[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Pam password authentication

To: openldap-technical@openldap.org
Subject: Re: Pam password authentication
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Mon, 7 Jun 2010 11:01:50 +0100
Cc: Siddhartha Jain <sjain@silverspringnet.com>
In-reply-to: <C830151A.209D%sjain@silverspringnet.com>
References: <C830151A.209D%sjain@silverspringnet.com>
User-agent: KMail/1.12.4 (Linux/2.6.31.13-desktop-1mnb; KDE/4.3.5; x86_64; ; )

On Saturday, 5 June 2010 22:52:10 Siddhartha Jain wrote:
> I came across a similar bug where enabling chaining between a master and
>  slave allows invalid passwords to be accepted by pam_ldap. Unfortunately,
>  no word from OpenLDAP or pam_ldap maintainers on the issue.

Did you file an ITS?

>  I have been
>  looking at pam_ldap source code but haven't been able to pinpoint the
>  issue. In my case, it has something to do with password policy not being
>  handled properly when chaining is enabled. I suggest try tweaking those
>  "pam_password" statements and see if you can deduce anything.

Well, the first thing would be to be absolutely sure the PAM config is correct, 
I haven't had time to compare, my PAM config is quite a bit more complex (with 
pam_ccreds in the mix), but I do have a required pam_deny.so at the end of 
mine ... (and I can't remember if it is a requirement because of the two 
"sufficient"'s, or because of the pam_ccreds stuff which follows).

Regards,
Buchan

Follow-Ups:
- Re: [SOLVED] Pam password authentication
  - From: Indexer <indexer@internode.on.net>

References:
- Re: Pam password authentication
  - From: Siddhartha Jain <sjain@silverspringnet.com>

Prev by Date: Re: smbk5pwd: ldappassword hangs
Next by Date: Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]
Index(es):
- Chronological
- Thread