Date: Sun, 28 Aug 2005 18:29:52 +0200
From: Adam Pordzik <adampordzik@gmx.de>
To: Konstantin Saurbier <saurbier@math.uni-bielefeld.de>
Cc: ports@freebsd.org
Subject: Re: security/pam_ldap - update to version 1.8.0
Message-ID: <4311E680.3000903@gmx.de>
In-Reply-To: <20050828141155.GA30926@math.uni-bielefeld.de>
References: <20050826121256.GB19571@math.uni-bielefeld.de> <4310E78B.8000209@gmx.de> <20050828141155.GA30926@math.uni-bielefeld.de>
Konstantin Saurbier wrote:
>>
>> This bug issues only entries of "passwordPolicy" Class, so it's
>> not very wicked.
>
> I know, but there's no reason not to fix the port :-)

Yes, but this fix doesn't really fix it either. ;-) It might "prevent" users from logging in already if a PasswordPolicyResponse returns a warning that its password is only about to expire.

>> Since pam_unix.so grants access to everybody in account stage, pam_ldap
>> should be made "required" here, if you want PAM more than just _saying_
>> "Access denied for this host". Hence a line

Perhaps pam_unix should be revised?

> Good point. I fixed the patch, it's attached and can also be found at
> http://www.math.uni-bielefeld.de/~saurbier/patches/pam_ldap.patch

Annot.: I only tested it against an account with the host attribute set. Has anyone tested whether it works with some of the shadow attributes, like shadowExpire, for example?

> +auth sufficient pam_ldap.so no_warn try_first_pass
> +account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
> +session optional pam_ldap.so
> ================================================================================

with

password sufficient pam_ldap.so use_first_pass

and a similar patch against /usr/src/usr.bin/passwd/passwd.c one can also allow users to change their password with passwd(1):

%diff -u passwd.c.orig passwd.c --- /usr/src/usr.bin/passwd/passwd.c.orig Mon May 24 19:41:40 2004 +++ /usr/src/usr.bin/passwd/passwd.c Tue Aug 31 18:03:00 2004 @@ -121,8 +121,7 @@ break; default: /* XXX: Green men ought to be supported via PAM. */ - errx(1, - "Sorry, `passwd' can only change passwords for local or NIS users."); + fprintf(stderr, "Now you can change LDAP passwords via PAM\n"); }

Of course, to also allow root/administrators to change users' passwords, it needs an appropriate "rootbinddn ..." in ldap.conf. But I have to check that again, because chsh for LDAP accounts here creates a local account instead of modifying the directory.

A
--
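Review bot: in the quoted pam.conf lines, `account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail` turns an unreachable directory into an ignored result for the account phase, and since the quoted text itself notes that pam_unix grants access to everybody in the account stage, the "Access denied for this host" restriction this patch is meant to enforce is silently bypassed whenever the LDAP server is down; `ignore_unknown_user` likewise waves through any user the directory does not know. Both are defensible as a deliberate local fallback, but the patch should document that choice rather than leave it implicit. The quoted hunk also carries no `password` line, so the `password sufficient pam_ldap.so use_first_pass` entry the reply relies on would need to be added to the same patch for passwd(1) to reach the directory at all.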
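Review bot: in the passwd.c hunk, the `default:` case now falls out of the switch with only a message, where it previously terminated the program via `errx(1, ...)`, so every password type not handled by an explicit case above it continues into the PAM path, not just the LDAP case the new message claims. If that is the intent, the text written to stderr reads as a success notice rather than a diagnostic and should state what actually happens (that the change is being delegated to PAM), and the `/* XXX: Green men ought to be supported via PAM. */` comment directly above should be updated or removed now that the code does exactly that. The `---`/`+++` headers also show the patch was taken against a May 2004 passwd.c, so it likely needs refreshing before it applies cleanly to current source.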