
RE: Filter to AND with uid=%s



Red Hat 7.0 changed to a "stack" system for the /etc/pam.d 
files. These all point to system-auth, which only has pam_unix
and pam_ldap in it.  I did look at the files you suggested and 
they have pam_ldap and pam_unix for auth and then pam_ldap and 
pam_pwdb for password.

I'm curious why going to pam_pwdb would be a bad thing?  Either
one works for LDAP authentication, it's just that the pam_pwdb
doesn't get a password for an LDAP account, whereas pam_unix does.

Thanks for the info,
Kelli

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com] On
Behalf Of Michael A. Dietz
Sent: Friday, October 06, 2000 10:47 AM
To: pam-list@redhat.com
Subject: RE: Filter to AND with uid=%s


I looked at the pam.d/login modules for nss_ldap in redhat 6.2 and redhat
7.0.  They both used a combination of pam_unix and pam_pwdb for
authentication, (in fact the files are the same).  Did you copy (or at
least compare) the files from /usr/share/doc/nss_ldap-113/pam.d to your
/etc/pam.d directory ?

On Fri, 6 Oct 2000, Kelli Wolfe wrote:

> After much caffeine, I have some answers.  Red Hat 7.0
> changed the pam.d config files to use pam_unix rather
> than pam_pwdb, which I had been using.  The pam_unix
> module is making a system call to get a user's password.
> This system call is getting the LDAP passwords via 
> nss_ldap.  So, even though the pam_ldap check fails, the
> pam_unix succeeds because the encrypted password passes
> the pam_unix test.
> 
> So, to resolve this problem, I've gone back to using 
> pam_pwdb, as it appears to look at files directly rather
> than making system calls.

Not sure this is a good thing if you are using ldap for authentication.
 
> Interesting,
> Kelli
> 
> -----Original Message-----
> From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com] On
> Behalf Of Kelli Wolfe
> Sent: Thursday, October 05, 2000 8:37 AM
> To: pam-list@redhat.com
> Subject: Filter to AND with uid=%s
> 
> 
> Hello,
> 
> I thought I had limiting of machine access working, until I
> started encrypting the passwords.  I am using the following
> in my /etc/ldap.conf file on the client machine that I want
> to limit access to:
> 
> # Filter to AND with uid=%s
> pam_filter &(objectclass=account) (host=amitri.iw.mcld.net)
> 
> If the user's password is clear text, I see this test in the
> /var/log/ldap.log as I'm trying to log in:
> 
> Oct  5 08:21:53 avalanche slapd[31216]: conn=809 op=1 SRCH
> base="DC=MCLD,DC=NET" scope=2
> filter="(&(&(objectclass=ACCOUNT)(host=AMITRI.IW.MCLD.NET))(uid=KELLI))"
> 
> If the password is encrypted, I never see this test in the
> log file and the user can log into the box even though
> they're not allowed.  It appears that if the password is
> encrypted, the filter isn't used.  That strikes me as odd.
> 
> Any thoughts would be great!
> Kelli
> 
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
> 
> 
> 
> 

----------------
Running on Linux 2.4
Michael A. Dietz
mad099@dietznet.net



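The behaviour Kelli describes in this thread is a consequence of PAM control flags: when pam_unix sits ahead of pam_ldap as a "sufficient" module and succeeds with the hash that nss_ldap hands back, the stack returns success before pam_ldap (and therefore the pam_filter host check) is ever consulted, which is why the filter only shows up in slapd's log when the cleartext-password case makes pam_unix fail. The Python below is an added illustration, not code from the thread or from Linux-PAM: it simulates the required/requisite/sufficient/optional semantics over two constructed auth stacks, with module outcomes hardcoded as assumptions in place of real module calls.

```python
# Simulation of Linux-PAM auth-stack evaluation (added example, not from the thread).
# Module outcomes below are hardcoded assumptions standing in for real PAM calls.

def run_stack(stack, outcomes):
    """Evaluate a PAM auth stack with simplified control-flag semantics.

    stack:    list of (control_flag, module_name) in file order.
    outcomes: module_name -> True (PAM_SUCCESS) / False (any failure).
    Returns (authenticated, modules_actually_consulted).
    """
    consulted = []
    required_failed = False
    for flag, module in stack:
        ok = outcomes[module]
        consulted.append(module)
        if flag == "required":            # failure is remembered, stack continues
            required_failed = required_failed or not ok
        elif flag == "requisite":         # failure ends the stack immediately
            if not ok:
                return False, consulted
        elif flag == "sufficient":        # success ends the stack, unless a
            if ok and not required_failed:  # required module has already failed
                return True, consulted
        elif flag != "optional":          # optional: result ignored here
            raise ValueError(f"unknown control flag {flag!r}")
    return not required_failed, consulted

# Constructed stacks (assumed orderings, not copied from any distribution file).
# UNIX_FIRST mirrors the situation in the thread: pam_unix is tried before pam_ldap.
# LDAP_GATE makes the LDAP check mandatory and runs it first.
UNIX_FIRST = [("sufficient", "pam_unix"), ("sufficient", "pam_ldap"),
              ("required", "pam_deny")]
LDAP_GATE = [("required", "pam_ldap"), ("sufficient", "pam_unix"),
             ("required", "pam_deny")]

# Assumed outcomes for a user whose pam_filter host clause excludes this machine:
# pam_ldap fails, pam_deny always fails, pam_unix depends on the stored password.
ENCRYPTED = {"pam_unix": True, "pam_ldap": False, "pam_deny": False}   # hash via nss_ldap matches
CLEARTEXT = {"pam_unix": False, "pam_ldap": False, "pam_deny": False}  # crypt() compare fails

if __name__ == "__main__":
    for name, stack in (("UNIX_FIRST", UNIX_FIRST), ("LDAP_GATE", LDAP_GATE)):
        for label, outcomes in (("encrypted", ENCRYPTED), ("cleartext", CLEARTEXT)):
            ok, seen = run_stack(stack, outcomes)
            print(f"{name:10} {label:9} -> {'ALLOW' if ok else 'DENY':5} consulted={seen}")
```

With UNIX_FIRST and an encrypted password only pam_unix is consulted, matching the missing filter search in ldap.log; note that making pam_ldap "required" as in LDAP_GATE also rejects any account that exists only in local files, so the gate is a trade-off rather than a drop-in fix.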




