Re: R: pwdReset problem in CentOS 7
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: R: pwdReset problem in CentOS 7
- Date: Wed, 09 Jan 2019 22:11:35 +0100
On Mon, 2019-01-07 at 12:15 +0100, nsspamldapd12@iotti.biz wrote:
> I can avoid doing the myldap_search by setting pam_authc_search NONE.
> But I read this could lead to security issues, mainly with empty
> password, because some LDAP implementations require a search after
> bind to be sure the bind was successful and not considered anonymous.
I don't think the empty password problem was shown when using OpenLDAP,
but at least it was reported with eDirectory:
https://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00084.html
The problem should also only occur when the `nullok` option is passed
to pam_ldap in your PAM stack.
> Another question is that after logging in with pam_authc_search NONE,
> I am immediately notified that the password must be changed, but the
> session is closed. I would like to ask if there is some support for
> the user changing their own password at this stage.
From your logs:
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_sasl_bind("uid=lux,ou=Tecnici,ou=People,dc=test,dc=it","***")
> (uri="ldap://127.0.0.1/") (ppolicy=yes)
> nslcd: [e45d32] <authc="lux"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE
> (Password must be changed)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it",
> filter="(objectClass=*)")
> nslcd: [e45d32] <authc="lux"> ldap_result() failed: Insufficient access:
> Operations are restricted to bind/unbind/abandon/StartTLS/modify password
The problem here may be that the policy does not provide any grace
logins left, but I'm not 100% sure. It could be that the PAM stack does
not provide the correct answers. To get more information add the debug
option to the pam_ldap.so lines in your PAM stack (at least for auth
and account parts).
Hope this helps,
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
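For reference, an added configuration sketch that is not part of Arthur's mail: it puts the risky setting discussed above (pam_authc_search NONE together with nullok) next to the safer default, and shows the debug option added to the pam_ldap.so lines. File names (/etc/nslcd.conf, /etc/pam.d/system-auth) and the exact PAM control flags are assumptions based on a stock CentOS 7 layout.

```conf
# /etc/nslcd.conf (illustrative fragment; file path assumed)
#
# Risky combination from the thread: skipping the post-bind search while
# the PAM stack also passes nullok. Some directories (eDirectory was the
# reported case) may treat a bind with an empty password as anonymous yet
# report success, so without a follow-up search the empty password is
# accepted as a valid login.
#pam_authc_search NONE

# Safer: keep the post-bind search (BASE is the default) so nslcd confirms
# the bind really authenticated as the user's own entry.
pam_authc_search BASE

# /etc/pam.d/system-auth (CentOS 7 layout assumed; relevant lines only)
#
# Leave nullok off pam_ldap.so unless empty passwords are intended; this
# is the option that exposes the anonymous-bind case above. 'debug' makes
# pam_ldap log what it receives from nslcd, including the ppolicy result
# (e.g. "Password must be changed") for the auth and account phases.
auth      sufficient  pam_ldap.so use_first_pass debug
account   [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
password  sufficient  pam_ldap.so use_authtok debug
```

With debug set, the PAM-side messages appear in the system log alongside the nslcd entries quoted above, which makes it possible to see whether the stack or the policy is ending the session.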