Re: Upgrade from 0.7 to 0.8 having auth problems

[Andy Colson <andy [at] squeakycode.net>]

On 11/20/2012 1:05 PM, Arthur de Jong wrote:
> On Tue, 2012-11-20 at 12:36 -0600, Andy Colson wrote:
> > according to this:
> >
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604147
> >
> >
> > > Failing that you can put this in nslcd.conf to avoid exposing password
> > > hashes through nslcd:
> > >
> > > map passwd userPassword "x"
> > > map shadow userPassword "*"
> > >
> > > (I'm thinking about making this the default in later releases of
> > > nss-pam-ldapd)
> >
> > Indeed that looks to be the case.  When I run "getent passwd" or "getent
> > shadow" all I get back are *'s.  This is different from 0.7.
> [...]
> > The "by users read" is required, otherwise nothing works.  neither 0.7
> > or 0.8.  I'm guessing its because Slackware doesn't use PAM?  The login
> > program is pulling the password back and comparing it?  (as opposed to
> > sending the password to openldap on the server for compare).
>
> If Slackware doesn't use PAM you have to expose the password hashes
> through the NSS layer. With nss-pam-ldapd 0.8.0 the default mapping of
> the userPassword attribute changed to the "*" value to avoid
> accidentally leaking the hash.
>
> To re-enable the old behaviour you should put the following in
> nslcd.conf:
>
> map shadow userPassword userPassword
>
> Hope this helps (I though OpenBSD was the only OS without PAM).

Ok, progress.  "getent shadow" now shows the password, just like it did 
in 0.7.  However, I still cant login.  I get "su: Authentication failure".

> Hope this helps (I though OpenBSD was the only OS without PAM).

Slackware is probably more like BSD than Linux now days.  It uses 
startup scripts just like BSD (vs sysv, upstart, systemd, etc).


Thanks for your help,

-Andy
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/