
Re: Upgrade from 0.7 to 0.8 having auth problems




On 11/22/2012 4:19 PM, Arthur de Jong wrote:
On Wed, 2012-11-21 at 16:28 -0600, Andy Colson wrote:
I used this to build all the different packages to install:

http://slackbuilds.org/repository/14.0/system/nss-pam-ldapd/

I got it working without too many issues. This is what I did:

<SNIP>
   add ldap to the end of every service in /etc/nsswitch.conf (but only
   passwd and group should be required)
   add the following line to /etc/nsswitch.conf:
     shadow:         files ldap

<SNIP>

after starting nslcd we do some tests:
# getent passwd ecolden
ecolden:x:5972:1000:Estelle Colden:/home/ecolden:/bin/bash
# getent shadow ecolden
ecolden:kvho1EyqGnBdE:12302:::7:2::0

It is important to note that the passwd entry has an x in the password
field and the shadow entry has a hash that is not prefixed with {SMD5}
or similar. The passwd x indicates that the password is in the shadow
database and the hash needs to be in one of the supported formats (at
least that is the case for pam_unix). For this test I changed the
hashing in the LDAP server for this test user to an old crypt hash.


So all in all I got everything working quite easily but I couldn't
reproduce the issue :(




Ah! I do not have a shadow entry in my /etc/nsswitch.conf file. Without it I get:

root@mapper:~# getent passwd andyc
andyc:*:1000:100:Andy Colson:/home/andy:/bin/bash

root@mapper:~# getent shadow andyc
andyc:KrRHogoozVZWA:::::::0


Note the *. After I add the shadow line, I get the x:

root@mapper:~# getent passwd andyc
andyc:x:1000:100:Andy Colson:/home/andy:/bin/bash

root@mapper:~# getent shadow andyc
andyc:KrRHogoozVZWA:::::::0


And I can login to it as well.  I'd say that shadow line is required.

Thank you very much for going through that much work. Is there any way I can repay the favor?

-Andy
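
The three conditions this thread settles on (a shadow line listing ldap in /etc/nsswitch.conf, an x in the passwd password field, and a shadow hash without a {SCHEME} prefix), as an added example that is not part of the original messages or of nss-pam-ldapd. The function names, the testuser line and the nsswitch.conf text are constructed for illustration; the andyc lines are the getent output quoted above.

```shell
# Added example: check captured nsswitch.conf text and getent output.
# All function names are hypothetical; nothing here queries LDAP or the system.

# Succeeds when the nsswitch.conf text on stdin has a "shadow:" line listing ldap.
shadow_uses_ldap() {
    awk '$1 == "shadow:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit !found }'
}

# Classify the password field (2nd field) of a "getent passwd" line.
passwd_field() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        x) echo "in-shadow" ;;
        '*') echo "star" ;;
        *) echo "other" ;;
    esac
}

# Classify the hash (2nd field) of a "getent shadow" line (heuristic on the prefix only).
shadow_hash() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        '') echo "missing" ;;
        '{'*) echo "scheme-prefixed" ;;
        *) echo "crypt-style" ;;
    esac
}

# Arguments: nsswitch.conf text, getent passwd line, getent shadow line.
diagnose() {
    if ! printf '%s\n' "$1" | shadow_uses_ldap; then
        echo "FAIL: nsswitch.conf has no shadow line listing ldap"
    elif [ "$(passwd_field "$2")" != "in-shadow" ]; then
        echo "FAIL: passwd password field is not x"
    elif [ "$(shadow_hash "$3")" != "crypt-style" ]; then
        echo "FAIL: shadow hash is $(shadow_hash "$3")"
    else
        echo "OK"
    fi
}

# Constructed nsswitch.conf text, before and after adding the shadow line.
NSS_BEFORE='passwd: files ldap
group: files ldap'
NSS_AFTER="$NSS_BEFORE
shadow:         files ldap"
diagnose "$NSS_BEFORE" 'andyc:*:1000:100:Andy Colson:/home/andy:/bin/bash' 'andyc:KrRHogoozVZWA:::::::0'
diagnose "$NSS_AFTER" 'andyc:x:1000:100:Andy Colson:/home/andy:/bin/bash' 'andyc:KrRHogoozVZWA:::::::0'
diagnose "$NSS_AFTER" 'testuser:x:2000:100::/home/testuser:/bin/bash' 'testuser:{SMD5}CONSTRUCTED:::::::0'
```

On a live host the three arguments would come from `cat /etc/nsswitch.conf`, `getent passwd USER` and `getent shadow USER` run as root.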