Re: Upgrade from 0.7 to 0.8 having auth problems
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Upgrade from 0.7 to 0.8 having auth problems
- Date: Tue, 20 Nov 2012 20:05:02 +0100
On Tue, 2012-11-20 at 12:36 -0600, Andy Colson wrote:
> according to this:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604147
>
>
> > Failing that you can put this in nslcd.conf to avoid exposing password
> > hashes through nslcd:
> >
> > map passwd userPassword "x"
> > map shadow userPassword "*"
> >
> > (I'm thinking about making this the default in later releases of
> > nss-pam-ldapd)
>
> Indeed that looks to be the case. When I run "getent passwd" or "getent
> shadow" all I get back are *'s. This is different from 0.7.
[...]
> The "by users read" is required, otherwise nothing works. neither 0.7
> or 0.8. I'm guessing it's because Slackware doesn't use PAM? The login
> program is pulling the password back and comparing it? (as opposed to
> sending the password to openldap on the server for compare).
If Slackware doesn't use PAM you have to expose the password hashes
through the NSS layer. With nss-pam-ldapd 0.8.0 the default mapping of
the userPassword attribute changed to the "*" value to avoid
accidentally leaking the hash.

To re-enable the old behaviour you should put the following in
nslcd.conf:

  map shadow userPassword userPassword

Hope this helps (I thought OpenBSD was the only OS without PAM).
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
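
An added example, not part of the original message or of nss-pam-ldapd: a small Python check that reads an nslcd.conf and reports through which maps the userPassword hash would be handed to NSS clients. The sample configs and function names are constructed for illustration; it assumes a later map line overrides an earlier one and flags any quoted value containing $ as an expression to review by hand.

```python
# Added example: classify how nslcd.conf maps userPassword for passwd/shadow.
# Sample configs are constructed; the uri/base values are placeholders.
HARDENED = '''
# constructed sample: mappings quoted from the Debian bug report
uri ldap://ldap.example.org/
base dc=example,dc=org
map passwd userPassword "x"
map shadow userPassword "*"
'''
LEGACY = '''
uri ldap://ldap.example.org/
map shadow userPassword userPassword
'''

def classify_userpassword(conf_text, default="literal"):
    """Return {'passwd': kind, 'shadow': kind}; kind is 'literal' (fixed
    string, no hash), 'attribute' (LDAP value passed through) or
    'expression' (quoted value containing $, needs manual review).
    default: kind assumed when no map line is present; 'literal' matches
    the 0.8.0 default described in the mail, 'attribute' the old one."""
    kinds = {"passwd": default, "shadow": default}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[0].lower() != "map":
            continue
        db, attr, value = parts[1].lower(), parts[2].lower(), parts[3].strip()
        if db not in kinds or attr != "userpassword":
            continue
        # Assumption: a later map line replaces an earlier one.
        if value.startswith('"'):
            kinds[db] = "expression" if "$" in value else "literal"
        else:
            kinds[db] = "attribute"
    return kinds

def exposed_maps(conf_text, default="literal"):
    """Maps through which the hash can reach NSS clients (getent etc.)."""
    kinds = classify_userpassword(conf_text, default)
    return sorted(db for db, kind in kinds.items() if kind != "literal")

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, classify_userpassword(conf), exposed_maps(conf))
```

Pass default="attribute" when auditing a host that still runs a release with the old default, so that a config without any map line is reported as exposing the hash.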