
RE: Filter to AND with uid=%s



After much caffeine, I have some answers.  Red Hat 7.0
changed the pam.d config files to use pam_unix rather
than pam_pwdb, which I had been using.  The pam_unix
module is making a system call to get a user's password.
This system call is getting the LDAP passwords via 
nss_ldap.  So, even though the pam_ldap check fails, the
pam_unix succeeds because the encrypted password passes
the pam_unix test.

So, to resolve this problem, I've gone back to using 
pam_pwdb, as it appears to look at files directly rather
than making system calls.

Interesting,
Kelli

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
Behalf Of Kelli Wolfe
Sent: Thursday, October 05, 2000 8:37 AM
To: pam-list@redhat.com
Subject: Filter to AND with uid=%s


Hello,

I thought I had limiting of machine access working, until I
started encrypting the passwords.  I am using the following
in my /etc/ldap.conf file on the client machine that I want
to limit access to:

# Filter to AND with uid=%s
pam_filter &(objectclass=account) (host=amitri.iw.mcld.net)

If the user's password is clear text, I see this test in the
/var/log/ldap.log as I'm trying to log in:

Oct  5 08:21:53 avalanche slapd[31216]: conn=809 op=1 SRCH
base="DC=MCLD,DC=NET" scope=2
filter="(&(&(objectclass=ACCOUNT)(host=AMITRI.IW.MCLD.NET))(uid=KELLI))"

If the password is encrypted, I never see this test in the
log file and the user can log into the box even though
they're not allowed.  It appears that if the password is
encrypted, the filter isn't used.  That strikes me as odd.

Any thoughts would be great!
Kelli
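As an added illustration of the bypass Kelli describes (this is not code from the thread), the model below evaluates Linux-PAM "required"/"sufficient" control flags for an assumed Red Hat 7.0 style auth stack; the page does not quote the real /etc/pam.d file, so the module order and the per-module outcomes are constructed.

```python
# Added example, not from the mailing-list thread. Minimal model of the
# Linux-PAM "required" and "sufficient" control flags; the stacks and the
# module outcomes below are assumptions constructed to match the thread.

def evaluate_stack(stack, results):
    """Evaluate [(control, module), ...] against per-module outcomes.

    results maps module name -> True (PAM_SUCCESS) or False (failure).
      required   - a failure is remembered, later modules still run
      sufficient - success ends the stack with PAM_SUCCESS unless an
                   earlier 'required' module failed; failure is ignored
    Returns True when the stack as a whole grants access.
    """
    required_failed = False
    for control, module in stack:
        ok = results[module]
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not required_failed

# Assumed weak stack: pam_unix runs first and is sufficient on its own.
WEAK_AUTH = [("sufficient", "pam_unix"),
             ("sufficient", "pam_ldap"),
             ("required", "pam_deny")]

# Hardened stack: pam_ldap (and so its pam_filter host check) must pass
# before any 'sufficient' module may end the stack successfully.
FIXED_AUTH = [("required", "pam_ldap"),
              ("sufficient", "pam_unix"),
              ("required", "pam_deny")]

# Constructed outcomes for the thread's situation: nss_ldap hands pam_unix
# the LDAP password hash, so pam_unix verifies it, while the (host=...)
# term of pam_filter excludes the user on this machine, so pam_ldap fails.
HOST_NOT_ALLOWED = {"pam_unix": True, "pam_ldap": False, "pam_deny": False}
# The same user logging in on a host the filter permits.
HOST_ALLOWED = {"pam_unix": True, "pam_ldap": True, "pam_deny": False}
# Kelli's workaround: pam_pwdb reads the password files directly, never
# sees the LDAP hash, and therefore fails (modelled in the pam_unix slot).
PWDB_WORKAROUND = {"pam_unix": False, "pam_ldap": False, "pam_deny": False}
```

With the weak stack, HOST_NOT_ALLOWED is granted access because pam_unix short-circuits before pam_ldap ever runs its filtered search, which matches the missing SRCH line in the slapd log; the hardened stack rejects it.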



_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list