Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
On Fri, May 04, 2007 at 06:19:34PM -0400, Roberto C. Sánchez wrote:
> On Fri, May 04, 2007 at 02:49:40PM -0700, Steve Langasek wrote:
> > It means that pam_unix is able to access your shadow hash on behalf of the
> > user, when using root privileges (which is expected and required in the case
> > where you want to support password changes via pam_ldap); and that if
> > pam_unix is listed first in common-auth before pam_ldap, that this is what
> > is going to be done for all logins.
> auth sufficient pam_ldap.so
> auth sufficient pam_unix.so nullok_secure try_first_pass
> So in my case, the shadow hash is not being accessed, correct?
Correct.
> I have "pam_password exop" in both /etc/pam_ldap.conf and
> /etc/libnss-ldap.conf. So, AIUI, the hash is not leaving the server for
> the password change. Correct?
Sounds right, but I don't put passwords in LDAP so I'm not sure.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
vorlon@debian.org                http://www.debian.org/
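The point Steve makes above (with pam_unix first in common-auth, the shadow hash is looked up for every login; with pam_ldap first, an LDAP user's login never touches it) follows from how Linux-PAM walks an auth stack with `sufficient` and `required` entries. The following Python is an added illustration, not code from the thread or from Linux-PAM or pam_ldap: it parses two constructed common-auth fragments, simulates the control-flag semantics, and records which backend each login consults. The user names, secrets and config texts are made up for the demo, `[...]` bracket controls and `@include` lines are not handled, and secrets are compared as plain strings because the question is which module runs, not how hashing works. A small `pam_password_mode` helper (also hypothetical) just reads the `pam_password` line that Roberto refers to.

```python
"""Simulate how Linux-PAM walks the 'auth' stack for the two common-auth
orderings in the thread, recording which backend each login consults.

Added example; not the mailing-list post's or Linux-PAM's own code. All
config fragments, users and secrets are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed common-auth fragments (assumed layouts, not a real host's config).
LDAP_FIRST = """\
# pam_ldap consulted first, as in the quoted config
auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok_secure try_first_pass
auth required   pam_deny.so
"""
UNIX_FIRST = """\
# pam_unix consulted first: the shadow entry is looked up for every login
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""


@dataclass
class Entry:
    control: str
    module: str
    args: List[str]


def parse_auth_stack(text: str) -> List[Entry]:
    """Keep the 'auth <control> <module> [args]' lines of a pam.d-style file."""
    stack = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            stack.append(Entry(parts[1], parts[2], parts[3:]))
    return stack


@dataclass
class Backends:
    """Toy user stores: local accounts (shadow) and directory accounts (LDAP)."""
    shadow: Dict[str, str]
    ldap: Dict[str, str]
    shadow_reads: List[str] = field(default_factory=list)  # users whose shadow entry was read
    ldap_binds: List[str] = field(default_factory=list)    # users pam_ldap tried to bind as

    def call(self, module: str, user: str, password: str) -> bool:
        if module == "pam_unix.so":
            # pam_unix must read the shadow entry (directly as root, or via the
            # setuid unix_chkpwd helper) before it can compare anything.
            self.shadow_reads.append(user)
            return self.shadow.get(user) == password
        if module == "pam_ldap.so":
            self.ldap_binds.append(user)
            return self.ldap.get(user) == password
        if module == "pam_deny.so":
            return False
        raise ValueError(f"no simulation for {module}")


def walk_auth_stack(stack: List[Entry], backends: Backends, user: str, password: str) -> bool:
    """Simplified Linux-PAM semantics for sufficient/required/requisite/optional."""
    required_failed = False
    succeeded = False
    for entry in stack:
        ok = backends.call(entry.module, user, password)
        if entry.control == "sufficient":
            if ok and not required_failed:
                return True               # success short-circuits the rest of the stack
        elif entry.control == "required":
            if ok:
                succeeded = True
            else:
                required_failed = True    # remembered, but the walk continues
        elif entry.control == "requisite":
            if not ok:
                return False              # failure aborts immediately
            succeeded = True
        elif entry.control != "optional":
            raise ValueError(f"unsupported control flag {entry.control}")
    return succeeded and not required_failed


def login(config: str, user: str, password: str,
          shadow: Dict[str, str], ldap: Dict[str, str]) -> Tuple[bool, List[str], List[str]]:
    """Run one login through `config`; return (result, shadow entries read, LDAP binds tried)."""
    b = Backends(shadow=shadow, ldap=ldap)
    ok = walk_auth_stack(parse_auth_stack(config), b, user, password)
    return ok, b.shadow_reads, b.ldap_binds


def pam_password_mode(pam_ldap_conf: str) -> Optional[str]:
    """Return the `pam_password` value of a pam_ldap.conf-style text (e.g. 'exop'), if set."""
    for raw in pam_ldap_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "pam_password":
            return parts[1]
    return None


if __name__ == "__main__":
    # Constructed accounts: alice exists only in LDAP, bob only in /etc/shadow.
    shadow = {"bob": "bob-local-secret"}
    ldap = {"alice": "alice-dir-secret"}
    for name, cfg in (("ldap first", LDAP_FIRST), ("unix first", UNIX_FIRST)):
        for user, pw in (("alice", "alice-dir-secret"), ("bob", "bob-local-secret")):
            ok, reads, binds = login(cfg, user, pw, shadow, ldap)
            print(f"{name:10} {user}: ok={ok} shadow_reads={reads} ldap_binds={binds}")
    print("pam_password =", pam_password_mode("pam_password exop\n"))
```

With `LDAP_FIRST`, alice's login is settled by pam_ldap and `shadow_reads` stays empty, while bob's login falls through to pam_unix only after the LDAP bind fails; with `UNIX_FIRST`, every login, alice's included, reads a shadow entry before pam_ldap is ever asked. That is the difference Steve describes, and it is what determines whether pam_unix (or its setuid helper) needs to run with privilege for a given stack.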