Re: rootpwmoddn/rootpwmodpw testing
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: rootpwmoddn/rootpwmodpw testing
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: rootpwmoddn/rootpwmodpw testing
- Date: Fri, 03 Dec 2010 17:21:21 +0100
On Fri, 2010-12-03 at 09:06 -0600, Kollar, Thaddeus J. (GRC-V000)[DB
Consulting Group, Inc.] wrote:
> I was trying out the rootpwmoddn/rootpwmodpw implementation in r1316
> and ran into two issues that prevented it from working as intended.
> The first was that nslcd_pam_authc() in nslcd/pam.c would always write
> a failure code for authc/authz in its response even if try_bind()
> succeeded. The fix for that is easy:
[...]
Thanks for the patch. I've committed it (r1317) to the repository.
> The other issue is that, because try_bind() uses lookup_dn2uid(), the
> LDAP admin entry has to belong to the posixAccount object class or
> lookup_dn2uid() will return null (since there is no uid) and
> try_bind() will fail. My admin entry didn't use posixAccount, and I
> suspect many others' won't either... the workaround is easy, just add
> and populate posixAccount for admin. But that's not really desirable
> since it creates an unnecessary Unix account. The better solution is
> probably to add some logic to try_bind() that, when lookup_dn2uid()
> returns null but rc == LDAP_SUCCESS, tests for this case before
> returning failure.
I've committed a fix for this (r1318). Instead of doing lookup_dn2uid()
it now only does a simple search without applying the passwd filter (the
search was only there to test whether the binding was successful).
Thanks for your feedback and thanks for the testing.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
