Re: [nssldap] how disable shadow map

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Guillaume Rousse <Guillaume.Rousse [at] inria.fr>
Cc: nssldap [at] padl.com
Subject: Re: [nssldap] how disable shadow map
Date: Sat, 24 Oct 2009 00:05:51 +0200

Buchan Milne a écrit :

On Wednesday, 21 October 2009 17:12:09 Brian J. Murrell wrote:

Hi,

I want to disable the shadow map,

Do you need any shadow functionality? If not, just remove ldap from the shadowline in /etc/nsswitch.conf .

and specifically, stop the passwd map
from returning "x" in the password field.

Don't give nss_ldap access to the userPassword attribute. There is no reasonto expose password hashes ...

I use kerberos for
authentication here and thus have no use for shadow, and having the "x"
in the passwd map without a shadow map screws up pam_unix as it thinks
that shadow information should be available and kacks when it cannot
find it.

I noticed from a quick browse of the code:

if (_nss_ldap_oc_check (e, "shadowAccount") == NSS_SUCCESS)
  {
      /* don't include password for shadowAccount */
      if (buflen < 3)
        return NSS_TRYAGAIN;

      pw->pw_passwd = buffer;
      strcpy (buffer, "x");
      buffer += 2;
      buflen -= 2;
    }
  else
    {
      stat =
        _nss_ldap_assign_userpassword (e, ATM (LM_PASSWD, userPassword),
                                       &pw->pw_passwd, &buffer, &buflen);
      if (stat != NSS_SUCCESS)
        return stat;
    }

but given that I have no "nss_map_objectclass shadowAccount ..." lines
in my /etc/ldap.conf file, I must be running into some default behaviour
I need to override.

If you need other shadow functionality (e.g. password expiry), use ppolicyinstead. If you need account expiry, I don't know if there are other options.

Unfortunatly, setting scheduled password expiration date in ppolicy isnot possible, see ITS 6084:

http://www.openldap.org/its/index.cgi/Development?id=6084;selectid=6084

And relying on an operational attribute for it isn't a good idea anyway.

The only solution I know currently to schedule account termination(either by password or account expiration)

expiration is to use shadowAccount, and it only works for pam.

On the other hand, kerberos is supposed to support principal ANDpassword expiration. I guess it may be used from either authenticationor authorisation stage of pam, and also for direct ldap authenticationif ldap server BIND operation is delegated to kerberos (through smbkrb5overlay or SASL).


--
BOFH excuse #399:

We are a 100% Microsoft Shop.

[nssldap] how disable shadow map, Brian J. Murrell
- Re: [nssldap] how disable shadow map, Douglas E. Engert
- <Possible follow-ups>
- [nssldap] how disable shadow map, Brian J. Murrell
  - Re: [nssldap] how disable shadow map, Buchan Milne
    - Re: [nssldap] how disable shadow map, Guillaume Rousse
    - [nssldap] Re: how disable shadow map, Brian J. Murrell
      - Re: [nssldap] Re: how disable shadow map, Paul B. Henson
        
        [nssldap] Re: Re: how disable shadow map, Brian J. Murrell

Prev by Date: Re: [nssldap] how disable shadow map
Next by Date: Re: [nssldap] how disable shadow map
Previous by thread: Re: [nssldap] how disable shadow map
Next by thread: Re: [nssldap] how disable shadow map