Re: Upgrade from 0.7 to 0.8 having auth problems

On 11/20/2012 1:05 PM, Arthur de Jong wrote:
> On Tue, 2012-11-20 at 12:36 -0600, Andy Colson wrote:
>> according to this:
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604147
>>
>>> Failing that you can put this in nslcd.conf to avoid exposing password
>>> hashes through nslcd:
>>>
>>> map passwd userPassword "x"
>>> map shadow userPassword "*"
>>>
>>> (I'm thinking about making this the default in later releases of
>>> nss-pam-ldapd)
>>
>> Indeed that looks to be the case.  When I run "getent passwd" or "getent
>> shadow" all I get back are *'s.  This is different from 0.7.
>> [...]
>> The "by users read" is required, otherwise nothing works.  Neither 0.7
>> nor 0.8.  I'm guessing it's because Slackware doesn't use PAM?  The login
>> program is pulling the password back and comparing it?  (as opposed to
>> sending the password to openldap on the server for compare).
>
> If Slackware doesn't use PAM you have to expose the password hashes
> through the NSS layer. With nss-pam-ldapd 0.8.0 the default mapping of
> the userPassword attribute changed to the "*" value to avoid
> accidentally leaking the hash.
>
> To re-enable the old behaviour you should put the following in
> nslcd.conf:
>
> map shadow userPassword userPassword
>
> Hope this helps (I thought OpenBSD was the only OS without PAM).

Ok, progress. "getent shadow" now shows the password, just like it did in 0.7. However, I still can't login. I get "su: Authentication failure".

> Hope this helps (I thought OpenBSD was the only OS without PAM).

Slackware is probably more like BSD than Linux nowadays. It uses startup scripts just like BSD (vs sysv, upstart, systemd, etc).


Thanks for your help,

-Andy
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
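An added check, not part of this thread or of nss-pam-ldapd, that classifies the password field returned by "getent shadow" so an administrator can confirm whether nslcd is masking the hash with the 0.8 default ("*") or passing it through after the `map shadow userPassword userPassword` change. The sample shadow lines below are constructed, and `classify_shadow_line`/`check_user` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): inspect what NSS hands back for the
# shadow password field. On a non-PAM system such as Slackware, login needs
# a real hash here; the nss-pam-ldapd 0.8 default maps it to "*".

# classify_shadow_line LINE
# Prints one of: hidden, locked, hash, empty, malformed
classify_shadow_line() {
    line=$1
    case $line in
        *:*) ;;
        *) echo malformed; return 0 ;;
    esac
    # The second colon-separated field of a shadow entry is the password hash.
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case $field in
        '')         echo empty ;;
        '*'|x)      echo hidden ;;   # nslcd 0.8 default, or passwd-style "x"
        '!'*)       echo locked ;;   # account locked (shadow convention)
        '$'*'$'*)   echo hash ;;     # crypt(3) modular format, e.g. $6$salt$...
        '{'*'}'*)   echo hash ;;     # LDAP {CRYPT}/{SSHA} prefix passed through
        *)          echo hash ;;     # legacy 13-char DES crypt or unknown
    esac
}

# check_user USER
# Queries NSS for USER; returns 0 only if a usable hash is exposed.
check_user() {
    user=$1
    entry=$(getent shadow "$user" 2>/dev/null) || {
        echo "$user: no shadow entry via NSS (run as root?)"; return 2; }
    result=$(classify_shadow_line "$entry")
    echo "$user: $result"
    [ "$result" = hash ]
}

# Constructed sample entries (not real accounts) for offline demonstration.
SAMPLE_HIDDEN='andy:*:15664:0:99999:7:::'                 # 0.8 default mapping
SAMPLE_HASH='andy:$6$abc123$ZZZ:15664:0:99999:7:::'       # after re-mapping
for s in "$SAMPLE_HIDDEN" "$SAMPLE_HASH"; do
    printf '%s -> %s\n' "$s" "$(classify_shadow_line "$s")"
done

# With a username argument, query the live NSS configuration.
if [ $# -gt 0 ]; then
    check_user "$1"
fi
```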