security/pam_ldap - update to version 1.8.0

Adam Pordzik adampordzik at
Sat Aug 27 22:22:06 GMT 2005

Konstantin Saurbier wrote:
> Hi,
> i wrote a patch for security/pam_ldap to fix this security issue:
> Please test this patch and comment on any problems or bugs. For me it worked
> well, but my access to different releases and architectures is limited to
> 5.4-RELEASE and 6.0-BETA3 on i386.

This bug only affects entries of the "passwordPolicy" class, so it's
not very wicked.

>  ================================================================================
>  Copy %%PREFIX%%/etc/ldap.conf.dist to %%PREFIX%%/etc/ldap.conf, then edit
> -%%PREFIX%%/etc/ldap.conf in order to use this module.  Add a line similar to
> -the following to /etc/pam.conf on 4.X, or create an /etc/pam.d/ldap
> -on 5.X with a line similar to the following:

Good idea to correct this!

> +account		sufficient 
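Review bot: as quoted, the `+account sufficient` line carries no module argument, and the `sufficient` control flag in the account stack means a pam_ldap failure is ignored while a success ends the stack early, so an LDAP-side denial is only reported, not enforced. Use `required` together with `ignore_unknown_user ignore_authinfo_unavail` so the denial is enforced while local users and an unreachable LDAP server do not cause lockouts.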

Since this grants access to everybody in the account stage, pam_ldap
should be made "required" here, if you want PAM to do more than just _say_
"Access denied for this host". Hence a line

account	    required     ignore_unknown_user ignore_authinfo_unavail

works as expected. "ignore_authinfo_unavail" is needed so as not to lock out
local/other users when the LDAP server cannot be reached.
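As an added illustration of the stacking point above (not part of the patch or of the reply), here are the two account stacks side by side for an /etc/pam.d/ldap on 5.X. The module path /usr/local/lib/pam_ldap.so assumes %%PREFIX%% is /usr/local, and pam_unix.so is FreeBSD's own local account module.

```conf
# /etc/pam.d/ldap -- added example, not from the patch or the mailing list reply
#
# Weak stack (what the patch proposes): on LDAP success the stack ends here,
# so pam_unix.so below never runs; on LDAP failure the result is ignored,
# so "Access denied for this host" is printed but not enforced.
#account  sufficient  /usr/local/lib/pam_ldap.so
#account  required    pam_unix.so

# Recommended stack (what the reply suggests):
#  - required: an LDAP denial really denies access
#  - ignore_unknown_user: users not in LDAP (local accounts) are passed on
#  - ignore_authinfo_unavail: an unreachable LDAP server does not lock out
#    local users; pam_unix.so still performs the local account checks
account   required    /usr/local/lib/pam_ldap.so  ignore_unknown_user ignore_authinfo_unavail
account   required    pam_unix.so
```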



More information about the freebsd-ports mailing list