Re: [nssldap] how disable shadow map
- From: Buchan Milne <bgmilne [at] mandriva.org>
- To: "Brian J. Murrell" <brian [at] interlinx.bc.ca>
- Cc: nssldap [at] padl.com
- Subject: Re: [nssldap] how disable shadow map
- Date: Fri, 23 Oct 2009 15:26:37 +0100
On Wednesday, 21 October 2009 17:12:09 Brian J. Murrell wrote:
> Hi,
>
> I want to disable the shadow map,
Do you need any shadow functionality? If not, just remove ldap from the shadow
line in /etc/nsswitch.conf.
> and specifically, stop the passwd map
> from returning "x" in the password field.
Don't give nss_ldap access to the userPassword attribute. There is no reason
to expose password hashes ...
> I use kerberos for
> authentication here and thus have no use for shadow, and having the "x"
> in the passwd map without a shadow map screws up pam_unix as it thinks
> that shadow information should be available and kacks when it cannot
> find it.
>
> I noticed from a quick browse of the code:
>
> if (_nss_ldap_oc_check (e, "shadowAccount") == NSS_SUCCESS)
>   {
>     /* don't include password for shadowAccount */
>     if (buflen < 3)
>       return NSS_TRYAGAIN;
>
>     pw->pw_passwd = buffer;
>     strcpy (buffer, "x");
>     buffer += 2;
>     buflen -= 2;
>   }
> else
>   {
>     stat =
>       _nss_ldap_assign_userpassword (e, ATM (LM_PASSWD, userPassword),
>                                      &pw->pw_passwd, &buffer, &buflen);
>     if (stat != NSS_SUCCESS)
>       return stat;
>   }
>
> but given that I have no "nss_map_objectclass shadowAccount ..." lines
> in my /etc/ldap.conf file, I must be running into some default behaviour
> I need to override.
If you need other shadow functionality (e.g. password expiry), use ppolicy
instead. If you need account expiry, I don't know if there are other options.
Regards,
Buchan
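An added example, not from this thread, putting Buchan's two recommendations side by side: the nsswitch.conf shadow line with and without ldap, and a slapd.conf access rule that withholds userPassword from nss_ldap (and everyone else except the owner). The base DN and the slapd.conf-style syntax are assumptions; a cn=config server needs the equivalent olcAccess form.

```conf
# /etc/nsswitch.conf -- before: shadow lookups also go to LDAP, so a
# passwd entry carrying "x" leads pam_unix to expect shadow data there.
passwd: files ldap
shadow: files ldap

# /etc/nsswitch.conf -- after: shadow stays local. Authentication is done
# by Kerberos (pam_krb5), so nothing needs shadow data from the directory.
passwd: files ldap
shadow: files

# /etc/openldap/slapd.conf (assumed slapd.conf syntax, constructed base DN).
# The owner may change the password and a simple bind may still verify it,
# but whatever DN nss_ldap binds as (or anonymous) gets no read on the hash,
# so no password hash is ever handed to the passwd map.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else stays readable for name-service lookups.
access to *
    by * read

# If password expiry is wanted, load the ppolicy overlay on the database
# instead of relying on shadow attributes (ppolicy schema must be included).
overlay ppolicy
```

Check the result with `getent passwd <user>`; the second field is what pam_unix will see.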