
[nssldap] Questions about start_tls
- From: maillists0 [at] gmail.com
- To: nssldap [at] padl.com
- Subject: [nssldap] Questions about start_tls
- Date: Tue, 9 Dec 2008 16:32:27 -0500
I'm trying to set up nss_ldap on CentOS 5.2 to authenticate against openldap 2.3.27, using ppolicy and a password quality checker. I have two questions.
First, I am using start_tls and everything seems to be working. However, I can see in debug mode that the password is being sent clear text when I change the password, in spite of the fact that I have "pam_password crypt" in ldap.conf --
0010: 6a 65 66 66 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 jeff,ou=People,d
0020: 63 3d 73 68 75 74 74 65 72 73 74 6f 63 6b 2c 64 c=mydomain,d
0030: 63 3d 63 6f 6d 80 08 71 77 65 61 73 64 31 40 a0 c=com..mypassword@.
0040: 1d 30 1b 04 19 31 2e 33 2e 36 2e 31 2e 34 2e 31 .0...1.3.6.1.4.1
0050: 2e 34 32 2e 32 2e 32 37 2e 38 2e 35 2e 31 .42.2.27.8.5.1
Is there something else I need to do to encrypt everything, have I misconfigured something, or am I misunderstanding start_tls? There are no complaints in the debug output about tls.
Second, and probably related, the password quality checking isn't working. Although I can successfully change the password and I do get prompted to change the password when time runs out on it, it does not check it against its history -- I can enter the same password every other time without complaint.
It might be another clue that, when I do change the password, the first prompt says "Enter login(LDAP) password:", and the next prompt says "New password". I was under the impression that the second prompt should also contain "LDAP". Is that correct?
Any help or guidance will be greatly appreciated. I'm about at wit's end with this one.
Here's my ldap.conf ...
base dc=mydomain,dc=com
ssl start_tls
tls_checkpeer no
use_sasl off
timelimit 120
bind_timelimit 120
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_lookup_policy yes
pam_password crypt
uri ldap://10.0.1.20/ ldap://10.0.1.21/
debug 2
Here's /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password sufficient pam_ldap.so
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel/
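The hex dump in the post is libldap's BER trace of the bind PDU as the client library builds it, before it is handed to the transport; the 0x80 tag right after the DN is the "simple" AuthenticationChoice carrying the credential, and the 0xa0 block that follows holds request controls such as the ppolicy control OID 1.3.6.1.4.1.42.2.27.8.5.1. The decoder below is an added example, not code from the thread or from nss_ldap, and the DN and password in its sample PDU are constructed placeholders.

```python
# Minimal BER walker for an LDAP BindRequest, shaped like the nss_ldap debug dump.
PPOLICY_REQUEST_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # control OID seen in the post


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER TLV (short or long length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(pdu):
    """Decode LDAPMessage{messageID, BindRequest, [0] Controls OPTIONAL} into a dict."""
    tag, msg, _ = read_tlv(pdu, 0)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    _, mid, pos = read_tlv(msg, 0)
    tag, bind, pos = read_tlv(msg, pos)
    assert tag == 0x60, "expected BindRequest [APPLICATION 0]"
    _, version, p = read_tlv(bind, 0)
    _, dn, p = read_tlv(bind, p)
    auth_tag, cred, _ = read_tlv(bind, p)   # 0x80 = simple (cleartext), 0xA3 = sasl
    info = {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(version, "big"),
            "dn": dn.decode(),
            "auth": "simple" if auth_tag == 0x80 else "sasl",
            "cleartext_credential_len": len(cred) if auth_tag == 0x80 else 0,
            "controls": []}
    if pos < len(msg):                      # optional [0] Controls after the BindRequest
        tag, ctrls, _ = read_tlv(msg, pos)
        cp = 0
        while tag == 0xA0 and cp < len(ctrls):
            _, ctrl, cp = read_tlv(ctrls, cp)   # Control ::= SEQUENCE { controlType, ... }
            _, oid, _ = read_tlv(ctrl, 0)
            info["controls"].append(oid.decode())
    return info


def encode_tlv(tag, value):
    """Short-form BER encoder (values under 128 bytes) used to build the sample PDU."""
    return bytes([tag, len(value)]) + value


# Constructed sample: simple bind with a placeholder DN and password plus the ppolicy control.
SAMPLE_PDU = encode_tlv(0x30,
    encode_tlv(0x02, b"\x01")
    + encode_tlv(0x60, encode_tlv(0x02, b"\x03")
                 + encode_tlv(0x04, b"uid=testuser,ou=People,dc=example,dc=com")
                 + encode_tlv(0x80, b"placeholder"))
    + encode_tlv(0xA0, encode_tlv(0x30, encode_tlv(0x04, PPOLICY_REQUEST_OID.encode()))))

if __name__ == "__main__":
    print(parse_bind_request(SAMPLE_PDU))
```

A simple bind always puts the credential in the PDU in the clear, so whether it is protected on the wire depends entirely on the TLS layer underneath, which this trace does not show.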