
Re: Support for pam_ldap configuration

On Tue, 2012-07-10 at 18:01 -0700, Ted Cheng wrote:
> If both rootpwmoddn and rootpwmodpw are configured on the server side,
> both will be used to authenticate to the remote directory. That is, no
> "rootpasswd" parameter is needed. Simply the auth result will be
> returned.

If the password change is run as root the PAM module doesn't know
whether the server has either option set, so it first tries to do a
"" + "" authentication, then prompts for the administrator password and
does a "" + passwd authentication.

The extra NSLCD_CONFIG_PAM_ROOTPWMOD protocol parameter could be
derived from the rootpwmoddn and rootpwmodpw nslcd.conf configuration
options and the caller's uid, and be provided to the PAM module so it
wouldn't need to do this guessing.

This would mean that the first ugly hack ("" + "") is no longer necessary.
The second one would still be needed to see if the supplied password is
correct. The extra information could also allow the PAM module to prompt
for the old password of the user that is being changed.

Anyway, it is a bit of a cosmetic change.

> Please find attached pam.c from nssov distribution. The pam_bindcb() routine
> handles ppolicy control.

Thanks. I'm currently using ldap_simple_bind_s() for user
authentication.

Also, looking at pam_ldap.c, it seems I have to switch to the asynchronous
ldap_sasl_bind() to request password policy and be able to get the
password policy response controls. Requesting seems possible with
ldap_sasl_bind_s(), but I can't work out how to get the response controls
with that function.

Thanks,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
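The decision the message describes (let nslcd derive a single "how should the password change bind" value from rootpwmoddn, rootpwmodpw and the caller's uid, instead of the PAM module probing with "" + "" and then "" + passwd) can be sketched in a few lines. The following is an added example written for this page; it is not code from nss-pam-ldapd or from the message above. The mode names, the helper names and the sample nslcd.conf text are assumptions made for the example, and the config reader is a simplified "keyword value" parser, not nslcd's own.

```python
"""Derive a pam_ldap password-change mode from nslcd.conf and the caller uid.

Added example, not nss-pam-ldapd code.  It models the proposed
NSLCD_CONFIG_PAM_ROOTPWMOD parameter: nslcd reads rootpwmoddn/rootpwmodpw
from its configuration, combines them with the uid of the calling process
and tells the PAM module which bind path applies, so the module no longer
has to guess with a "" + "" probe.
"""
import shlex

# Constructed sample standing in for /etc/nslcd.conf (not a real config).
SAMPLE_NSLCD_CONF = """\
# /etc/nslcd.conf (constructed sample)
uid nslcd
gid nslcd
uri ldap://127.0.0.1/
base dc=example,dc=org
rootpwmoddn cn=admin,dc=example,dc=org
rootpwmodpw "s3cret pass"
"""

# Hypothetical values the protocol parameter could carry.
ROOTPWMOD_USER = "user"              # bind as the user, ask for the old password
ROOTPWMOD_PROMPT = "prompt"          # bind as rootpwmoddn, ask for its password
ROOTPWMOD_CONFIGURED = "configured"  # bind as rootpwmoddn with rootpwmodpw, no prompt


def parse_nslcd_conf(text):
    """Simplified reader for 'keyword value' lines (not nslcd's parser).

    Blank lines and '#' comment lines are skipped, keywords are lowercased,
    a later line overrides an earlier one, and double-quoted values are
    honoured so a rootpwmodpw containing spaces survives intact.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) < 2:
            continue  # keyword without a value: ignore in this sketch
        opts[parts[0].lower()] = " ".join(parts[1:])
    return opts


def rootpwmod_mode(opts, caller_uid):
    """Pick the bind path for a password change requested by caller_uid.

    Only a root caller may use the rootpwmoddn identity; everyone else
    binds as themselves.  With rootpwmoddn set but no rootpwmodpw, the
    administrator password still has to be prompted for (the second
    "hack" from the message), but the "" + "" probe is never needed.
    """
    if caller_uid != 0 or not opts.get("rootpwmoddn"):
        return ROOTPWMOD_USER
    if opts.get("rootpwmodpw"):
        return ROOTPWMOD_CONFIGURED
    return ROOTPWMOD_PROMPT


def prompt_for(mode, target_user):
    """Return the prompt the PAM module should show, or None if no prompt."""
    if mode == ROOTPWMOD_USER:
        return "Current password for %s: " % target_user
    if mode == ROOTPWMOD_PROMPT:
        return "LDAP administrator password: "
    return None


def bind_identity(mode, opts, target_dn):
    """Return (bind_dn, password_is_known) for the modify operation."""
    if mode == ROOTPWMOD_USER:
        return target_dn, False
    return opts["rootpwmoddn"], mode == ROOTPWMOD_CONFIGURED


if __name__ == "__main__":
    conf = parse_nslcd_conf(SAMPLE_NSLCD_CONF)
    for uid in (0, 1000):
        mode = rootpwmod_mode(conf, uid)
        print(uid, mode, prompt_for(mode, "alice"),
              bind_identity(mode, conf, "uid=alice,dc=example,dc=org"))
```

The uid fed into rootpwmod_mode() should be the one nslcd obtains from the socket peer credentials, never a value the PAM module sends over the protocol, otherwise an unprivileged caller could claim uid 0 and reach the rootpwmoddn path. Storing rootpwmodpw in nslcd.conf also means that file must not be readable by ordinary users.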