security/pam_ldap - update to version 1.8.0

Adam Pordzik adampordzik at gmx.de
Sun Aug 28 16:29:57 GMT 2005



Konstantin Saurbier wrote:
>> 
>> This bug issues only entries of "passwordPolicy" Class, so it's
>> not very wicked.
> 
> I know, but there's no reason not to fix the port :-)

Yes, but this fix doesn't really fix it either. ;-) It might "prevent" users
from logging in already if the PasswordPolicyResponse returns a warning that
their password is only about to expire.

>> Since pam_unix.so grants access to everybody in account stage, pam_ldap
>> should be made "required" here, if you want PAM more than just _saying_
>> "Access denied for this host". Hence a line

Perhaps pam_unix should be revised?

> Good point. I fixed the patch, it's attached and can also be found at 
> http://www.math.uni-bielefeld.de/~saurbier/patches/pam_ldap.patch

Note: I only tested it against accounts with the host attribute set.
Has anyone tested whether it works with some of the shadow
attributes, e.g. shadowExpire?

> +auth		sufficient	pam_ldap.so no_warn try_first_pass
> +account	required	pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
> +session	optional	pam_ldap.so
>  ================================================================================
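Review bot: the `ignore_authinfo_unavail` option on the `required` account line makes this stack fail open. When the LDAP server is unreachable pam_ldap returns PAM_IGNORE, the host-attribute check is skipped, and the account stage falls through to pam_unix, which as noted above grants everybody. If the host attribute is meant to be enforced on this machine, drop that option from the account line and accept that logins fail while the directory is down; keep it only where local accounts must keep working without the directory. The patch also adds no `password` line, so passwd(1) will still not reach pam_ldap.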

with

password        sufficient      pam_ldap.so             use_first_pass

and a similar patch against /usr/src/usr.bin/passwd/passwd.c, one can also
allow users to change their password with passwd(1):

%diff -u passwd.c.orig passwd.c
--- /usr/src/usr.bin/passwd/passwd.c.orig  Mon May 24 19:41:40 2004
+++ /usr/src/usr.bin/passwd/passwd.c       Tue Aug 31 18:03:00 2004
@@ -121,8 +121,7 @@
                break;
        default:
                /* XXX: Green men ought to be supported via PAM. */
-               errx(1,
-         "Sorry, `passwd' can only change passwords for local or NIS users.");
+               fprintf(stderr, "Now you can change LDAP passwords via PAM\n");
        }
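Review bot: with the `errx(1, ...)` removed, the `default:` case now falls through into the PAM code path for every user type that is neither local nor NIS, not just LDAP users, and the diff does not show that the code after the `switch` copes with that. The replacement `fprintf(stderr, "Now you can change LDAP passwords via PAM\n")` is a debug message printed on every such invocation; either drop it or reword it for users. The `/* XXX: Green men ought to be supported via PAM. */` comment should also be updated, since the hunk implements exactly that.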

Of course, to also allow root/administrators to change users' passwords,
an appropriate "rootbinddn ..." entry in ldap.conf is needed.

But I have to check that again, because chsh for LDAP accounts here creates
a local account instead of modifying the directory.

A

-- 
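The thread's argument (pam_unix grants everybody in the account stage, so pam_ldap must be "required" there, and `ignore_authinfo_unavail` changes what happens when the directory is down) is easier to see by running the control flags through a dispatcher. The following is an added example, not code from the thread, from pam_ldap, or from OpenPAM: a small simulator of PAM chain dispatch modelled on OpenPAM's rules, with constructed stand-ins for the pam_unix and pam_ldap account modules and a constructed host-attribute directory. Module names, users and hosts are assumptions made for the illustration.

```python
# Added example (not from the thread, pam_ldap or OpenPAM): simulate PAM
# control-flag dispatch for the "account" stage to show why pam_ldap must be
# "required" and what ignore_authinfo_unavail does when LDAP is unreachable.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"

# Constructed directory: the hosts each LDAP user's "host" attribute allows.
LDAP_HOST_ATTR = {
    "alice": {"www1", "www2"},
    "bob": {"db1"},
}
THIS_HOST = "www1"  # assumed name of the machine running the PAM stack


def pam_unix_account(user, opts, ldap_up):
    # Stand-in for what the thread observes: pam_unix grants everybody
    # in the account stage.
    return PAM_SUCCESS


def pam_ldap_account(user, opts, ldap_up):
    # Stand-in for pam_ldap's host-attribute check, honouring the two
    # options used on the account line in the quoted patch.
    if not ldap_up:
        return PAM_IGNORE if "ignore_authinfo_unavail" in opts else PAM_AUTHINFO_UNAVAIL
    if user not in LDAP_HOST_ATTR:
        return PAM_IGNORE if "ignore_unknown_user" in opts else PAM_USER_UNKNOWN
    return PAM_SUCCESS if THIS_HOST in LDAP_HOST_ATTR[user] else PAM_PERM_DENIED


def dispatch(stack, user, ldap_up=True):
    """Run one PAM chain; stack is [(control, module, set_of_options), ...].
    Rules modelled on OpenPAM: PAM_IGNORE skips the module; a failing
    'required' module is remembered but the chain continues; a successful
    'sufficient' module ends the chain with success unless a 'required'
    module already failed; 'sufficient' and 'optional' failures are ignored;
    a 'requisite' failure returns immediately."""
    first_error = None
    for control, module, opts in stack:
        ret = module(user, opts, ldap_up)
        if ret == PAM_IGNORE:
            continue
        if control == "required":
            if ret != PAM_SUCCESS and first_error is None:
                first_error = ret
        elif control == "requisite":
            if ret != PAM_SUCCESS:
                return ret
        elif control == "sufficient":
            if ret == PAM_SUCCESS and first_error is None:
                return PAM_SUCCESS
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return first_error or PAM_SUCCESS


# pam_ldap as 'sufficient': its denial is ignored and pam_unix lets everyone in.
WEAK_ACCOUNT = [
    ("sufficient", pam_ldap_account, {"ignore_unknown_user"}),
    ("required", pam_unix_account, set()),
]

# The quoted patch: 'required', but ignore_authinfo_unavail turns an
# unreachable directory into PAM_IGNORE, so the host check is skipped.
PATCHED_ACCOUNT = [
    ("required", pam_ldap_account, {"ignore_unknown_user", "ignore_authinfo_unavail"}),
    ("required", pam_unix_account, set()),
]

# Same line without ignore_authinfo_unavail: fails closed when LDAP is down.
STRICT_ACCOUNT = [
    ("required", pam_ldap_account, {"ignore_unknown_user"}),
    ("required", pam_unix_account, set()),
]


if __name__ == "__main__":
    stacks = (("weak", WEAK_ACCOUNT), ("patched", PATCHED_ACCOUNT), ("strict", STRICT_ACCOUNT))
    for name, stack in stacks:
        for user in ("alice", "bob", "localonly"):
            for up in (True, False):
                print(f"{name:8} {user:10} ldap_up={up!s:5} -> {dispatch(stack, user, up)}")
```

Running it shows the three cases the thread is arguing about: with pam_ldap "sufficient", bob (allowed only on db1) still gets into www1; with the patched "required" line he is denied while the directory is reachable, but gets in again as soon as it is unreachable; without `ignore_authinfo_unavail` the stack fails closed, at the price of also locking out local-only accounts while LDAP is down.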

