Re: Support for pam_ldap configuration

On Tue, 2012-07-03 at 18:19 -0700, Ted Cheng wrote:
> The idea of checking password_prohibit_msg in pam_sm_authenticate as
> well, specifically for the "passwd" service, is to have a "clean"
> handling of the case, i.e., users will be re-directed immediately,
> e.g,
>  # passwd testuser
>    Please change your password via
>    Permission denied

On Linux, the code that has just been committed in r1715 works:

$ passwd
Please change your password via
passwd: Authentication token manipulation error
passwd: password unchanged

This only has hooks in pam_sm_chauthtok() because the
pam_sm_authenticate() isn't called when changing passwords. I've made it
so that the stack returns the proper value for unknown users.

> We are more than willing to sync up efforts with you.

Attached is a nslcd.h (and diff with current SVN) that should give an
idea of the changes I have in mind. Any input here is very much

One thing that isn't addressed is the signedness of the numeric values.
This could also be defined. Another is that for FreeBSD it would be very
useful to combine PASSWD and SHADOW. Perhaps this is appropriate for a
new map or some other solution.

I can't see a way to handle this without incompatible changes so I've
updated NSLCD_VERSION. I would be interested if anyone can come up with a
nice way of dealing with this in a more compatible way.

Another thing that would be nice is to have some mechanism in place to
make the requests a little more flexible to avoid these kinds of upgrade
paths in the future.

> nssov is using nss-pam-ldapd 0.8.3. We'd like to upgrade to the
> version with the pam config features merged in. After that, we can
> sync up the effort and upgrade nssov the same time as nss-pam-ldapd.

Are there any known issues with 0.8.10 (apart from the missing config


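As an added illustration (not code from the thread or from nss-pam-ldapd itself) of the pam_sm_chauthtok() behaviour described above: a stand-alone model of the decision the hook makes, returning PAM_USER_UNKNOWN for users nslcd does not know and PAM_AUTHTOK_ERR plus the prohibit message otherwise. It assumes Linux-PAM's numeric constants and that the check runs in the PAM_PRELIM_CHECK phase; the user table and the lookup_user() helper are constructed placeholders standing in for the nslcd request.

```c
/* Added example, not nss-pam-ldapd's own code. Constants copy Linux-PAM's
 * values (assumption) so the logic runs without libpam installed. */
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS        0
#define PAM_USER_UNKNOWN   10
#define PAM_AUTHTOK_ERR    20
#define PAM_PRELIM_CHECK   0x4000
#define PAM_UPDATE_AUTHTOK 0x2000

/* A user entry as the module would get it back from nslcd (constructed). */
struct ldap_user {
    const char *name;
    const char *prohibit_msg;   /* NULL when password changes are allowed */
};

/* Hypothetical lookup standing in for the nslcd request; NULL means the
 * user is not in LDAP, so the stack can report PAM_USER_UNKNOWN. */
static const struct ldap_user *lookup_user(const char *name)
{
    static const struct ldap_user users[] = {
        { "alice",    NULL },
        { "testuser", "Please change your password via the self-service page" },
    };
    for (size_t i = 0; i < sizeof(users) / sizeof(users[0]); i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* Decision for one pam_sm_chauthtok() call. When the change is prohibited,
 * *msg receives the text the module would show via the conversation
 * function before passwd prints "Authentication token manipulation error". */
int chauthtok_decide(int flags, const char *name, const char **msg)
{
    const struct ldap_user *u = lookup_user(name);
    if (msg) *msg = NULL;
    if (u == NULL)
        return PAM_USER_UNKNOWN;            /* let the rest of the stack decide */
    if ((flags & PAM_PRELIM_CHECK) && u->prohibit_msg != NULL) {
        if (msg) *msg = u->prohibit_msg;
        return PAM_AUTHTOK_ERR;             /* aborts the change up front */
    }
    return PAM_SUCCESS;                     /* prelim passed, or update phase */
}

int main(void)
{
    const char *msg;
    int rc = chauthtok_decide(PAM_PRELIM_CHECK, "testuser", &msg);
    if (msg) puts(msg);
    printf("passwd: rc=%d\n", rc);
    return 0;
}
```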