Re: Support for pam_ldap configuration
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Ted Cheng <tedcheng [at] symas.com>
- Cc: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>, Howard Chu <hyc [at] symas.com>
- Subject: Re: Support for pam_ldap configuration
- Date: Sun, 08 Jul 2012 12:06:02 +0200
On Tue, 2012-07-03 at 18:19 -0700, Ted Cheng wrote:
> The idea of checking password_prohibit_msg in pam_sm_authenticate as
> well, specifically for the "passwd" service, is to have a "clean"
> handling of the case, i.e., users will be re-directed immediately,
> e.g.,
>
> # passwd testuser
> Please change your password via www.example.com
> Permission denied

On Linux, the code that has just been committed in r1715 works:

$ passwd
Please change your password via www.example.com
passwd: Authentication token manipulation error
passwd: password unchanged

This only has hooks in pam_sm_chauthtok() because pam_sm_authenticate() isn't called when changing passwords. I've made it so that the stack returns the proper value for unknown users.

> We are more than willing to sync up efforts with you.

Attached is a nslcd.h (and diff with current SVN) that should give an idea of the changes I have in mind. Any input here is very much appreciated.

One thing that isn't addressed is the signedness of the numeric values. This could also be defined.

Another is that for FreeBSD it would be very useful to combine PASSWD and SHADOW. Perhaps this is appropriate for a new map or some other solution.

I can't see a way to handle this without incompatible changes so I've updated NSLCD_VERSION. I would be interested if anyone can come up with a nice way of dealing with this in a more compatible way.

Another thing that would be nice is to have some mechanism in place to make the requests a little more flexible to avoid these kinds of upgrade paths in the future.

> nssov is using nss-pam-ldapd 0.8.3. We'd like to upgrade to the
> version with the pam config features merged in. After that, we can
> sync up the effort and upgrade nssov the same time as nss-pam-ldapd.

Are there any known issues with 0.8.10 (apart from the missing config requests)?

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
Attachment:
nslcd.h
Description: Text Data
Attachment:
nslcd.h.diff
Description: Text Data