Re: Support for pam_ldap configuration
- From: Ted Cheng <tedcheng [at] symas.com>
- To: Arthur de Jong <arthur [at] arthurdejong.org>
- Cc: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>, Howard Chu <hyc [at] symas.com>
- Subject: Re: Support for pam_ldap configuration
- Date: Mon, 9 Jul 2012 18:22:11 -0700
>
> Attached is a nslcd.h (and diff with current SVN) that should give an
> idea of the changes I have in mind. Any input here is very much
> appreciated.
> /* returns either "nopasswd", "userpasswd" or "rootpasswd" to specify
> the kind of (old) password required for changing the password */
> #define NSLCD_CONFIG_PAM_ROOTPWMOD 654
Not sure why we would need "nopasswd", "userpasswd", and "rootpasswd" config.
The kind of (old) password required for changing password depends on client-side
(who initiates the password change) and on server-side (admin/pwdmgr dn &
admin/pwdmgr pwd) configurations, not just server-side configuration:
admin (root) change of end-user password, pam_ldap testing uid==0:
if admin/pwdmgr DN and admin/pwdmgr pwd are configured on the server side,
no old password is prompted, e.g.,
# passwd testuser
New password:
Retype new password:
passwd: password updated successfully
If admin/pwdmgr DN is configured on the server side, but not admin/pwdmgr pwd,
the LDAP administrator password should be queried, e.g.,
# passwd testuser
LDAP administrator password:
New password:
Retype new password:
passwd: password updated successfully
If end-users change their own passwords, old passwords should always be
queried, e.g.,
$ passwd
(current) LDAP Password:
New password:
Retype new password:
passwd: password updated successfully
If an end-user changes another user's password, the target user's
password should be queried. So far, this option does not seem to be supported,
e.g.,
testuser1$ passwd testuser2
passwd: You may not view or modify password information for testuser2
>
> One thing that isn't addressed is the signedness of the numeric values.
> This could also be defined. Another is that for FreeBSD it would be very
> useful to combine PASSWD and SHADOW. Perhaps this is appropriate for a
> new map or some other solution.
>
The ppolicy configuration should probably be supported/tested as well.
> I can't see a way to handle this without incompatible changes so I've
> updated NSLCD_VERSION. I would be interested if anyone can come up with a
> nice way of dealing with this in a more compatible way.
>
> Another thing that would be nice is to have some mechanism in place to
> make the requests a little more flexible to avoid these kinds of upgrade
> paths in the future.
>
>> nssov is using nss-pam-ldapd 0.8.3. We'd like to upgrade to the
>> version with the pam config features merged in. After that, we can
>> sync up the effort and upgrade nssov the same time as nss-pam-ldapd.
>
> Are there any known issues with 0.8.10 (apart from the missing config
> requests)?
0.8.3 seems to be working fine. I would expect 0.8.10 works as well.
>
> --
> -- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
> <nslcd.h><nslcd.h.diff>
Ted C. Cheng
Symas Corporation
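The four password-change cases Ted walks through above (root with admin DN and password configured, root with only the admin DN, a user changing their own password, and a user attempting to change someone else's) form a small decision procedure. The following Python is an added illustration written for this archive page, not code from nss-pam-ldapd, pam_ldap or nssov. It assumes the option names `rootpwmoddn` / `rootpwmodpw` (the pam_ldap names for the admin DN and its password), a constructed `user_dn()` mapping in place of a real LDAP search, and, as an assumption the thread does not cover, that root with no admin DN configured falls back to the target user's own current password. The `kind` values are the three strings proposed for `NSLCD_CONFIG_PAM_ROOTPWMOD`, and the prompt strings are the ones shown in the transcripts above.

```python
"""Decide which (old) password a password change must prompt for.

Added example for the discussion in this thread; not project code.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ClientConfig:
    """Password-change related client settings.

    rootpwmoddn / rootpwmodpw mirror the pam_ldap option names; the class
    itself is constructed for this example.
    """
    rootpwmoddn: Optional[str] = None
    rootpwmodpw: Optional[str] = None


@dataclass(frozen=True)
class ChangePlan:
    kind: str              # "nopasswd", "rootpasswd" or "userpasswd"
    prompt: Optional[str]  # what the caller is asked for; None if nothing
    bind_dn: str           # identity that performs the modify on the server


# Prompt wording taken from the transcripts in the thread.
PROMPTS = {
    "nopasswd": None,
    "rootpasswd": "LDAP administrator password:",
    "userpasswd": "(current) LDAP Password:",
}


def user_dn(name: str) -> str:
    """Constructed DN mapping; a real client resolves this via LDAP search."""
    return f"uid={name},ou=People,dc=example,dc=org"


def plan_password_change(caller_uid: int, caller: str, target: str,
                         cfg: ClientConfig) -> ChangePlan:
    """Return how the change is authenticated, or refuse it."""
    if caller == target:
        # Own password: the current password is always queried.
        return ChangePlan("userpasswd", PROMPTS["userpasswd"], user_dn(target))
    if caller_uid != 0:
        # Non-root changing someone else's password: refused, as in the
        # testuser1 -> testuser2 transcript.
        raise PermissionError(
            f"You may not view or modify password information for {target}")
    if cfg.rootpwmoddn and cfg.rootpwmodpw:
        # Admin DN and its password both configured: nothing is prompted,
        # the configured admin credentials are used for the bind.
        return ChangePlan("nopasswd", None, cfg.rootpwmoddn)
    if cfg.rootpwmoddn:
        # Only the admin DN configured: ask root for the admin password.
        return ChangePlan("rootpasswd", PROMPTS["rootpasswd"], cfg.rootpwmoddn)
    # Assumption (not stated in the thread): with no admin DN configured,
    # fall back to binding as the target user with their current password.
    return ChangePlan("userpasswd", PROMPTS["userpasswd"], user_dn(target))


def transcript(plan: ChangePlan) -> List[str]:
    """The sequence of prompts passwd would show for this plan."""
    lines = [plan.prompt] if plan.prompt else []
    return lines + ["New password:", "Retype new password:"]


if __name__ == "__main__":
    full = ClientConfig("cn=pwdmgr,dc=example,dc=org", "secret")
    dn_only = ClientConfig("cn=pwdmgr,dc=example,dc=org")
    for uid, caller, target, cfg in [(0, "root", "testuser", full),
                                      (0, "root", "testuser", dn_only),
                                      (1000, "testuser", "testuser", full),
                                      (1001, "testuser1", "testuser2", full)]:
        try:
            plan = plan_password_change(uid, caller, target, cfg)
            print(caller, "->", target, plan.kind, transcript(plan))
        except PermissionError as exc:
            print(caller, "->", target, "refused:", exc)
```

Running the script prints one line per case; the `nopasswd` case shows only the two "New password" prompts, matching the first transcript in the thread.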