pam_passwdqc ldap problems

Adams, Chris M, CTR,, DMDCWEST Adamscm at osd.pentagon.mil
Tue Aug 24 23:29:23 UTC 2004



> You should have stacked pam_passwdqc after pam_dhkeys, not before.
> And there should be no need for "ask_oldauthtok=update
> check_oldauthtok" on your recent/patched Solaris 8 (it's almost
> Solaris 9 in fact).

Thanks for the info, although changing the order there didn't fix the
problem.  When I took out the ask_oldauthtok=update check_oldauthtok, it
went back to failing at the very end.  When I put them back in, it works
just like before, even with the order swapped.  I don't think the ordering
should matter in this case since pam_dhkeys is used for diffie-hellman keys
and secure rpc, which we aren't using.

I had tried both scenarios listed in PLATFORMS, and since I have patch
108993-33, I originally commented out pam_authtok_get and pam_authtok_check,
but had to use the ask_oldauthtok=update check_oldauthtok options to get it
to work, so it's sort of a kludge of both scenarios.

We don't use pam_ldap, so I don't know what other modules to check.

I also tried using only one of ask_oldauthtok=update or check_oldauthtok,
but that didn't work either.

LDAP passwords update just fine when the user enters their current password
twice, which makes me wonder if it has something to do with how
pam_authtok_store gets the token from the preceding module?

> Also, I'm not sure what you're trying to achieve with "match=0
> similar=deny"?  (This is not related to the problem at hand, but
> simply looks weird to me.)
> 

I'm not sure what I was trying to go for here either now.  I definitely
wanted the similar=deny, but I don't know why I disabled the substring
search.

Thanks again for the help.

Chris
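For reference, a Solaris-style pam.conf "password" stack laid out in the order the quoted reply recommends (pam_dhkeys before pam_passwdqc, pam_authtok_store last). This is an added illustration, not the poster's pam.conf or the PLATFORMS text; the /usr/lib/security/$ISA/ module paths and the enforce=everyone option are assumptions.

```text
# Constructed example of a password stack for a patched Solaris 8 host.
# Order matters for how the new token is passed down the stack:
#  1. pam_dhkeys      - Secure RPC credentials (harmless if not used)
#  2. pam_passwdqc    - prompts for and checks the new password
#  3. pam_authtok_store - writes the token obtained above to the backend (LDAP here)
#
# pam_authtok_get / pam_authtok_check are left out because pam_passwdqc
# does its own prompting and quality checks.  ask_oldauthtok=update and
# check_oldauthtok are deliberately absent: the quoted reply says they should
# not be needed on this patch level, and similar=deny keeps substring
# matching against the old password enabled (no match=0).
other   password required   /usr/lib/security/$ISA/pam_dhkeys.so.1
other   password requisite  /usr/lib/security/$ISA/pam_passwdqc.so enforce=everyone similar=deny
other   password required   /usr/lib/security/$ISA/pam_authtok_store.so.1
```

If the store step still fails only when the new password is entered (but not when the user re-enters the current one), the point to check is whether pam_authtok_store is receiving the new token pam_passwdqc set, rather than the module order itself.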
