RE: rootpwmoddn/rootpwmodpw testing

Thanks for the fast update! I tried r1318 and it works well.

On a related issue, when the password change occurs, shadowLastChange does not 
get updated so if a user's password is expired, the new one remains expired. I 
considered using pam_exec.so to run ldap_modify as a workaround but it's not 
safe. Any chance of adding that functionality to nslcd?

Tad
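The shadowLastChange problem above comes down to shadow(5) arithmetic: the attribute holds the day the password was last set, counted in days since 1970-01-01, and pam_unix/nslcd treat the password as expired once today exceeds shadowLastChange + shadowMax. The example below (added here; it is not nss-pam-ldapd code and not part of the thread) implements that check and shows why a userPassword change that does not also rewrite shadowLastChange leaves the account expired. The entry and dates are constructed; the function and attribute names other than the shadow attributes are hypothetical.

```python
"""Shadow-ageing check for an LDAP shadowAccount entry (added example).

Mirrors the shadow(5) semantics that pam_unix and nslcd apply when an
account logs in. Entry values are kept as strings, as LDAP returns them.
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample entry: password last changed on 2010-06-01 (day 14761),
# 90-day maximum age, 7-day warning window.
SAMPLE_ENTRY = {
    "uid": "tad",
    "userPassword": "{constructed-old-hash}",
    "shadowLastChange": "14761",
    "shadowMax": "90",
    "shadowWarning": "7",
}


def days_since_epoch(iso_day):
    """Day number used by shadowLastChange: days since 1970-01-01."""
    return (date.fromisoformat(iso_day) - EPOCH).days


def shadow_state(entry, today_iso):
    """Return 'ok', 'warn', 'expired' or 'must-change' for an entry on a day."""
    last = int(entry.get("shadowLastChange", -1))
    max_days = int(entry.get("shadowMax", -1))   # absent/-1: no maximum age
    warn = int(entry.get("shadowWarning", 0))
    today = days_since_epoch(today_iso)
    if last == 0:
        return "must-change"  # shadow(5): 0 forces a change at next login
    if last < 0 or max_days < 0:
        return "ok"           # no ageing information for this account
    if today > last + max_days:
        return "expired"
    if today >= last + max_days - warn:
        return "warn"
    return "ok"


def lastchange_modify(today_iso):
    """The extra attribute modification a password change has to apply,
    alongside userPassword, so the new password starts a fresh ageing period."""
    return {"shadowLastChange": str(days_since_epoch(today_iso))}


def simulate_password_change(entry, today_iso, update_lastchange):
    """Model a password change with or without the shadowLastChange update
    (hypothetical helper; it does not talk to an LDAP server)."""
    changed = dict(entry)
    changed["userPassword"] = "{constructed-new-hash}"
    if update_lastchange:
        changed.update(lastchange_modify(today_iso))
    return changed


if __name__ == "__main__":
    today = "2010-12-03"
    print("before change:", shadow_state(SAMPLE_ENTRY, today))
    print("change, shadowLastChange untouched:",
          shadow_state(simulate_password_change(SAMPLE_ENTRY, today, False), today))
    print("change, shadowLastChange updated:",
          shadow_state(simulate_password_change(SAMPLE_ENTRY, today, True), today))
```

Run as a script it prints `expired` for the first two cases and `ok` for the third: rewriting userPassword alone never clears the expiry, which is why the shadowLastChange write has to happen in the same operation as the password change (and by an identity allowed to modify that attribute, not via a per-user pam_exec hook).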
________________________________________
From: 
nss-pam-ldapd-users-bounces+thaddeus.j.kollar=nasa.gov@lists.arthurdejong.org 
[nss-pam-ldapd-users-bounces+thaddeus.j.kollar=nasa.gov@lists.arthurdejong.org] 
On Behalf Of Arthur de Jong [arthur@arthurdejong.org]
Sent: Friday, December 03, 2010 11:21
To: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: Re: rootpwmoddn/rootpwmodpw testing

On Fri, 2010-12-03 at 09:06 -0600, Kollar, Thaddeus J. (GRC-V000)[DB
Consulting Group, Inc.] wrote:
> I was trying out the rootpwmoddn/rootpwmodpw implementation in r1316
> and ran into two issues that prevented it from working as intended.
> The first was that nslcd_pam_authc() in nslcd/pam.c would always write
> a failure code for authc/authz in its response even if try_bind()
> succeeded. The fix for that is easy:
[...]

Thanks for the patch. I've committed it (r1317) to the repository.

> The other issue is that, because try_bind() uses lookup_dn2uid(), the
> LDAP admin entry has to belong to the posixAccount object class or
> lookup_dn2uid() will return null (since there is no uid) and
> try_bind() will fail. My admin entry didn't use posixAccount, and I
> suspect many others' won't either... the workaround is easy, just add
> and populate posixAccount for admin. But that's not really desirable
> since it creates an unnecessary Unix account. The better solution is
> probably to add some logic to try_bind() that, when lookup_dn2uid()
> returns null but rc == LDAP_SUCCESS, tests for this case before
> returning failure.

I've committed a fix for this (r1318). Instead of doing lookup_dn2uid()
it now only does a simple search without applying the passwd filter (the
search was only there to test whether the binding was successful).

Thanks for your feedback and thanks for the testing.

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --