Re: pam_ldap : adduser and passwd commands
On Fri, 23 Mar 2001, Henri Fallon wrote:
> The problem comes when using the passwd command :
>
> * If /etc/pam.d/passwd is ( debian 2.2 ):
> | password sufficient pam_ldap.so
> | password required pam_unix.so nullok obscure min=4 max=8
I never got password changing going correctly (using Debian 2.2, as well).
Switched to Kerberos for passwords in the end (a whole different set of
problems <g>).
Typically the way LDAP passwords are changed is via a special version of
passwd which does it properly. There's one in the PADL migration kit I
think.
If you've got a mix of users, a bit of Perl will set you straight - test
whether the user is in LDAP, if they are then run the LDAP password change,
otherwise the local one.
Basically, AFAICT, PAM has problems beyond the dreams of avarice - and the
lack of useful examples for making it work doesn't help. In the end you
still use a bunch of method-specific tools, and PAM just increases the
frustration factor when something doesn't work.
> Moreover, adduser will add local users, and I can't figure out how to
> tell it whether to create local or ldap users.
The Debian adduser script needs extensive hacking to make it work with LDAP.
Debian is not an LDAP-friendly distro, although it is a hacker friendly
distro, which does help.
I've hacked our local adduser quite a bit to provide support for LDAP users,
but it's LDAP-only - although the original commands are there commented out.
I'll send a copy if you want it, but it'll need lots of work to make it
useful outside of our system (lots of hardcoded values, for instance). Hey,
it was a quick hack to make it work...
--
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer
mjp16@ieee.uow.edu.au
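
The reply above suggests a small wrapper that tests whether the user is in LDAP and runs the matching password change. The sketch below is an added example, not code from the post or from the PADL kit, and is written in POSIX shell rather than Perl. It assumes the OpenLDAP client tools (`ldapsearch`, `ldappasswd`), accounts found by `uid`, and a placeholder base DN; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: send a password change to the local or the LDAP tool.
# Assumed, not from the post: OpenLDAP client tools, uid= lookups and a
# placeholder base DN. Function names are hypothetical.
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"   # placeholder base DN
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Accept only conservative login names, so a name can never carry LDAP
# filter metacharacters such as ( ) * \ or a leading option dash.
valid_name() {
    case "$1" in
        ""|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if the name is exactly the first field of a local passwd line.
is_local() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# Print the DN of the first matching entry, or nothing. A base64-encoded
# DN ("dn:: ...") is deliberately not matched and counts as not found.
ldap_dn() {
    ldapsearch -x -LLL -o ldif-wrap=no -b "$LDAP_BASE" "(uid=$1)" dn \
        2>/dev/null | sed -n 's/^dn: //p' | head -n 1
}

# Print "local", "ldap" or "unknown". Local accounts win, so root and
# system accounts never depend on the directory being reachable.
account_backend() {
    valid_name "$1" || { echo unknown; return 0; }
    if is_local "$1"; then echo local
    elif [ -n "$(ldap_dn "$1")" ]; then echo ldap
    else echo unknown
    fi
}

# -W and -S make ldappasswd prompt for the bind password and the new
# password, so neither appears in the process list or shell history.
change_password() {
    case "$(account_backend "$1")" in
        local) exec passwd "$1" ;;
        ldap)  dn=$(ldap_dn "$1")
               exec ldappasswd -x -D "$dn" -W -S "$dn" ;;
        *)     echo "no such account: $1" >&2; return 1 ;;
    esac
}

[ "$#" -eq 0 ] || change_password "$1"
```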