RSS feed

Re: shadowexpired user in FreeBSD??

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: shadowexpired user in FreeBSD??

Arthur de Jong wrote:
The return value of nslcd_pam_authc() in nslcd/pam.c is only used for
whether the request was handled correctly, it is not passed along to
the PAM module.

One thing that makes the code somehwat complicated is that PAM expects
a clear separation between authentication (auth) and authorisation
(account). The problem is that an LDAP BIND operation does both. This
is why nslcd_pam_authc() returns both authcrc (rc) and authzrc. The PAM
module basically stores authzrc and uses it in the authorisation phase.

This means that nslcd will report the password expiry on authc but it
does not mean that the PAM module has passed this information to
dovecot yet.

Can you post your PAM config /etc/pam.d/dovecot and /etc/pam.d/system
if it includes that? I've been trying to get it working on a FreeBSD VM
but I'm not getting far with the PAM config for some reason.

Hello Everyone:
The attachment is my config and log file. I use LDAP only for mail account,so I just modify the /etc/pam.d/pop3(Dovecot2 in FreeBSD10 use /etc/pam.d/imap and /etc/pam.d/pop3). It seems Dovecot's auth-worker process could get correct msg. But the auth didn't get correct PAM return code. Could you tell me how the pam_sm_acct_mgmt() works?? Thanks anyway!!

Attachment: ldap-expire.tgz
Description: Binary data

To unsubscribe send an email to or see