Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]

On Fri, May 04, 2007 at 06:19:34PM -0400, Roberto C. Sánchez wrote:
> On Fri, May 04, 2007 at 02:49:40PM -0700, Steve Langasek wrote:

> > It means that pam_unix is able to access your shadow hash on behalf of the
> > user, when using root privileges (which is expected and required in the case
> > where you want to support password changes via pam_ldap); and that if
> > pam_unix is listed first in common-auth before pam_ldap, that this is what
> > is going to be done for all logins.

> auth    sufficient      pam_ldap.so
> auth    sufficient      pam_unix.so nullok_secure try_first_pass

> So in my case, the shadow hash is not being accessed, correct?


> I have "pam_password exop" in both /etc/pam_ldap.conf and
> /etc/libnss-ldap.conf.  So, AIUI, the hash is not leaving the server for
> the password change.  Correct?

Sounds right, but I don't put passwords in LDAP so I'm not sure.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
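The ordering point in the thread (whether pam_unix, and with it a root-privileged read of the shadow hash, is reached at all when pam_ldap is listed first as `sufficient`) can be checked by simulating the auth stack. The following is an added example, not code from the thread or from Linux-PAM; the two stacks are constructed, and only the four simple control flags are modelled (the `[value=action]` syntax is not).

```python
"""Simulate a PAM 'auth' stack and report which modules actually get called."""

# Constructed stack in the same order as the one quoted in the thread.
LDAP_FIRST = """
auth    sufficient      pam_ldap.so
auth    sufficient      pam_unix.so nullok_secure try_first_pass
"""

# Constructed alternative: pam_unix listed before pam_ldap.
UNIX_FIRST = """
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so use_first_pass
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility; '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        entries.append((parts[1], parts[2], parts[3:]))
    return entries


def modules_evaluated(stack, results):
    """Walk the stack with pam(8) semantics for the simple control flags.

    `results` maps module name -> True (PAM_SUCCESS) / False (failure); a
    module absent from the map is treated as failing.  Returns
    (overall_success, [modules that were actually called]).
    """
    called, required_failed = [], False
    for control, module, _args in stack:
        called.append(module)
        ok = results.get(module, False)
        if control == "sufficient" and ok and not required_failed:
            return True, called      # short-circuit: later modules never run
        if control == "requisite" and not ok:
            return False, called     # immediate failure, stack aborted
        if control == "required" and not ok:
            required_failed = True   # remembered, but the stack keeps going
        # 'optional', and any successful required/requisite, just continue
    return (not required_failed) and any(results.get(m, False) for m in called), called


def shadow_consulted(stack, results):
    """True if pam_unix.so was reached, i.e. the shadow hash would be read."""
    return "pam_unix.so" in modules_evaluated(stack, results)[1]
```

For an LDAP-only user (`pam_ldap` succeeds, `pam_unix` fails), `shadow_consulted` is False for the quoted ordering and True when pam_unix is listed first; when both modules fail, every module is called in either ordering.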

