[sudo-workers] ldap and password

Brian L Farrell blfarrell at ra.rockwell.com
Mon Aug 23 09:01:39 EDT 2004


Since this is in the PAM code, did you check other account validations 
that may be required such as base UNIX or other validations that may be 
required in your environment?

The basic point is that it may not be LDAP that is causing the problem, as
with PAM you can stack authentication and validation procedures. The
pam_authenticate procedure is for the authentication, such as password
validation. The pam_acct_mgmt procedure verifies the validity of the account.
It is this validity checking where you seem to be having problems. In the PAM
configuration files, the validity checks (pam_acct_mgmt calls) check the
"account" lines in your PAM configuration (/etc/pam.conf or
/etc/pam.d/{sudo, or system-auth}) for what rules to follow.

You indicated earlier that you were OK logging into LDAP for mail. Do you
do host authentication and session validation with LDAP as well? If so,
can you log into the system using ssh or other tools? Most likely sudo
will follow similar authentication and session validation to what a normal
login does, unless you configure PAM otherwise.

Brian Farrell

Markus Rennings <news at rennings.net>
Sent by: sudo-workers-bounces at courtesan.com
08/20/2004 04:24 PM

        To:     sudo-workers at sudo.ws
        Subject:        Re: [sudo-workers] ldap and password

On Friday, 20 August 2004 17:16, Todd C. Miller wrote:

> > Ah, ok, but do you know any workaround? I have no expiration date in 
> > ldap, so I don't know why pam returns _EXPIRED. As I said in my last 
> > login works as expected - therefore I think my pam works with ldap.
> You can back out revision 1.43 of auth/pam.c and pam_acct_mgmt()
> will not be called.
> [patch]

Thx for the patch - now it works.


A: Because it makes the text harder to read.
Q: Why is TOFU so bad?
Q: What is the biggest annoyance on Usenet?
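Brian Farrell's reply above points at the "account" lines that pam_acct_mgmt follows for sudo. The sketch below is an added example, not code from the thread or from sudo: it flattens the per-group module stack for a service, following `include`/`substack` controls and `pam_stack.so service=` indirection. The helper names `parse_rules` and `stack_for` and the sample files are constructed for illustration; it assumes the /etc/pam.d layout (no service column) and ignores backslash line continuations.

```python
def parse_rules(text):
    """Parse /etc/pam.d/<service>-style text into (group, control, module, args)."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank, comment-only or malformed line
        group, end = fields[0].lstrip("-"), 1
        if fields[1].startswith("["):  # bracketed control, e.g. [success=ok default=bad]
            while end < len(fields) - 1 and not fields[end].endswith("]"):
                end += 1
        control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        if rest:
            rules.append((group, control, rest[0], rest[1:]))
    return rules

def stack_for(files, service, group, _seen=()):
    """Flatten the modules libpam would run for one group of a service."""
    if service in _seen or service not in files:
        return []  # include loop or missing file
    out = []
    for g, control, module, args in parse_rules(files[service]):
        if g != group:
            continue
        target = module if control in ("include", "substack") else None
        if module.endswith("pam_stack.so"):  # older Red Hat style indirection
            target = next((a[8:] for a in args if a.startswith("service=")), None)
        if target:
            out += stack_for(files, target, group, _seen + (service,))
        else:
            out.append((service, control, module))
    return out

# Constructed sample files (not taken from the thread), keyed by /etc/pam.d name.
SAMPLE = {
    "sudo": "#%PAM-1.0\n"
            "auth     required  pam_stack.so service=system-auth\n"
            "account  required  pam_stack.so service=system-auth\n",
    "system-auth":
            "auth     sufficient  /lib/security/pam_unix.so likeauth nullok\n"
            "auth     sufficient  /lib/security/pam_ldap.so use_first_pass\n"
            "auth     required    /lib/security/pam_deny.so\n"
            "account  required    /lib/security/pam_unix.so\n"
            "account  [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so\n",
}

if __name__ == "__main__":
    for group in ("auth", "account"):  # auth -> pam_authenticate, account -> pam_acct_mgmt
        for row in stack_for(SAMPLE, "sudo", group):
            print(group, *row)
```

On the sample, the "account" stack for sudo contains both pam_unix.so and pam_ldap.so, so a pam_acct_mgmt failure has to be traced per module in that list rather than attributed to LDAP by default.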