RSS feed

Re: Upgrade from 0.7 to 0.8 having auth problems

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Upgrade from 0.7 to 0.8 having auth problems

On Tue, 2012-11-20 at 12:36 -0600, Andy Colson wrote:
> according to this:
> > Failing that you can put this in nslcd.conf to avoid exposing password
> > hashes through nslcd:
> >
> > map passwd userPassword "x"
> > map shadow userPassword "*"
> >
> > (I'm thinking about making this the default in later releases of
> > nss-pam-ldapd)
> Indeed that looks to be the case.  When I run "getent passwd" or "getent 
> shadow" all I get back are *'s.  This is different from 0.7.
> The "by users read" is required, otherwise nothing works.  neither 0.7 
> or 0.8.  I'm guessing its because Slackware doesn't use PAM?  The login 
> program is pulling the password back and comparing it?  (as opposed to 
> sending the password to openldap on the server for compare).

If Slackware doesn't use PAM you have to expose the password hashes
through the NSS layer. With nss-pam-ldapd 0.8.0 the default mapping of
the userPassword attribute changed to the "*" value to avoid
accidentally leaking the hash.

To re-enable the old behaviour you should put the following in

map shadow userPassword userPassword

Hope this helps (I though OpenBSD was the only OS without PAM).

-- arthur - - --
To unsubscribe send an email to or see