Re: R: pwdReset problem in CentOS 7

On Mon, 2019-01-07 at 12:15 +0100, nsspamldapd12@iotti.biz wrote:

> I can avoid doing the myldap_search by setting pam_authc_search NONE.
> But I read this could lead to security issues, mainly with empty
> password, because some LDAP implementations require a search after
> bind to be sure the bind was successful and not considered anonymous.

I don't think the empty password problem was shown when using OpenLDAP,
but at least it was reported with eDirectory:
https://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00084.html

The problem should also only occur when the `nullok` option is passed
to pam_ldap in your PAM stack.

> Another question is that after logging in with pam_authc_search NONE,
> I am immediately notified that the password must be changed, but the
> session is closed. I would like to ask if there is some support for
> the user changing their own password at this stage.

From your logs:

> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_sasl_bind("uid=lux,ou=Tecnici,ou=People,dc=test,dc=it","***")
> (uri="ldap://127.0.0.1/") (ppolicy=yes)
> nslcd: [e45d32] <authc="lux"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE
> (Password must be changed)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it",
> filter="(objectClass=*)")
> nslcd: [e45d32] <authc="lux"> ldap_result() failed: Insufficient access:
> Operations are restricted to bind/unbind/abandon/StartTLS/modify password

The problem here may be that the policy does not provide any grace
logins left but I'm not 100% sure. It could be that the PAM stack does
not provide the correct answers. To get more information add the debug
option to the pam_ldap.so lines in your PAM stack (at least for auth
and account parts).

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
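Added example (not part of the original mail, and not code from the nss-pam-ldapd project): a small parser for nslcd debug output that groups the lines of one authc request and reports what the reply above is asking the poster to look at, namely whether the server returned a password-policy response control on the bind and whether the post-bind search done for `pam_authc_search` was then denied. The sample log is the excerpt quoted above with the mail wrapping removed; the record format `nslcd: [<request id>] <authc="user"> ...` is taken from that excerpt and the finding names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample nslcd debug output, reconstructed from the excerpt quoted in the mail
# (mail line wrapping removed so that each log record is on one line).
SAMPLE_LOG = """\
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_sasl_bind("uid=lux,ou=Tecnici,ou=People,dc=test,dc=it","***") (uri="ldap://127.0.0.1/") (ppolicy=yes)
nslcd: [e45d32] <authc="lux"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
nslcd: [e45d32] <authc="lux"> DEBUG: myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it", filter="(objectClass=*)")
nslcd: [e45d32] <authc="lux"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
"""

# One nslcd record: the request id in brackets, the authc user, then the message.
RECORD = re.compile(
    r'^nslcd: \[(?P<req>[0-9a-f]+)\] <authc="(?P<user>[^"]*)"> (?P<msg>.*)$'
)


@dataclass
class AuthcSession:
    """What we learned about one authentication request from its log lines."""
    req: str
    user: str
    bind_dn: Optional[str] = None
    ppolicy_requested: bool = False      # bind was sent with (ppolicy=yes)
    ppolicy_response: Optional[str] = None  # text of the password-policy control
    search_attempted: bool = False       # pam_authc_search did a post-bind search
    search_error: Optional[str] = None   # error reported for that search, if any


def parse_nslcd_log(text: str) -> Dict[str, AuthcSession]:
    """Group nslcd authc debug records by request id."""
    sessions: Dict[str, AuthcSession] = {}
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # not an authc record (other nslcd output, wrapped lines, ...)
        req, user, msg = m.group("req", "user", "msg")
        s = sessions.setdefault(req, AuthcSession(req=req, user=user))
        if msg.startswith("DEBUG: ldap_sasl_bind("):
            dn = re.search(r'ldap_sasl_bind\("([^"]*)"', msg)
            s.bind_dn = dn.group(1) if dn else None
            s.ppolicy_requested = "(ppolicy=yes)" in msg
        elif "LDAP_CONTROL_PASSWORDPOLICYRESPONSE" in msg:
            # the human-readable policy state is the parenthesised tail
            tail = re.search(r"\((.*)\)\s*$", msg)
            s.ppolicy_response = tail.group(1) if tail else ""
        elif msg.startswith("DEBUG: myldap_search("):
            s.search_attempted = True
        elif msg.startswith("ldap_result() failed:"):
            s.search_error = msg[len("ldap_result() failed:"):].strip()
    return sessions


def diagnose(s: AuthcSession) -> List[str]:
    """Name the conditions an administrator should look at for one request.

    Finding names are this example's own, not nslcd terminology:
      password-change-required  server's ppolicy control says the password expired
      post-bind-search-denied   bind succeeded, but the verification search
                                done for pam_authc_search was refused by the
                                server (look at server ACLs / pam_authc_search)
      no-post-bind-search       no verification search was logged (for example
                                pam_authc_search NONE, or the bind itself failed)
    """
    findings: List[str] = []
    if s.ppolicy_response == "Password must be changed":
        findings.append("password-change-required")
    if s.search_attempted and s.search_error:
        findings.append("post-bind-search-denied")
    if s.bind_dn and not s.search_attempted:
        findings.append("no-post-bind-search")
    return findings


if __name__ == "__main__":
    for sess in parse_nslcd_log(SAMPLE_LOG).values():
        print(f"[{sess.req}] user={sess.user} dn={sess.bind_dn}")
        print(f"  ppolicy requested={sess.ppolicy_requested} "
              f"response={sess.ppolicy_response!r}")
        print(f"  search attempted={sess.search_attempted} "
              f"error={sess.search_error!r}")
        print("  findings:", ", ".join(diagnose(sess)) or "none")
```

Run it against `journalctl -u nslcd` or `nslcd -d` output after enabling `debug` in the PAM stack as the reply suggests; a request that shows `password-change-required` together with `post-bind-search-denied` is the situation in the quoted log, where the policy forces a change but the server's restricted post-bind state makes the verification search fail before PAM ever gets to the password-change step.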
