine ~% passwd
| Enter login(LDAP) password: [I enter my passwd]
| New password:

which is OK, except that if I then type ^D (for example, if I don't want
to change my password any more), I am prompted:
| Enter new UNIX password:
which I don't want.

Okay, if I only answer the meaningful questions (LDAP passwd for the LDAP
user and Unix passwd for the local user) it works. It even does nothing
wrong if I answer the stupid questions (such as Unix passwd for the LDAP user),
but I'd like something really clean.

I tried with 'use_first_pass' or 'try_first_pass' on either of the 2 lines of
/etc/pam.d/passwd but it makes things worse (at least one of the users
cannot change his password any more).

I also tried using pam_pwdb as many examples do, but it changes nothing,
which seems quite logical.

I haven't found how to do what I want: LDAP users only prompted for
their new LDAP passwd and local users prompted for their new Unix passwd.

Moreover, adduser will add local users, and I can't figure out how to
tell it whether to create local or LDAP users.

Thanks in advance,
-- 
Henri Fallon
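The control-flag walk behind the double prompts, as an added illustration (not code from the post, from pam_ldap or from Linux-PAM): a simplified Python model of how Linux-PAM's classic `required`/`requisite`/`sufficient`/`optional` flags decide whether the next module in the posted `/etc/pam.d/passwd` stack runs at all. The user table, the two modules' prompts and their success rules are constructed to match the prompts reported in the post (every module asks its question whenever it is reached, and succeeds only for the accounts it owns); the `requisite` variant is hypothetical and is included only to show what the flags alone can and cannot do.

```python
# Added illustration: a simplified model of how Linux-PAM walks the
# "password" stack quoted in the post. Module behaviour is constructed,
# not the real pam_ldap/pam_unix code.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTHTOK_ERR = "PAM_AUTHTOK_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Constructed user population: which backend actually owns each account.
USERS: Dict[str, str] = {"local_user": "unix", "ldap_user": "ldap"}

# Constructed module behaviour: each module prompts whenever it is reached
# (as the post observes) and succeeds only for the accounts it owns.
MODULES = {
    "pam_ldap.so": ("Enter login(LDAP) password:", "ldap"),
    "pam_unix.so": ("Enter new UNIX password:", "unix"),
}


@dataclass(frozen=True)
class Entry:
    control: str  # required | requisite | sufficient | optional
    module: str


def call_module(module: str, user: str, aborted: FrozenSet[str]) -> Tuple[str, str]:
    """Return (retval, prompt shown). Typing ^D at the prompt counts as failure."""
    prompt, backend = MODULES[module]
    if module in aborted or USERS.get(user) != backend:
        return PAM_AUTHTOK_ERR, prompt
    return PAM_SUCCESS, prompt


def run_stack(stack: List[Entry], user: str,
              aborted: FrozenSet[str] = frozenset()) -> Tuple[str, List[str]]:
    """Walk the stack with Linux-PAM's classic control-flag rules (simplified).

    required  : failure is remembered, but every later module still runs
    requisite : failure ends the stack immediately
    sufficient: success ends the stack (unless a required module already
                failed); failure is ignored and the next module runs
    optional  : only counts if nothing else has decided
    Returns the stack's final status and the prompts the user saw, in order.
    """
    impression, status = "undef", PAM_PERM_DENIED
    prompts: List[str] = []
    for e in stack:
        retval, prompt = call_module(e.module, user, aborted)
        prompts.append(prompt)
        ok = retval == PAM_SUCCESS
        if e.control == "sufficient":
            if ok and impression != "negative":
                return PAM_SUCCESS, prompts
        elif e.control == "requisite":
            if not ok:
                return retval, prompts
            if impression == "undef":
                impression, status = "positive", retval
        elif e.control == "required":
            if not ok:
                if impression != "negative":
                    impression, status = "negative", retval
            elif impression == "undef":
                impression, status = "positive", retval
        elif e.control == "optional":
            if ok and impression == "undef":
                impression, status = "positive", retval
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    return (PAM_PERM_DENIED if impression == "undef" else status), prompts


# The stack quoted in the post (/etc/pam.d/passwd, Debian 2.2).
POSTED_STACK = [Entry("sufficient", "pam_ldap.so"), Entry("required", "pam_unix.so")]

# Hypothetical variant with pam_ldap made requisite, shown only to
# demonstrate that control flags cannot route users to one backend.
REQUISITE_STACK = [Entry("requisite", "pam_ldap.so"), Entry("required", "pam_unix.so")]

if __name__ == "__main__":
    cases = (("local_user", {"pam_ldap.so"}), ("ldap_user", set()), ("ldap_user", {"pam_ldap.so"}))
    for name, stack in (("posted", POSTED_STACK), ("requisite", REQUISITE_STACK)):
        for user, aborted in cases:
            status, prompts = run_stack(stack, user, frozenset(aborted))
            print(f"{name:9} {user:10} ^D at {sorted(aborted) or '-'}: {status}, prompts={prompts}")
```

Running the posted stack reproduces the report: a failed `sufficient` module is simply skipped, so ^D at the LDAP prompt hands control to pam_unix and its UNIX prompt appears, while an LDAP user who answers the LDAP prompt never reaches pam_unix at all. Making pam_ldap `requisite` removes the stray UNIX prompt after ^D but locks local users out entirely and, because `required pam_unix` still runs and fails for LDAP accounts, turns their successful change into a reported failure. The flags only decide whether the next module runs, not which module applies to which user, so routing each population to its own backend has to come from the modules themselves rather than from the control column.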