
Re: pam_ldap : adduser and passwd commands



On Fri, 23 Mar 2001, Henri Fallon wrote:

> The problem comes when using the passwd command :
> 
> * If /etc/pam.d/passwd is ( debian 2.2 ):
> | password   sufficient   pam_ldap.so
> | password   required   pam_unix.so nullok obscure min=4 max=8

I never got password changing going correctly (using Debian 2.2, as well). 
Switched to Kerberos for passwords in the end (a whole different set of
problems <g>).

Typically the way LDAP passwords is changed is via a special version of
passwd which does it properly.  There's one in the PADL migration kit I
think.

If you've got a mix of users, a bit of Perl will set you straight - test
whether the user is in LDAP, if they are then run the LDAP password change,
otherwise the local one.

Basically, AFAICT, PAM has problems beyond the dreams of avarice - and the
lack of useful examples for making it work doesn't help.  In the end you
still use a bunch of method-specific tools, and PAM just increases the
frustration factor when something doesn't work.

> Moreover, adduser will add local users, and I can't figure out how to
> tell it whether to create local or ldap users.

The Debian adduser script needs extensive hacking to make it work with LDAP. 
Debian is not an LDAP-friendly distro, although it is a hacker friendly
distro, which does help.

I've hacked our local adduser quite a bit to provide support for LDAP users,
but it's LDAP-only - although the original commands are there commented out. 
I'll send a copy if you want it, but it'll need lots of work to make it
useful outside of our system (lots of hardcoded values, for instance).  Hey,
it was a quick hack to make it work...


-- 
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer
mjp16@ieee.uow.edu.au
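The dispatching wrapper the reply describes (test whether the account is in LDAP, then run the LDAP password change, otherwise the local one), written here as an added example in POSIX shell rather than the poster's Perl; it is not the author's script. It assumes that an account with an entry in /etc/passwd is local, that any other name NSS can resolve (via getent) is served by LDAP, that OpenLDAP's ldappasswd is the LDAP tool, that user DNs follow the assumed layout uid=NAME,ou=People,dc=example,dc=com, and that the script is installed under the assumed name passwd-wrapper. The username is checked against a conservative pattern before it reaches either tool, so a wrapper installed setuid or called from other scripts cannot be handed option-looking or shell-metacharacter names.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: /etc/passwd membership
# means "local"; a name that getent resolves but /etc/passwd lacks means "LDAP";
# ldappasswd (OpenLDAP) changes LDAP passwords; DN layout and the installed
# script name "passwd-wrapper" are assumed.

# Print where an account lives: "local", "ldap" or "unknown" (exit 1 for unknown).
# $1 = username, $2 = passwd file (defaults to /etc/passwd; overridable for tests)
account_source() {
    user=$1
    pwfile=${2:-/etc/passwd}
    # Refuse empty names, names with characters outside [a-z0-9._-], and names
    # starting with '-' (which passwd/ldappasswd would parse as an option).
    case "$user" in
        ''|*[!a-z0-9._-]*|-*) echo unknown; return 1 ;;
    esac
    # Exact match on the first field of the flat file (no regex surprises from '.').
    if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$pwfile"; then
        echo local
        return 0
    fi
    # getent consults NSS (files, ldap, ...); if it resolves a name the flat
    # file does not contain, the account comes from LDAP.
    if getent passwd "$user" >/dev/null 2>&1; then
        echo ldap
        return 0
    fi
    echo unknown
    return 1
}

# Hand the request to the tool that actually owns the account.
change_password() {
    user=$1
    case "$(account_source "$user")" in
        local) exec /usr/bin/passwd "$user" ;;
        # Bind as the user (prompted for the current password with -W) and set
        # a new one (-S). The DN layout is an assumption for this example.
        ldap)  exec ldappasswd -x -W -S -D "uid=${user},ou=People,dc=example,dc=com" ;;
        *)     echo "passwd-wrapper: no such account: $user" >&2; exit 1 ;;
    esac
}

# Only dispatch when invoked under the installed name, so the functions can be
# sourced and exercised without touching a real password.
case "${0##*/}" in
    passwd-wrapper) change_password "${1:-$(id -un)}" ;;
esac
```

Install it as /usr/local/bin/passwd-wrapper (or alias passwd to it for users) and it behaves like passwd for local accounts while sending LDAP accounts to ldappasswd; an unknown or malformed name is rejected before any tool runs.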