Re: Support for pam_ldap configuration
- From: Ted Cheng <tedcheng [at] symas.com>
- To: Arthur de Jong <arthur [at] arthurdejong.org>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Support for pam_ldap configuration
- Date: Wed, 11 Jul 2012 17:08:25 -0700
On Jul 11, 2012, at 2:10 PM, Arthur de Jong wrote:
> On Tue, 2012-07-10 at 18:01 -0700, Ted Cheng wrote:
>> If both rootpwmoddn and rootpwmodpw are configured on the server side,
>> both will be used to authenticate to the remote directory. That is, no
>> "rootpasswd" parameter is needed. Simply the auth result will be
>> returned.
>
> If the password change is run as root the PAM module doesn't know
> whether the server has either options set so first tries to do a ""+""
> authentication, then prompts for the administrator password and does a
> ""+passwd authentication.
>
nssov implemented the following in response to the calls from pam_ldap:

If rootpwmoddn and rootpwmodpw are configured on the server side:
  pam_ldap sends "" (NULL) + "" (NULL) ==> nssov binds to the LDAP server with
  rootpwmoddn + rootpwmodpw, and returns rootpwmoddn to pam_ldap if the bind
  succeeds.

If only rootpwmoddn is configured, but not rootpwmodpw, on the server side:
  pam_ldap sends "" (NULL) + admin pwd ==> nssov binds to the LDAP server with
  rootpwmoddn + admin pwd, and returns rootpwmoddn to pam_ldap if the bind
  succeeds.

pam_ldap sends user dn + user pwd ==> nssov binds to the LDAP server with
user dn + user pwd, and returns userdn to pam_ldap if the bind succeeds.

pam_ldap does not need to guess at all.
> The extra NSLCD_CONFIG_PAM_ROOTPWMOD protocol parameter could be
> derived from the rootpwmoddn and rootpwmodpw nslcd.conf configuration
> options and the caller's uid, and be provided to the PAM module so it
> wouldn't need to do this guessing.
>
> This would mean that the first ugly hack (""+"") is no longer necessary.
> The second one would still be needed to see if the supplied password is
> correct. The extra information could also allow the PAM module to prompt
> for the old password of the user that is being changed.
Need more information on how this should be implemented.
>
>> Please find attached pam.c from nssov distribution. The pam_bindcb() routine
>> handles ppolicy control.
>
> Thanks. I'm currently using ldap_simple_bind_s() for user
> authentication.
>
> Also looking at pam_ldap.c it seems I have to switch to the asynchronous
> ldap_sasl_bind() to request password policy and be able to get the
> password policy response controls. Requesting seems possible with
> ldap_sasl_bind_s() but I can't work out how to get the response controls
> with that function.
>
I have attached common.c from openldap client code. Hopefully it helps.
Cheers,
Ted C. Cheng
Symas Corporation
Attachment: common.c (Description: Binary data)
--
To unsubscribe send an email to nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see http://lists.arthurdejong.org/nss-pam-ldapd-users/
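The credential-selection rules Ted describes above (which DN and password nssov binds with for each combination of what pam_ldap sends and what is configured server-side) are small enough to spell out in code. The following is an added example, not nssov or pam_ldap code: the directory, the fake_bind() stand-in for an LDAP simple bind and the nssov_authc() function are constructed for illustration. One behaviour not stated in the message is assumed and marked as such: when rootpwmodpw is configured and pam_ldap nevertheless sends "" plus a password, the supplied password is used.

```c
/* Added example (not from nssov/pam_ldap): simulate how nssov maps the
 * (dn, password) pair received from pam_ldap onto the credentials it binds
 * with, per the cases described in the message above.  No network access;
 * the directory and the bind are constructed stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory stand-in for the directory: DN -> password. */
struct entry { const char *dn; const char *pw; };
static const struct entry directory[] = {
    { "cn=admin,dc=example,dc=com",           "adminsecret" },
    { "uid=alice,ou=people,dc=example,dc=com", "alicepw"     },
};

/* Stand-in for an LDAP simple bind.  An empty DN or empty password is
 * refused outright: on a real server an empty DN is an anonymous bind and a
 * DN with an empty password is an "unauthenticated" bind (RFC 4513), both of
 * which return success without proving anything about the user. */
static int fake_bind(const char *dn, const char *pw)
{
    if (dn == NULL || *dn == '\0' || pw == NULL || *pw == '\0')
        return 0;
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i].dn, dn) == 0 && strcmp(directory[i].pw, pw) == 0)
            return 1;
    return 0;
}

/* Server-side (nssov) configuration; rootpwmodpw may be unset (NULL). */
struct nssov_config { const char *rootpwmoddn; const char *rootpwmodpw; };

/* Two constructed configurations matching the two cases in the message. */
static const struct nssov_config cfg_both    = { "cn=admin,dc=example,dc=com", "adminsecret" };
static const struct nssov_config cfg_dn_only = { "cn=admin,dc=example,dc=com", NULL };

/* Handle one pam_ldap authentication request.  req_dn/req_pw are what
 * pam_ldap sent ("" stands for NULL).  Returns the DN nssov reports back to
 * pam_ldap on a successful bind, or NULL on failure. */
static const char *nssov_authc(const struct nssov_config *cfg,
                               const char *req_dn, const char *req_pw)
{
    int empty_dn = (req_dn == NULL || *req_dn == '\0');
    int empty_pw = (req_pw == NULL || *req_pw == '\0');

    if (empty_dn) {
        if (cfg->rootpwmoddn == NULL)
            return NULL;            /* no administrator DN to bind as */
        /* "" + "": use the configured rootpwmodpw (case 1).
         * "" + admin pwd: use the password pam_ldap supplied (case 2).
         * Assumption not in the message: a supplied password wins even
         * when rootpwmodpw is also configured. */
        const char *bind_pw = empty_pw ? cfg->rootpwmodpw : req_pw;
        if (bind_pw == NULL)
            return NULL;            /* "" + "" but rootpwmodpw not configured */
        return fake_bind(cfg->rootpwmoddn, bind_pw) ? cfg->rootpwmoddn : NULL;
    }
    /* user dn + user pwd: bind as the user (case 3). */
    return fake_bind(req_dn, req_pw) ? req_dn : NULL;
}

int main(void)
{
    const char *alice = "uid=alice,ou=people,dc=example,dc=com";
    printf("both,  \"\"+\"\"        -> %s\n", nssov_authc(&cfg_both, "", "") ? "ok" : "fail");
    printf("dn-only, \"\"+\"\"      -> %s\n", nssov_authc(&cfg_dn_only, "", "") ? "ok" : "fail");
    printf("dn-only, \"\"+adminpw  -> %s\n", nssov_authc(&cfg_dn_only, "", "adminsecret") ? "ok" : "fail");
    printf("both,  alice+alicepw -> %s\n", nssov_authc(&cfg_both, alice, "alicepw") ? "ok" : "fail");
    printf("both,  alice+\"\"      -> %s\n", nssov_authc(&cfg_both, alice, "") ? "ok" : "fail");
    return 0;
}
```

The last case in main() is the one a real deployment must get right: with a DN and an empty password, libldap's simple bind will happily perform an unauthenticated bind and most servers answer success, so whichever side of the nslcd/nssov protocol performs the bind has to reject an empty password itself rather than trusting the bind result.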