security/pam_ldap - update to version 1.8.0

Konstantin Saurbier saurbier at math.uni-bielefeld.de
Mon Aug 29 13:22:21 GMT 2005


Adam Pordzik wrote on Sun Aug 28, 2005 at 06:29:52PM:
> Konstantin Saurbier wrote:
> 
> >>Since pam_unix.so grants access to everybody in account stage, pam_ldap
> >>should be made "required" here, if you want PAM more than just _saying_
> >>"Access denied for this host". Hence a line
> 
> Perhaps pam_unix should be revised?

Maybe, but I'm not able to do that.


> >Good point. I fixed the patch, it's attached and can also be found at 
> >http://www.math.uni-bielefeld.de/~saurbier/patches/pam_ldap.patch
> 
> Annot.: I only tested it against an account with the host attribute set.
> Has anyone tested whether it works with some of the shadow
> attributes, e.g. shadowExpire?

Not me, I have no shadow in use.


> with
> 
> password        sufficient      pam_ldap.so             use_first_pass
> 
> and a similar patch against /usr/src/usr.bin/passwd/passwd.c one can also
> allow users to change their password with passwd(1)
> 
> %diff -u passwd.c.orig passwd.c
> --- /usr/src/usr.bin/passwd/passwd.c.orig  Mon May 24 19:41:40 2004
> +++ /usr/src/usr.bin/passwd/passwd.c       Tue Aug 31 18:03:00 2004
> @@ -121,8 +121,7 @@
>                break;
>        default:
>                /* XXX: Green men ought to be supported via PAM. */
> -               errx(1,
> -         "Sorry, `passwd' can only change passwords for local or NIS 
> users.");
> +               fprintf(stderr, "Now you can change LDAP passwords via 
> PAM\n");
>        }
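
Review bot: in the default: branch, replacing errx(1, ...) with fprintf() means every account source that is neither local nor NIS now continues past the switch instead of exiting, not only LDAP accounts, and "Now you can change LDAP passwords via PAM" is written to stderr on each such run. Drop the fprintf() or word it as a neutral notice, update the now stale "XXX: Green men ought to be supported via PAM." comment, and make sure a source with no usable PAM password module still ends in a clear error rather than silently continuing.
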
> 
> Of course, to also allow root/administrators to change users' passwords it
> needs an appropriate "rootbinddn ..." in ldap.conf.
> 
> But I have to check that again, because chsh for LDAP accounts here creates
> a local account instead of modifying the directory.

Good idea, maybe you should send a PR. At least for passwd it would be 
very helpful.

In the meantime I sent a PR for pam_ldap:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/85435

Regards,

Konstantin

------------------------------------------------------
Konstantin Saurbier
Computerlabor Mathematik                        U5-138
Universitaet Bielefeld            Universitaetsstr. 25
33501 Bielefeld
email:                  saurbier at math.uni-bielefeld.de
------------------------------------------------------
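
The account-stage point discussed in this thread, as an added example that is not part of the original message or of the port: a small Python lint that reports when pam_ldap.so is used in a pam.d service file but its account rule cannot deny access. The sample file contents, the module path and the finding names are constructed assumptions.

```python
import os

# Controls under which a module's failure denies the request. The thread asks
# for "required"; "requisite" and OpenPAM's "binding" also deny on failure.
ENFORCING = {"required", "requisite", "binding"}

def parse_pam(text):
    """Return (facility, control, module_basename) for each rule in a pam.d file."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) >= 3:
            rules.append((fields[0].lower(), fields[1].lower(),
                          os.path.basename(fields[2])))
    return rules

def check_account(text, module="pam_ldap.so"):
    """Return findings about how `module` is used in the account facility."""
    rules = parse_pam(text)
    account = [c for f, c, m in rules if f == "account" and m == module]
    used_elsewhere = any(m == module and f != "account" for f, c, m in rules)
    findings = []
    if not account and used_elsewhere:
        # Module authenticates users but never gets to veto the login.
        findings.append(("missing-account-rule", module))
    for control in account:
        if control not in ENFORCING:
            # A denial from the module is ignored by the rest of the chain.
            findings.append(("non-enforcing-control", control))
    return findings

# Constructed sample: a pam_ldap denial is ignored, pam_unix.so then succeeds.
WEAK = """\
auth      sufficient  /usr/local/lib/pam_ldap.so
auth      required    pam_unix.so  use_first_pass
account   sufficient  /usr/local/lib/pam_ldap.so
account   required    pam_unix.so
"""

# Constructed sample: the account rule the thread recommends.
FIXED = WEAK.replace("account   sufficient", "account   required  ")

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, check_account(conf) or "ok")
```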