security/pam_ldap - update to version 1.8.0
Konstantin Saurbier
saurbier at math.uni-bielefeld.de
Mon Aug 29 13:22:21 GMT 2005
Adam Pordzik wrote on Sun Aug 28, 2005 at 06:29:52PM:
> Konstantin Saurbier wrote:
>
> >>Since pam_unix.so grants access to everybody in account stage, pam_ldap
> >>should be made "required" here, if you want PAM more than just _saying_
> >>"Access denied for this host". Hence a line
>
> Perhaps pam_unix should be revised?
Maybe, but I'm not able to do that.
> >Good point. I fixed the patch, it's attached and can also be found at
> >http://www.math.uni-bielefeld.de/~saurbier/patches/pam_ldap.patch
>
> Annot.: I only tested it against an account with host-attribute set.
> Has anyone tested whether it works with some of the shadow
> attributes like shadowExpire, e.g.?
Not me, I have no shadow in use.
> with
>
> password sufficient pam_ldap.so use_first_pass
>
> and a similar patch against /usr/src/usr.bin/passwd/passwd.c one can also
> allow users to change their password with passwd(1)
>
> %diff -u passwd.c.orig passwd.c
> --- /usr/src/usr.bin/passwd/passwd.c.orig Mon May 24 19:41:40 2004
> +++ /usr/src/usr.bin/passwd/passwd.c Tue Aug 31 18:03:00 2004
> @@ -121,8 +121,7 @@
> break;
> default:
> /* XXX: Green men ought to be supported via PAM. */
> - errx(1,
> - "Sorry, `passwd' can only change passwords for local or NIS
> users.");
> + fprintf(stderr, "Now you can change LDAP passwords via
> PAM\n");
> }
>
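Review bot: In the default: branch, replacing errx(1, ...) with fprintf(stderr, ...) removes the exit for every password source that is not local or NIS, not only for LDAP, so passwd now continues for any unrecognized source while printing a message that asserts LDAP support. Suggest keeping errx() as the default and handling the LDAP case explicitly (or otherwise checking that the account is actually served by pam_ldap before continuing), dropping the informational message or making it accurate, and updating or removing the "XXX: Green men ought to be supported via PAM" comment so it matches the new behaviour.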
> Of course, to also allow root/administrators to change users' passwords, it
> needs an appropriate "rootbinddn ..." in ldap.conf.
>
> But I have to check that again, because chsh for LDAP accounts here creates
> a local account instead of modifying the directory.
Good idea, maybe you should send a PR. At least for passwd it would be
very helpful.
In the meantime I sent a PR for pam_ldap:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/85435
Regards,
Konstantin
------------------------------------------------------
Konstantin Saurbier
Computerlabor Mathematik U5-138
Universitaet Bielefeld Universitaetsstr. 25
33501 Bielefeld
email: saurbier at math.uni-bielefeld.de
------------------------------------------------------