
Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]



On Fri, May 04, 2007 at 04:39:02PM -0700, Steve Langasek wrote:
> On Fri, May 04, 2007 at 06:19:34PM -0400, Roberto C. Sánchez wrote:
> > On Fri, May 04, 2007 at 02:49:40PM -0700, Steve Langasek wrote:
> 
> > > It means that pam_unix is able to access your shadow hash on behalf of the
> > > user, when using root privileges (which is expected and required in the case
> > > where you want to support password changes via pam_ldap); and that if
> > > pam_unix is listed first in common-auth before pam_ldap, this is what
> > > is going to be done for all logins.
> 
> > auth    sufficient      pam_ldap.so
> > auth    sufficient      pam_unix.so nullok_secure try_first_pass
> 
> > So in my case, the shadow hash is not being accessed, correct?
> 
> Correct.
> 
> > I have "pam_password exop" in both /etc/pam_ldap.conf and
> > /etc/libnss-ldap.conf.  So, AIUI, the hash is not leaving the server for
> > the password change.  Correct?
> 
> Sounds right, but I don't put passwords in LDAP so I'm not sure.
> 
OK.  Thanks for the clarification.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Attachment: signature.asc
Description: Digital signature
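The ordering question in the thread (does pam_unix.so sit before or after pam_ldap.so in the auth stack, and is pam_password set to exop) is easy to get wrong on a hand-edited box, so here is a small checker as an added example. It is not part of the thread or of any Debian package: the sample common-auth and pam_ldap.conf files are constructed inline (the first stack reproduces the two lines Roberto quoted, the second swaps them into the order Steve describes), and the function names auth_stack, auth_order and ldap_password_method are my own. It only reports what the files say; whether the hash leaves the server under exop is the point Steve explicitly left unconfirmed above.

```shell
#!/bin/sh
# Added example (not from the thread): parse the "auth" management group of a
# PAM service file in stack order, report whether pam_unix.so is listed before
# pam_ldap.so, and read the pam_password method from a pam_ldap.conf.
# All sample files are constructed here; the function names are my own.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The common-auth stack as quoted in the thread (pam_ldap first).
THREAD_COMMON_AUTH="$WORK/common-auth.ldap-first"
cat >"$THREAD_COMMON_AUTH" <<'EOF'
# /etc/pam.d/common-auth (constructed sample, ordering from the thread)
auth    sufficient      pam_ldap.so
auth    sufficient      pam_unix.so nullok_secure try_first_pass
EOF

# The same two modules swapped: the ordering Steve describes, where pam_unix
# consults the shadow hash for every login.
SWAPPED_COMMON_AUTH="$WORK/common-auth.unix-first"
cat >"$SWAPPED_COMMON_AUTH" <<'EOF'
# /etc/pam.d/common-auth (constructed sample, pam_unix first)
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so try_first_pass
EOF

# A minimal pam_ldap.conf carrying the setting Roberto mentions.
SAMPLE_PAM_LDAP_CONF="$WORK/pam_ldap.conf"
cat >"$SAMPLE_PAM_LDAP_CONF" <<'EOF'
# /etc/pam_ldap.conf (constructed sample)
# pam_password crypt
pam_password exop
EOF

# Print "<control> <module>" for each auth line, in stack order. Comments,
# blank lines, @include lines and the other management groups are skipped.
auth_stack() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "auth" { print $2, $3 }
    ' "$1"
}

# Report "unix-first", "ldap-first", or "missing" if either module is absent
# from the auth stack.
auth_order() {
    auth_stack "$1" | awk '
        $2 == "pam_unix.so" && !u { u = NR }
        $2 == "pam_ldap.so" && !l { l = NR }
        END {
            if (!u || !l)   print "missing"
            else if (u < l) print "unix-first"
            else            print "ldap-first"
        }
    '
}

# Print the value of the last uncommented pam_password directive, or "unset".
ldap_password_method() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "pam_password" { v = $2 }
        END { if (v == "") v = "unset"; print v }
    ' "$1"
}

# Stand-alone run: show the verdict for both stacks and the password method.
for f in "$THREAD_COMMON_AUTH" "$SWAPPED_COMMON_AUTH"; do
    printf '%s: %s\n' "$f" "$(auth_order "$f")"
    auth_stack "$f" | sed 's/^/    /'
done
printf 'pam_password method: %s\n' "$(ldap_password_method "$SAMPLE_PAM_LDAP_CONF")"
```

Point auth_order at a real /etc/pam.d/common-auth to see which module gets the password first; note that a Debian common-auth pulled in via @include is not followed by this checker, so run it on the included file itself.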

