
Re: pam_ldap and login



Hi,

This is really a pam or pam_ldap issue; however, this page might point you in a better direction.

http://www.openldap.org/faq/data/cache/124.html

See below...

Mike Brodbelt wrote:
Hi,

Using OpenLDAP 2.0.23, I've got an LDAP directory set up, and I've
installed pam_ldap and nss_ldap on the machine. I've fiddled with the
PAM config files so that su/login/ftp/ssh/cron/passwd all work as
expected, on information stored in LDAP, but I've got one outstanding
problem.

The local /etc/passwd contains the root user account - this is the way I
want it, so at least root can log in and do stuff if LDAP isn't working.
However, I can't get it working so that root and LDAP users can change
passwords. However I change the /etc/pam.d/passwd file, I can get either
LDAP password changing working, or local, but not both. I want it to
attempt to change the password in LDAP first, and then fall back to
local password changing if the user doesn't exist in LDAP, but it won't
play:-

/etc/pam.d/passwd
=======================================
password sufficient pam_ldap.so
password required   pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass

You are missing "use_authtok".

About the above, I would probably have pam_unix before pam_ldap. What order you have the two (pam_ldap and pam_unix) should be the same for account/auth/password.

It might also be good to specify which Linux distribution and what version you are using next time...

For a user in LDAP, but not in /etc/passwd:-

[fred@nunki fred]$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for fred
passwd: password updated successfully

For root:-

[root@nunki pam.d]# passwd
passwd: Authentication information cannot be recovered
Any help would be much appreciated.

Mike.
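As an added illustration, not taken from either message in this thread, here is a stack written the way the reply suggests: pam_unix ahead of pam_ldap, both given use_authtok so they take the new password that an earlier module has already collected, and an auth stack in the same module order. The pam_unix options are the ones from Mike's own line; pam_cracklib as the module that prompts for the new password once and stores it, and pam_deny as the final catch-all, are assumptions of this example and may need adjusting for the distribution in use.

```text
# /etc/pam.d/passwd (password stack) and the matching auth stack.
# Added example, not the configuration from the thread.

# pam_cracklib (assumed available) asks for the new password once and stores it
# as the stack's authentication token; "requisite" stops here if the check fails.
password  requisite   pam_cracklib.so retry=3
# pam_unix first: handles root and any other /etc/passwd user and ends the stack.
# use_authtok makes it reuse the token pam_cracklib stored instead of prompting.
password  sufficient  pam_unix.so nullok obscure min=4 max=8 md5 use_authtok
# pam_ldap second: reached only when pam_unix does not know the user (e.g. fred).
password  sufficient  pam_ldap.so use_authtok
# Nothing above succeeded: fail explicitly rather than fall off the end.
password  required    pam_deny.so

# Same module order for authentication, as the reply recommends.
auth      sufficient  pam_unix.so nullok
auth      sufficient  pam_ldap.so use_first_pass
auth      required    pam_deny.so
```

With this order root is handled by pam_unix, while an LDAP-only user falls through pam_unix (unknown user) to pam_ldap. That is also consistent with why the original layout failed for root: use_first_pass told pam_unix to take the new password from the stack, and pam_ldap, having failed for a user it does not know, had stored nothing there, which is the condition "Authentication information cannot be recovered" reports.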