On Wed, May 09, 2007 at 02:58:06PM +0200, Martin Marcher wrote:
> Hello,
>
> I set up my system to authenticate against ldap,
>
> id ; getent passwd; getent group # all show the correct information
>

Do you also have ldap set up in your pam configuration? This is what I have:

common-account:
account sufficient pam_ldap.so

common-auth:
auth sufficient pam_ldap.so

common-password:
password sufficient pam_ldap.so

In each case, the line appears just before the corresponding pam_unix.so line.

> However when I su to a user and do passwd the following happens:
>
> $ passwd
> passwd: User not known to the underlying authentication module
> passwd: password unchanged
>
> Where do I tell passwd that my accounts are in ldap. (Or what even
> bugs me more is that the "pam_password_prohibit_message" aren't honored
> in the config file, seems I'm missing something)
>

In order to have the password change work on my systems, I put into
/etc/pam_ldap.conf and /etc/libnss-ldap.conf this line:

pam_password exop

That makes all the hashing occur on the LDAP server. That way, you can
store the passwords as MD5, SHA1 or whatever hash you want without
worrying if the clients know how to perform that hash.

Of course, as you may or may not notice, if the client does not need to
know the hashing algorithm: how does it send the password? In the
clear. So, you want to set up SSL and allow only ldaps:// access on
your network.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
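As an added example that is not part of this thread: a small POSIX shell check that audits a client-side pam_ldap.conf / libnss-ldap.conf for the two points discussed above, password changes delegated to the server via pam_password exop, and a TLS-protected connection so that the cleartext password exop sends is not exposed. It assumes the PADL-style key names (pam_password, uri, host, ssl); the sample file contents are constructed.

```shell
# Added example, not from the original thread. Audits a PADL-style
# pam_ldap.conf / libnss-ldap.conf for the two settings discussed above:
# "pam_password exop" (hashing delegated to the LDAP server) and a
# TLS-protected connection (ldaps:// URI, "ssl on" or "ssl start_tls"),
# since with exop the cleartext password travels to the server.
# Key names are assumed from pam_ldap.conf; sample contents are constructed.

# Print the value of key $2 in file $1 (last uncommented occurrence wins).
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" 2>/dev/null \
        | tail -n 1 | awk '{print $2}'
}

# 0 if password changes are delegated to the server via the exop method.
uses_exop() {
    [ "$(conf_value "$1" pam_password)" = "exop" ]
}

# 0 if the directory is reached over TLS, 1 otherwise.
uses_tls() {
    case "$(conf_value "$1" uri)" in ldaps://*) return 0 ;; esac
    case "$(conf_value "$1" ssl)" in on|start_tls) return 0 ;; esac
    return 1
}

# Report both findings; return 0 only when both hold.
check_pam_ldap_conf() {
    rc=0
    if uses_exop "$1"; then
        echo "ok:   pam_password exop (hashing done by the LDAP server)"
    else
        echo "warn: pam_password is not exop; passwd may fail or hash client-side"
        rc=1
    fi
    if uses_tls "$1"; then
        echo "ok:   connection uses TLS"
    else
        echo "warn: no ldaps:// or ssl setting; exop would send the password in the clear"
        rc=1
    fi
    return $rc
}

# Constructed sample: exop is set but the URI is plain ldap:// (the weak case).
sample=$(mktemp)
printf 'base dc=example,dc=com\nuri ldap://ldap.example.com/\npam_password exop\n' > "$sample"
check_pam_ldap_conf "$sample" || echo "sample config needs fixing"
rm -f "$sample"
```

The corrected form of the constructed sample is the same file with `uri ldaps://ldap.example.com/` (or `ssl start_tls` next to a `host` line), which the check then accepts.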