
Re: [SOLVED] Pam password authentication



I have solved this issue; unfortunately I don't think I sent it back to the mailing list. It was to do with my combination of required and sufficient, and I lacked pam_deny.so. I replaced it with:

auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn 
auth            required        pam_unix.so             no_warn use_first_pass

And this seems to have corrected the behaviour.

On 07/06/2010, at 7:31 PM, Buchan Milne wrote:

> On Saturday, 5 June 2010 22:52:10 Siddhartha Jain wrote:
>> I came across a similar bug where enabling chaining between a master and
>> slave allows invalid passwords to be accepted by pam_ldap. Unfortunately,
>> no word from OpenLDAP or pam_ldap maintainers on the issue.
> 
> Did you file an ITS?
> 
>> I have been
>> looking at pam_ldap source code but haven't been able to pinpoint the
>> issue. In my case, it has something to do with password policy not being
> handled properly when chaining is enabled. I suggest you try tweaking those
>> "pam_password" statements and see if you can deduce anything.
> 
> Well, the first thing would be to be absolutely sure the PAM config is correct, 
> I haven't had time to compare, my PAM config is quite a bit more complex (with 
> pam_ccreds in the mix), but I do have a required pam_deny.so at the end of 
> mine ... (and I can't remember if it is a requirement because of the two 
> "sufficient"'s, or because of the pam_ccreds stuff which follows).
> 
> Regards,
> Buchan
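
Added example, not part of the original messages: a small linter for the point made in this thread, that a stack using `sufficient` entries should be followed by something mandatory (a `required` pam_deny.so, or the `required` pam_unix.so in the corrected stack). It assumes plain control keywords only (no bracketed controls); the function names and the `WEAK` sample are constructed for illustration.

```python
MANDATORY = {"required", "requisite", "binding"}

# The corrected auth stack as posted in the message above.
POSTED = """
auth  sufficient  pam_opie.so                 no_warn no_fake_prompts
auth  requisite   pam_opieaccess.so           no_warn allow_local
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth  required    pam_unix.so                 no_warn use_first_pass
"""

# Constructed sample: nothing mandatory after the last 'sufficient' entry.
WEAK = """
auth  requisite   pam_opieaccess.so           no_warn allow_local
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth  sufficient  pam_unix.so                 no_warn use_first_pass
"""

# Constructed sample: the same stack closed with an explicit deny.
WEAK_FIXED = WEAK + "auth  required    pam_deny.so\n"


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility of a pam.d-style file."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack


def lint_fallthrough(text, facility="auth"):
    """Flag a stack where no mandatory entry follows the last 'sufficient' one."""
    stack = parse_stack(text, facility)
    if not stack:
        return [f"no {facility} entries found"]
    controls = [control for control, _, _ in stack]
    if "sufficient" not in controls:
        return []
    last = len(controls) - 1 - controls[::-1].index("sufficient")
    if any(control in MANDATORY for control in controls[last + 1:]):
        return []
    return [f"{stack[last][1]}: last 'sufficient' entry has no required/requisite/"
            "binding entry after it; end the stack with e.g. 'required pam_deny.so'"]


if __name__ == "__main__":
    for name, cfg in (("POSTED", POSTED), ("WEAK", WEAK), ("WEAK_FIXED", WEAK_FIXED)):
        print(name, lint_fallthrough(cfg) or "ok")
```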