lists.arthurdejong.org

Question on potential workaround for supporting password change on non-compliant RFC 3062 LDAP server.

Arthur,

   Is there a way to configure nss-pam-ldapd to not follow RFC 3062?  I see that between CentOS versions 6 and 7 they switched to the newer version, and it requires the LDAP server to support the extended operation.

# CentOS 6:

# nslcd -V
nss-pam-ldapd 0.7.5
Written by Luke Howard and Arthur de Jong.

Copyright (C) 1997-2009 Luke Howard, Arthur de Jong and West Consulting
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

This version does not follow the RFC.

# CentOS 7:

# nslcd -V
nss-pam-ldapd 0.8.13
Written by Luke Howard and Arthur de Jong.

Copyright (C) 1997-2013 Luke Howard, Arthur de Jong and West Consulting
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

This version does follow the RFC.

Changelog for project:

2010-02-17  arthur

        * [r1064] nslcd/myldap.c: first try password modification without
          the old password and if that fails with the old password
        * [r1063] compat/ldap_passwd_s.c: add pointer to RFC 3062

Documentation states:

For the PAM module some functionality is missing. Comparing it to pam_ldap:
- only BIND authentication is supported
- only LDAP password modify EXOP is supported as password changing mechanism


I was wondering if there is a workaround for this issue or if you basically have to move to RFC 3062 compliant LDAP server to get the password update functionality to work.

I thought of another possibility, but I'm not sure of the wisdom of it.  I was thinking I could get a 0.7 release, compile it for CentOS 7, and make it so I could use it in my /etc/pam.d/password-auth file in the password section only, like so:

Normally something like:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok

Change to:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap_sun.so use_authtok

Placing newly compiled file:  /usr/lib64/security/pam_ldap_sun.so

I know this will not work the best; things like authconfig can undo the PAM config rather easily if some other admin is unaware of the issue this rather fragile workaround would try to address.  I just thought I'd ping you on this and get your opinion.  Any response will be appreciated.  Thank you.
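The following is an added example, not code from nss-pam-ldapd or from the poster. It shows the two things the question above turns on: what the RFC 3062 "Password Modify" extended request that nslcd 0.8 sends actually looks like on the wire (a BER SEQUENCE with three optional context-specific OCTET STRINGs), and how to check whether a server advertises that extension at all. The rootDSE text below is constructed, not captured from a real directory; on a live server the equivalent dump comes from `ldapsearch -x -H ldap://server -s base -b '' supportedExtension`. The OID 1.3.6.1.4.1.4203.1.11.1 is the one RFC 3062 assigns to the operation.

```python
# Added example (not nss-pam-ldapd code): encode/decode the RFC 3062
# passwdModify extended-request value and check a rootDSE LDIF dump for
# the extension OID. Assumes nothing beyond the Python standard library.

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 passwdModify OID

# RFC 3062, section 2.1:
#   PasswdModifyRequestValue ::= SEQUENCE {
#       userIdentity    [0]  OCTET STRING OPTIONAL
#       oldPasswd       [1]  OCTET STRING OPTIONAL
#       newPasswd       [2]  OCTET STRING OPTIONAL }
# Context-specific primitive tags: [0] = 0x80, [1] = 0x81, [2] = 0x82.
TAG_SEQUENCE = 0x30
TAG_USER_IDENTITY = 0x80
TAG_OLD_PASSWD = 0x81
TAG_NEW_PASSWD = 0x82
_TAG_NAMES = {TAG_USER_IDENTITY: "userIdentity",
              TAG_OLD_PASSWD: "oldPasswd",
              TAG_NEW_PASSWD: "newPasswd"}


def _ber_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def encode_passwd_modify_request(user_identity=None, old_passwd=None,
                                 new_passwd=None) -> bytes:
    """Build the requestValue octets of a passwdModify ExtendedRequest.
    Every field is optional; omitting userIdentity targets the bound DN,
    which is what a PAM password change on behalf of the user does."""
    parts = b""
    if user_identity is not None:
        parts += _tlv(TAG_USER_IDENTITY, user_identity.encode("utf-8"))
    if old_passwd is not None:
        parts += _tlv(TAG_OLD_PASSWD, old_passwd.encode("utf-8"))
    if new_passwd is not None:
        parts += _tlv(TAG_NEW_PASSWD, new_passwd.encode("utf-8"))
    return _tlv(TAG_SEQUENCE, parts)


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def decode_passwd_modify_request(data: bytes) -> dict:
    """Parse a requestValue back into its named fields (decoder for the
    encoder above; rejects anything that is not the RFC 3062 shape)."""
    tag, body, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in _TAG_NAMES:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        fields[_TAG_NAMES[tag]] = value.decode("utf-8")
    return fields


def server_supports_passwd_modify(root_dse_ldif: str) -> bool:
    """True if a rootDSE LDIF dump lists the RFC 3062 OID under
    supportedExtension; nslcd 0.8's password change needs this."""
    for line in root_dse_ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedextension" \
                and value.strip() == PASSWD_MODIFY_OID:
            return True
    return False


# Constructed sample rootDSE dumps (not captured from a real server).
ROOTDSE_WITH_EXOP = """\
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.1466.20037
"""
ROOTDSE_WITHOUT_EXOP = """\
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
"""

if __name__ == "__main__":
    req = encode_passwd_modify_request(
        "uid=jdoe,ou=People,dc=example,dc=com", "OldSecret1", "NewSecret2")
    print(req.hex())
    print(decode_passwd_modify_request(req))
    print(server_supports_passwd_modify(ROOTDSE_WITH_EXOP),
          server_supports_passwd_modify(ROOTDSE_WITHOUT_EXOP))
```

If `server_supports_passwd_modify` returns False for a directory's rootDSE, nslcd 0.8's EXOP-only password change cannot succeed against it, whatever the PAM stack looks like; that is the condition to test before deciding between the pam_ldap_sun.so workaround and moving to a server that implements the extension.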