
Re: R: pwdReset problem in CentOS 7

On Mon, 2019-01-07 at 12:15 +0100, wrote:

> I can avoid doing the myldap_search by setting pam_authc_search NONE.
> But I read this could lead to security issues, mainly with empty
> password, because some LDAP implementations require a search after
> bind to be sure the bind was successful and not considered anonymous.

I don't think the empty password problem was shown when using OpenLDAP,
but at least it was reported with eDirectory:

The problem should also only occur when the `nullok` option is passed
to pam_ldap in your PAM stack.

> Another question is that after logging in with pam_authc_search NONE,
> I am immediately notified that the password must be changed, but the
> session is closed. I would like to ask if there is some support for
> the user changing their own password at this stage.

From your logs:

> nslcd: [e45d32] <authc="lux"> DEBUG: 
> ldap_sasl_bind("uid=lux,ou=Tecnici,ou=People,dc=test,dc=it","***") 
> (uri="ldap://") (ppolicy=yes)
> nslcd: [e45d32] <authc="lux"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE 
> (Password must be changed)
> nslcd: [e45d32] <authc="lux"> DEBUG: 
> myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it", 
> filter="(objectClass=*)")
> nslcd: [e45d32] <authc="lux"> ldap_result() failed: Insufficient access: 
> Operations are restricted to bind/unbind/abandon/StartTLS/modify password

The problem here may be that the policy does not provide any grace
logins left but I'm not 100% sure. It could be that the PAM stack does
not provide the correct answers. To get more information add the debug
option to the lines in your PAM stack (at least for auth
and account parts).

Hope this helps,

-- arthur - - --
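An added audit check, written for this page and not part of the thread or of nss-pam-ldapd itself: a POSIX shell function that reports the combination discussed above, `pam_authc_search NONE` in nslcd.conf together with `nullok` on a pam_ldap.so line of a PAM service file. The function name and the sample config files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Hypothetical audit helper (not from nss-pam-ldapd): report the combination
# discussed in the thread, "pam_authc_search NONE" in nslcd.conf together
# with "nullok" on a pam_ldap.so line in a PAM service file.
# Prints findings; returns 1 when both are present, 0 otherwise.
PAM_LDAP_NULLOK='^[[:space:]]*(auth|account|password|session)[[:space:]].*pam_ldap\.so.*[[:space:]]nullok([[:space:]]|$)'
AUTHC_NONE='^[[:space:]]*pam_authc_search[[:space:]]+NONE([[:space:]]|$)'

# audit_pam_ldap NSLCD_CONF PAM_FILE...
audit_pam_ldap() {
    nslcd_conf="$1"; shift
    search_none=0
    nullok_found=0
    # Only an uncommented directive counts; "#pam_authc_search NONE" is skipped.
    if grep -Eiq "$AUTHC_NONE" "$nslcd_conf"; then
        search_none=1
        echo "INFO: $nslcd_conf: post-bind search disabled (pam_authc_search NONE)"
    fi
    for f in "$@"; do
        # Commented-out PAM lines do not match because of the leading anchor.
        if grep -Eq "$PAM_LDAP_NULLOK" "$f" 2>/dev/null; then
            nullok_found=1
            grep -En "$PAM_LDAP_NULLOK" "$f" | while IFS= read -r l; do echo "WARN: $f:$l"; done
        fi
    done
    if [ "$search_none" -eq 1 ] && [ "$nullok_found" -eq 1 ]; then
        echo "FAIL: nullok with pam_authc_search NONE: an empty-password bind may pass as authenticated"
        return 1
    fi
    return 0
}

# Demonstration on constructed sample files (not real system configuration).
demo_dir=$(mktemp -d)
printf 'uid nslcd\npam_authc_search NONE\n' > "$demo_dir/nslcd.conf"
printf 'auth sufficient pam_ldap.so nullok\naccount required pam_ldap.so\n' > "$demo_dir/weak"
printf 'auth sufficient pam_ldap.so debug\naccount required pam_ldap.so debug\n' > "$demo_dir/fixed"
audit_pam_ldap "$demo_dir/nslcd.conf" "$demo_dir/weak" || echo "weak stack: risky combination"
audit_pam_ldap "$demo_dir/nslcd.conf" "$demo_dir/fixed" && echo "debug stack: no nullok found"
rm -rf "$demo_dir"
```

The "fixed" sample also carries the `debug` option suggested in the reply, so the same files can be used to see the extra PAM logging once copied into a real stack.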
