Question on potential workaround for supporting password change on non-compliant RFC 3062 LDAP server.
- From: John Taisto <jrtaisto [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Question on potential workaround for supporting password change on non-compliant RFC 3062 LDAP server.
- Date: Thu, 14 Jun 2018 15:13:15 -0400
Arthur,
Is there a way to configure nss-pam-ldapd to not follow RFC 3062? I see between CentOS versions 6 and 7 they switched to the newer version and it requires the LDAP server to support the extended operation.
# CentOS 6:
# nslcd -V
nss-pam-ldapd 0.7.5
Written by Luke Howard and Arthur de Jong.
Copyright (C) 1997-2009 Luke Howard, Arthur de Jong and West Consulting
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This version does not follow the RFC.
# CentOS 7:
# nslcd -V
nss-pam-ldapd 0.8.13
Written by Luke Howard and Arthur de Jong.
Copyright (C) 1997-2013 Luke Howard, Arthur de Jong and West Consulting
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This version does follow the RFC.
Changelog for project:
2010-02-17 arthur
* [r1064] nslcd/myldap.c: first try password modification without
the old password and if that fails with the old password
* [r1063] compat/ldap_passwd_s.c: add pointer to RFC 3062
Documentation states:
For the PAM module some functionality is missing. Comparing it to pam_ldap:
- only BIND authentication is supported
- only LDAP password modify EXOP is supported as password changing mechanism
I was wondering if there is a workaround for this issue or if you basically have to move to RFC 3062 compliant LDAP server to get the password update functionality to work.
I thought of another possibility, but I'm not sure on the wisdom of it. I was thinking I could get a 0.7 release, compile it for CentOS 7, and make it so I could use it in my /etc/pam.d/password-auth file in the password section only, like so:
Normally something like:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
Change to:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap_sun.so use_authtok
Placing newly compiled file: /usr/lib64/security/pam_ldap_sun.so
I know this will not work the best; things like authconfig can undo the PAM config rather easily if some other admin is unaware of the issue this rather fragile workaround would try to address. I just thought I'd ping you on this and get your opinion. Any response will be appreciated. Thank you.