security/pam_ldap - update to version 1.8.0
Adam Pordzik
adampordzik at gmx.de
Sun Aug 28 16:29:57 GMT 2005
Konstantin Saurbier wrote:
>>
>> This bug issues only entries of the "passwordPolicy" class, so it's
>> not very wicked.
>
> I know, but there's no reason not to fix the port :-)
Yes, but this fix doesn't really fix it either. ;-) It might "prevent" users
from logging in already if the PasswordPolicyResponse returns a warning that
their password is only about to expire.
>> Since pam_unix.so grants access to everybody in account stage, pam_ldap
>> should be made "required" here, if you want PAM more than just _saying_
>> "Access denied for this host". Hence a line
Perhaps pam_unix should be revised?
> Good point. I fixed the patch, it's attached and can also be found at
> http://www.math.uni-bielefeld.de/~saurbier/patches/pam_ldap.patch
Annotation: I only tested it against an account with the host attribute set.
Has anyone tested whether it works with some of the shadow
attributes, e.g. shadowExpire?
> +auth sufficient pam_ldap.so no_warn try_first_pass
> +account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
> +session optional pam_ldap.so
> ================================================================================
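Review bot: the `+account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail` line undercuts the "required" intent argued above: with ignore_authinfo_unavail the module returns an ignorable result whenever the directory cannot be reached, so in that case the account stage is decided by pam_unix alone, which (as quoted earlier in this thread) grants access to everybody. If the goal is that host-based access control actually denies access, consider dropping ignore_authinfo_unavail here or documenting that an LDAP outage fails open for the account check.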
with
password sufficient pam_ldap.so use_first_pass
and a similar patch against /usr/src/usr.bin/passwd/passwd.c one can also
allow users to change their password with passwd(1)
%diff -u passwd.c.orig passwd.c
--- /usr/src/usr.bin/passwd/passwd.c.orig Mon May 24 19:41:40 2004
+++ /usr/src/usr.bin/passwd/passwd.c Tue Aug 31 18:03:00 2004
@@ -121,8 +121,7 @@
break;
default:
/* XXX: Green men ought to be supported via PAM. */
- errx(1,
- "Sorry, `passwd' can only change passwords for local or NIS users.");
+ fprintf(stderr, "Now you can change LDAP passwords via PAM\n");
}
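Review bot: the default branch of the switch no longer terminates the program; replacing `errx(1, ...)` with an `fprintf(stderr, ...)` means passwd continues into whatever follows the switch for every user type that is neither local nor NIS, not only LDAP users. If falling through to the PAM path is the intent, the printed text "Now you can change LDAP passwords via PAM" reads like a development note rather than a user-facing message and should become a comment (or be removed), and the patch should state that the code after the switch is safe to reach for the unmatched types.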
Of course, to also allow root/administrators to change users' passwords, it
needs an appropriate "rootbinddn ..." in ldap.conf.
But I have to check that again, because chsh for LDAP accounts here creates
a local account instead of modifying the directory.
A
--
More information about the freebsd-ports mailing list