From owner-freebsd-ports@FreeBSD.ORG Sun Aug 28 16:29:57 2005
From: Adam Pordzik
To: Konstantin Saurbier
Cc: ports@freebsd.org
Date: Sun, 28 Aug 2005 18:29:52 +0200
Message-ID: <4311E680.3000903@gmx.de>
References: <20050826121256.GB19571@math.uni-bielefeld.de> <4310E78B.8000209@gmx.de> <20050828141155.GA30926@math.uni-bielefeld.de>
In-Reply-To: <20050828141155.GA30926@math.uni-bielefeld.de>
Subject: Re: security/pam_ldap - update to version 1.8.0

Konstantin Saurbier wrote:

>> This bug affects only entries of the "passwordPolicy" class, so it's
>> not very wicked.
>
> I know, but there's no reason not to fix the port :-)

Yes, but this fix doesn't really fix it either. ;-) It might "prevent" users from logging in already if the PasswordPolicyResponse returns a warning that their password is only about to expire.

>> Since pam_unix.so grants access to everybody in account stage, pam_ldap
>> should be made "required" here, if you want PAM more than just _saying_
>> "Access denied for this host". Hence a line

Perhaps pam_unix should be revised?

> Good point. I fixed the patch, it's attached and can also be found at
> http://www.math.uni-bielefeld.de/~saurbier/patches/pam_ldap.patch

Annot.: I only tested it against accounts with the host attribute set. Has anyone tested whether it works with some of the shadow attributes, e.g. shadowExpire?

> +auth		sufficient	pam_ldap.so	no_warn try_first_pass
> +account	required	pam_ldap.so	ignore_unknown_user ignore_authinfo_unavail
> +session	optional	pam_ldap.so
> ================================================================================

With

    password	sufficient	pam_ldap.so	use_first_pass

and a similar patch against /usr/src/usr.bin/passwd/passwd.c, one can also allow users to change their password with passwd(1):

%diff -u passwd.c.orig passwd.c
--- /usr/src/usr.bin/passwd/passwd.c.orig	Mon May 24 19:41:40 2004
+++ /usr/src/usr.bin/passwd/passwd.c	Tue Aug 31 18:03:00 2004
@@ -121,8 +121,7 @@
 		break;
 	default:
 		/* XXX: Green men ought to be supported via PAM. */
-		errx(1,
-		    "Sorry, `passwd' can only change passwords for local or NIS users.");
+		fprintf(stderr, "Now you can change LDAP passwords via PAM\n");
 	}

Of course, to also allow root/administrators to change users' passwords, it needs an appropriate "rootbinddn ..." in ldap.conf. But I have to check that again, because chsh for LDAP accounts here creates a local account instead of modifying the directory.

A
--
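Review bot: on the quoted `+account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail` line, ignore_authinfo_unavail takes pam_ldap out of the verdict whenever the directory cannot be reached, so a host-attribute restriction that only pam_ldap enforces is silently not enforced while the LDAP server is down and the pam_unix.so account check (which, as the quoted text says, succeeds for everybody) decides alone. That availability-over-enforcement trade-off should be stated in a comment next to the line, or the option dropped where the host restriction is the point of making pam_ldap "required".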
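Review bot: in the `default:` case of the passwd.c hunk, replacing `errx(1, ...)` with `fprintf(stderr, ...)` turns a hard exit into a fall-through for every user that is neither local nor NIS, not only LDAP users, and prints "Now you can change LDAP passwords via PAM" even on systems where no PAM password module is configured to handle the change. Consider leaving the default case silent (or limiting the message to the case where the PAM password path is actually taken) rather than announcing LDAP support unconditionally, and note that the text goes to stderr although it no longer reports an error.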
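To make the control-flag argument in the thread concrete, here is a small added example (not code from the thread, pam_ldap or FreeBSD): a simplified model of OpenPAM-style dispatch with constructed module results, showing that `account sufficient pam_ldap.so` cannot deny a host-restricted user when pam_unix.so succeeds, while `required` can, and what ignore_authinfo_unavail does when the directory is unreachable. The simplified dispatch rules and the assumption that pam_unix always succeeds in the account stage are mine.

```python
# Added example: simplified model of how a PAM dispatcher combines module
# results within one facility (account). Module results are constructed;
# real dispatchers have more cases (binding, PAM_NEW_AUTHTOK_REQD, ...).
SUCCESS, IGNORE, DENIED, UNAVAIL = (
    "PAM_SUCCESS", "PAM_IGNORE", "PAM_PERM_DENIED", "PAM_AUTHINFO_UNAVAIL")

def run_chain(chain, results):
    """Return the facility verdict for a chain of (flag, module) pairs."""
    first_failure = None   # error of the first failed 'required' module
    any_success = False
    for flag, module in chain:
        r = results[module]
        if r == IGNORE:        # module asked to be left out of the verdict
            continue
        if flag == "requisite":
            if r != SUCCESS:
                return r       # stop the chain immediately
            any_success = True
        elif flag == "required":
            if r != SUCCESS:
                first_failure = first_failure or r   # remember, keep going
            else:
                any_success = True
        elif flag == "sufficient":
            if r == SUCCESS and first_failure is None:
                return SUCCESS # short-circuit: later modules are not consulted
            # a failing 'sufficient' module never fails the chain by itself
        elif flag == "optional" and r == SUCCESS:
            any_success = True
    if first_failure:
        return first_failure
    return SUCCESS if any_success else DENIED

# Account stacks: pam_ldap first, then pam_unix, which (as the thread
# notes) succeeds for everybody in the account stage.
ORIGINAL = [("sufficient", "pam_ldap"), ("required", "pam_unix")]
PATCHED  = [("required",   "pam_ldap"), ("required", "pam_unix")]

def account_verdict(chain, ldap_result, ignore_authinfo_unavail=False):
    """Verdict of the account facility for a given pam_ldap result."""
    if ldap_result == UNAVAIL and ignore_authinfo_unavail:
        ldap_result = IGNORE   # the option turns the error into PAM_IGNORE
    return run_chain(chain, {"pam_ldap": ldap_result, "pam_unix": SUCCESS})

if __name__ == "__main__":
    print("host denied, sufficient:", account_verdict(ORIGINAL, DENIED))
    print("host denied, required:  ", account_verdict(PATCHED, DENIED))
    print("LDAP down, ignore_authinfo_unavail:",
          account_verdict(PATCHED, UNAVAIL, ignore_authinfo_unavail=True))
```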