lists.arthurdejong.org

Re: [nssldap] how disable shadow map






Brian J. Murrell wrote:
Hi,

I want to disable the shadow map, and specifically, stop the passwd map
from returning "x" in the password field.  I use kerberos for
authentication here and thus have no use for shadow, and having the "x"
in the passwd map without a shadow map screws up pam_unix as it thinks
that shadow information should be available and kacks when it cannot
find it.


We too use Kerberos for authentication, and use the shadow password entry
to indicate an account is locked or is valid but has no matching Unix password.

"*LK*" is interpreted as a locked account. A user can still authenticate with
Kerberos, but since the account is locked cannot log in. "NP" is interpreted as
"no password", indicating that there is no Unix password that can be used with
this account, but if authenticated some other way like Kerberos,
the account can be used.

The userPassword attribute is then set to {crypt}NP or {crypt}*LK*
This then works with Linux or Solaris clients.

Look at man shadow on Linux and Solaris.



I noticed from a quick browse of the code:

  if (_nss_ldap_oc_check (e, "shadowAccount") == NSS_SUCCESS)
    {
      /* don't include password for shadowAccount */
      if (buflen < 3)
        return NSS_TRYAGAIN;

      pw->pw_passwd = buffer;
      strcpy (buffer, "x");
      buffer += 2;
      buflen -= 2;
    }
  else
    {
      stat =
        _nss_ldap_assign_userpassword (e, ATM (LM_PASSWD, userPassword),
                                       &pw->pw_passwd, &buffer, &buflen);
      if (stat != NSS_SUCCESS)
        return stat;
    }

but given that I have no "nss_map_objectclass shadowAccount ..." lines
in my /etc/ldap.conf file, I must be running into some default behaviour
I need to override.

Or maybe I am just barking completely up the wrong tree.

Thots?
b.


--

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
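
Added example, not part of the original message and not code from nss_ldap: a small C audit helper that classifies a userPassword value using the "*LK*" / "NP" convention described in the reply, and flags values that could still be matched as a Unix password. The enum and function names are hypothetical, and the hash-shape test is a simplification (traditional 13-character and '$'-prefixed crypt formats only).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not identifiers from nss_ldap. */
enum pw_kind { PW_EMPTY, PW_SHADOWED, PW_LOCKED, PW_NO_UNIX_PW,
               PW_USABLE_HASH, PW_UNMATCHABLE, PW_OTHER_SCHEME };

static int has_crypt_prefix(const char *s)   /* case-insensitive "{crypt}" */
{
    for (const char *p = "{crypt}"; *p; p++, s++)
        if (tolower((unsigned char)*s) != *p)
            return 0;
    return 1;
}

/* Traditional crypt(3) output is exactly 13 chars of [./0-9A-Za-z]; modular
   formats begin with '$'. This example treats anything else as unmatchable. */
static int looks_like_crypt_hash(const char *s)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    if (s[0] == '$') return strlen(s) > 3;
    return strlen(s) == 13 && strspn(s, set) == 13;
}

/* Classify one LDAP userPassword value, e.g. "{crypt}*LK*". */
enum pw_kind classify_userpassword(const char *val)
{
    if (val != NULL && val[0] == '{') {
        if (!has_crypt_prefix(val))
            return PW_OTHER_SCHEME;   /* e.g. {SSHA}: not a crypt(3) field */
        val += 7;                     /* skip "{crypt}" */
    }
    if (val == NULL || *val == '\0')
        return PW_EMPTY;              /* empty field: no password required */
    if (strcmp(val, "x") == 0)    return PW_SHADOWED;   /* shadow entry expected */
    if (strcmp(val, "*LK*") == 0) return PW_LOCKED;
    if (strcmp(val, "NP") == 0)   return PW_NO_UNIX_PW;
    return looks_like_crypt_hash(val) ? PW_USABLE_HASH : PW_UNMATCHABLE;
}

int main(void)
{
    /* Constructed sample values, not from any real directory. */
    const char *v[] = { "{crypt}*LK*", "{crypt}NP", "x", "{crypt}abJnggxhB/yWI" };
    for (int i = 0; i < 4; i++)
        printf("%-22s -> %d\n", v[i], classify_userpassword(v[i]));
    return 0;
}
```

On a Kerberos-only directory, PW_USABLE_HASH and PW_EMPTY are the results worth reviewing, since only those leave a Unix password path open.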