
Re: shadowexpired user in FreeBSD??




Arthur de Jong wrote:
The return value of nslcd_pam_authc() in nslcd/pam.c is only used for
whether the request was handled correctly, it is not passed along to
the PAM module.

One thing that makes the code somewhat complicated is that PAM expects
a clear separation between authentication (auth) and authorisation
(account). The problem is that an LDAP BIND operation does both. This
is why nslcd_pam_authc() returns both authcrc (rc) and authzrc. The PAM
module basically stores authzrc and uses it in the authorisation phase.

This means that nslcd will report the password expiry on authc but it
does not mean that the PAM module has passed this information to
dovecot yet.

Can you post your PAM config /etc/pam.d/dovecot and /etc/pam.d/system
if it includes that? I've been trying to get it working on a FreeBSD VM
but I'm not getting far with the PAM config for some reason.

Hello Everyone:
The attachment is my config and log file. I use LDAP only for mail accounts, so I just modify /etc/pam.d/pop3 (Dovecot2 in FreeBSD10 uses /etc/pam.d/imap and /etc/pam.d/pop3). It seems Dovecot's auth-worker process could get the correct msg. But the auth didn't get the correct PAM return code. Could you tell me how pam_sm_acct_mgmt() works? Thanks anyway!

Attachment: ldap-expire.tgz
Description: Binary data
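
The auth/account split described in the quoted explanation, as an added sketch that is not code from nss-pam-ldapd or from either poster: a self-contained model in which the auth phase returns only the authc result and stores the authz result, so password expiry reaches the application only if its PAM stack also runs the account phase. All names (`model_*`, `RC_*`, the user "expired") are hypothetical, and the result codes are constructed rather than real PAM values.

```c
#include <stdio.h>
#include <string.h>

/* Model result codes (constructed for this sketch, not real PAM values). */
enum rc { RC_SUCCESS, RC_AUTH_ERR, RC_NEW_AUTHTOK_REQD };

/* One authc reply carries both results, because the LDAP BIND answers both. */
struct authc_reply { enum rc authc_rc; enum rc authz_rc; };

/* State the module keeps between the auth and account phases. */
struct session { int have_authz; enum rc saved_authz; };

/* Hypothetical stand-in for the daemon: a wrong password fails the bind;
   user "expired" binds successfully but has an expired password. */
static struct authc_reply model_authc(const char *user, int password_ok) {
  struct authc_reply r = { RC_AUTH_ERR, RC_AUTH_ERR };
  if (!password_ok) return r;
  r.authc_rc = RC_SUCCESS;
  r.authz_rc = strcmp(user, "expired") == 0 ? RC_NEW_AUTHTOK_REQD : RC_SUCCESS;
  return r;
}

/* auth phase: report only authc_rc, remember authz_rc for later. */
static enum rc model_authenticate(struct session *s, const char *user, int password_ok) {
  struct authc_reply r = model_authc(user, password_ok);
  s->have_authz = (r.authc_rc == RC_SUCCESS);
  s->saved_authz = r.authz_rc;
  return r.authc_rc;
}

/* account phase: the stored authz result surfaces here (model: deny if none). */
static enum rc model_acct_mgmt(const struct session *s) {
  return s->have_authz ? s->saved_authz : RC_AUTH_ERR;
}

/* What the application sees, depending on whether its stack runs the account phase. */
static enum rc model_login(const char *user, int password_ok, int stack_has_account) {
  struct session s = { 0, RC_AUTH_ERR };
  enum rc rc = model_authenticate(&s, user, password_ok);
  if (rc != RC_SUCCESS || !stack_has_account) return rc;
  return model_acct_mgmt(&s);
}

int main(void) {
  printf("expired, account phase run:     %d\n", (int)model_login("expired", 1, 1));
  printf("expired, account phase skipped: %d\n", (int)model_login("expired", 1, 0));
  return 0;
}
```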
