pam or ldap storing sessions with old passwords?

Ido Levy IDOL at il.ibm.com
Thu Apr 10 13:47:55 UTC 2008


It is a wild guess, but can you try restarting the nscd daemon and see if the problem still
exists.


> Hi,
>
> We're having a bit of a problem here at work and I can't seem to find a
> solution.
>
> Problem is:
> Whenever a user changes password in our ldap he/she is able to log in
> with both the old and the new password on some servers, even though
> there is only one user entry in ldap.
>
> It seems PAM or maybe LDAP stores a session with the old authentication
> so for an unknown amount of time (at least a week or till server reboot)
> the user can login with the old password.
>
> We have a lot of servers and it only seems to be a problem on RedHat
> Fedora 4. I can't reproduce the problem on RH Fedora 8.
>
> The RH4 PAM system-auth looks like this:
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass nodelay
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass debug
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> #session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
>
> Is there anyone who got any idea on why this is happening? It's quite
> the security problem :(
>
> Thanks
> --- Frank Nørvig
> http://www.noervig.dk
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
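An added example, not from the thread or from either poster's systems: the reply above points at nscd, which caches NSS passwd, group and hosts lookups for a configurable positive-time-to-live. In a stack like the one quoted, where pam_unix is tried as `sufficient` before pam_ldap and account data comes from nss_ldap, a passwd entry that nscd cached before the LDAP password change keeps being served until it expires or the cache is invalidated; whether that is what happened here depends on what nss_ldap returns for the account, and the thread leaves it as a guess. The script below, written for this page, parses a constructed nscd.conf sample and flags a passwd cache whose TTL exceeds a threshold. The directive names (`enable-cache`, `positive-time-to-live`, `check-files`) and the `nscd -i passwd` invalidation command are real glibc nscd features; the sample file contents, the 60-second threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Reads an nscd.conf and reports whether the
# passwd cache could keep serving a stale entry after an LDAP password change.
# The config below is a constructed sample in glibc's nscd.conf format.

SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# /etc/nscd.conf (constructed sample, not the original poster's file)
    logfile                 /var/log/nscd.log
    server-user             nscd
    debug-level             0

    enable-cache            passwd      yes
    # seconds a positive hit stays cached
    positive-time-to-live   passwd      600
    negative-time-to-live   passwd      20
    # check-files only watches /etc/passwd; an LDAP-side change is not noticed
    check-files             passwd      yes

    enable-cache            group       yes
    positive-time-to-live   group       3600
EOF

# Print the value of one directive for one database, ignoring comments.
# Usage: nscd_setting <conf> <directive> <database>
nscd_setting() {
    sed 's/#.*$//' "$1" | awk -v d="$2" -v db="$3" '$1 == d && $2 == db { print $3 }'
}

# Exit 0 when passwd caching is on and a cached hit can outlive <max_ttl> seconds.
# Usage: passwd_cache_exceeds <conf> <max_ttl>
passwd_cache_exceeds() {
    enabled="$(nscd_setting "$1" enable-cache passwd)"
    ttl="$(nscd_setting "$1" positive-time-to-live passwd)"
    [ "$enabled" = "yes" ] || return 1
    # glibc's stock nscd.conf uses 600 for passwd; treated as the default here
    [ "${ttl:-600}" -gt "$2" ]
}

# Human-readable report for an administrator checking one host.
report() {
    conf="$1"
    ttl="$(nscd_setting "$conf" positive-time-to-live passwd)"
    if passwd_cache_exceeds "$conf" 60; then
        echo "passwd cache enabled, positive TTL ${ttl:-600 (default)}s:"
        echo "  a passwd entry fetched before a password change is served until it expires."
        echo "  Mitigations: lower positive-time-to-live for passwd, disable caching of"
        echo "  passwd, or invalidate the cache after a change with:  nscd -i passwd"
    else
        echo "passwd cache disabled or TTL <= 60s: stale entries expire quickly."
    fi
}

report "$SAMPLE_CONF"
```

Point the functions at a real `/etc/nscd.conf` to check a host; `nscd_setting` works for any database and directive in the file. Note that nscd does not cache the shadow map, and `check-files` only invalidates on changes to the local `/etc` file, so a change made in LDAP never triggers it.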
