Re: rootpwmoddn seems not be working properly

On Sun, 2014-11-02 at 22:17 -0200, Erico Fusco wrote:
> Isn't it possible to get the parameters in the first place and make the
> bind with rootpwmoddn and rootpwmodpw? If I have rootpwdmoddn and
> rootpwmodpw set it doesn't seem right to ask for the LDAP password again.

The reason it asks is because the bind/search with the
rootpwdmoddn/rootpwdmodpw fails. The PAM module then falls back to
prompting for rootpwdmodpw which also fails (the PAM module never reads

> I believe searching the base with base scope is the safest search to use.

The problem is that this could also not exist and it would need to be
special-cased for rootpwdmoddn only because it is reasonable to only
allow normal users to read their own entry (the code path for normal
authentication and rootpwdmoddn authentication is mostly the same).

Having a configuration option to skip the post-bind search or perhaps
perform another configured search would be preferable. Perhaps something
that works similarly to pam_authz_search (but then pam_authc_search).

If someone is willing to write a patch for that I can integrate it (a
bit short on time for nss-pam-ldapd at the moment).
