[nssldap] Re: how disable shadow map
- From: "Brian J. Murrell" <brian [at] interlinx.bc.ca>
- To: nssldap [at] padl.com
- Subject: [nssldap] Re: how disable shadow map
- Date: Fri, 23 Oct 2009 22:38:38 -0400
On Fri, 2009-10-23 at 15:26 +0100, Buchan Milne wrote:
>
> Do you need any shadow functionality?
Don't think so, nope, given that my authentication is handled by
kerberos.
> If not, just remove ldap from the shadow
> line in /etc/nsswitch.conf .
Ahhh. If only it were that simple. Of course I tried this and it's
that particular action that makes pam_unix's account action fail access.
The reason is that regardless of whether ldap is listed
in /etc/nsswitch.conf's shadow configuration or not, the passwd map
provided by nss_ldap still contains an "x" in the password field.
That "x" is what directs pam_unix to try to do shadow checks for the
account, and when the account is not found in the shadow map, pam_unix
fails the account action.
What needs to happen is that nss_ldap needs to stop presenting the
passwd entries with "x" in the password field if the shadow map is
undesired.
> Don't give nss_ldap access to the userPassword attribute.
And do you think that will prevent nss_ldap from presenting the password
field in the password map with an "x"? I'm willing to try it. What
configuration changes do you suggest? It's been a while since I
originally set this up and would have to go refresh my aged memory on
what to do exactly.
> There is no reason
> to expose password hashes ...
In fact there are not even hashes in the userPassword attribute as LDAP
is not used at all for authentication.
> If you need other shadow functionality (e.g. password expiry), use ppolicy
> instead. If you need account expiry, I don't know if there are other options.
I don't enforce password and account expiry but I would imagine kerberos
handles this for me.
b.
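An added example, not part of this thread or of nss_ldap itself: a small model of the failure described in the message above. When the passwd entry carries an "x" in the password field, pam_unix goes looking for a shadow entry; if the shadow line in /etc/nsswitch.conf no longer lists the source that actually holds the account, that lookup comes back empty and the account step fails. The nsswitch fragments, passwd line and per-source shadow maps below are all constructed, and the check models only the "x" marker the thread discusses.

```python
"""Added example (not from the nssldap thread or nss_ldap): predict the
outcome of pam_unix's account step for a passwd entry under a given
/etc/nsswitch.conf. All inputs are constructed samples."""

# Constructed nsswitch.conf fragment: ldap removed from the shadow line.
NSSWITCH_NO_LDAP_SHADOW = """\
# constructed sample
passwd:   files ldap
group:    files ldap
shadow:   files
"""

# Constructed variant with ldap still listed for shadow lookups.
NSSWITCH_WITH_LDAP_SHADOW = """\
passwd:   files ldap
group:    files ldap
shadow:   files ldap
"""

# Constructed passwd entry as nss_ldap presents it ("x" = consult shadow).
PASSWD_LDAP_USER = "brian:x:1000:1000:Brian:/home/brian:/bin/bash"

# Constructed shadow maps: which accounts each NSS source can answer for.
SHADOW_MAPS = {
    "files": {"root"},
    "ldap": {"brian"},
}


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text.

    Comments and action specs such as [NOTFOUND=return] are dropped;
    that is sufficient for this diagnosis.
    """
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        dbs[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def password_field(passwd_entry):
    """Second colon-separated field of a passwd(5) line."""
    fields = passwd_entry.split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd entry")
    return fields[1]


def needs_shadow_lookup(passwd_entry):
    """pam_unix reads "x" in the password field as 'the hash lives in shadow'."""
    return password_field(passwd_entry) == "x"


def diagnose_account_check(passwd_entry, nsswitch_text, shadow_maps):
    """Return one of: no_shadow_needed, shadow_ok, shadow_missing."""
    if not needs_shadow_lookup(passwd_entry):
        return "no_shadow_needed"
    user = passwd_entry.split(":", 1)[0]
    for src in parse_nsswitch(nsswitch_text).get("shadow", []):
        if user in shadow_maps.get(src, set()):
            return "shadow_ok"
    # "x" demanded a shadow entry, but no configured source can supply it:
    # this is the state in which pam_unix's account action fails.
    return "shadow_missing"


if __name__ == "__main__":
    for label, conf in (("shadow: files", NSSWITCH_NO_LDAP_SHADOW),
                        ("shadow: files ldap", NSSWITCH_WITH_LDAP_SHADOW)):
        print(label, "->", diagnose_account_check(PASSWD_LDAP_USER, conf, SHADOW_MAPS))
```

Run against a real host, the same logic corresponds to comparing the second field of `getent passwd <user>` with whether `getent shadow <user>` returns anything after the nsswitch change; the constructed maps stand in for those lookups so the script runs offline.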