[sudo-workers] ldap and password
Brian L Farrell
blfarrell at ra.rockwell.com
Mon Aug 23 09:01:39 EDT 2004
Markus,
Since this is in the PAM code, did you check other account validations
that may be required such as base UNIX or other validations that may be
required in your environment?
The basic point is that it may not be LDAP that is causing the problem as
with PAM you can stack authentication and validation procedures. The
pam_authenticate procedure is for the authentication such as password
validation. The pam_acct_mgmt verifies validity of the account. It is
this validity checking where you seem to be having problems. In the PAM
configuration files, the validity checks (pam_acct_mgmt calls) use the "account"
lines in your PAM configuration (/etc/pam.conf or /etc/pam.d/{sudo, or
system-auth}) for what rules to follow.
You indicated earlier that you were ok logging into ldap for mail. Do you
do host authentication and session validation with ldap as well? If so
can you log into the system using ssh or other tools? Most likely sudo
will follow similar authentication and session validation that a normal
login does unless you configure PAM otherwise.
Brian Farrell
Markus Rennings <news at rennings.net>
Sent by: sudo-workers-bounces at courtesan.com
08/20/2004 04:24 PM
To: sudo-workers at sudo.ws
cc:
Subject: Re: [sudo-workers] ldap and password
On Friday, 20 August 2004 17:16, Todd C. Miller wrote:
> > Ah, ok, but do you know any workaround? I have no expiration date in my
> > ldap, so I don't know why pam returns _EXPIRED. As I said in my last mail
> > login works as expected - therefore I think my pam works with ldap.
>
> You can back out revision 1.43 of auth/pam.c and pam_acct_mgmt()
> will not be called.
> [patch]
Thx for the patch - now it works.
Ciao,
Markus
--
A: Because it makes the text harder to read.
Q: Why is TOFU so bad?
A: TOFU
Q: What is the biggest annoyance on Usenet?
____________________________________________________________
sudo-workers mailing list <sudo-workers at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-workers
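
Added example (not part of the thread and not sudo's code): a small resolver that lists which modules sit in the "auth" stack used by pam_authenticate and in the "account" stack used by pam_acct_mgmt for the sudo service, following include lines into system-auth. The file contents are constructed samples in /etc/pam.d format, and the function name stack is hypothetical; the /etc/pam.conf layout (service name in the first column) and Debian-style @include lines are not handled.

```python
# Constructed sample files in /etc/pam.d format (not from the thread).
SAMPLE = {
    "sudo": (
        "#%PAM-1.0\n"
        "auth     include  system-auth\n"
        "account  include  system-auth\n"
    ),
    "system-auth": (
        "auth     sufficient  pam_unix.so nullok\n"
        "auth     sufficient  pam_ldap.so use_first_pass\n"
        "auth     required    pam_deny.so\n"
        "account  required    pam_unix.so\n"
        "account  [default=bad success=ok user_unknown=ignore] pam_ldap.so\n"
    ),
}

# Which PAM call walks which management group.
CALLS = {"pam_authenticate": "auth", "pam_acct_mgmt": "account"}


def stack(service, group, files, seen=()):
    """Return (file, control, module) for each rule of one management group."""
    if service in seen:          # guard against include loops
        return []
    rules = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].lstrip("-") != group:
            continue
        if fields[1].startswith("["):   # bracketed control: [value=action ...]
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
        else:
            end = 1
        control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        if control in ("include", "substack"):
            rules += stack(rest[0], group, files, seen + (service,))
        else:
            rules.append((service, control, rest[0]))
    return rules


if __name__ == "__main__":
    for call, group in CALLS.items():
        print(f"{call}() -> '{group}' stack for sudo:")
        for src, control, module in stack("sudo", group, SAMPLE):
            print(f"  {src}: {control} {module}")
```

With the sample files, the account stack contains pam_unix.so ahead of pam_ldap.so, so an account-validity failure can come from a non-LDAP module even when LDAP password authentication succeeds.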