Date:      Mon, 29 Aug 2005 15:22:19 +0200
From:      Konstantin Saurbier <saurbier@math.uni-bielefeld.de>
To:        Adam Pordzik <adampordzik@gmx.de>
Cc:        ports@freebsd.org
Subject:   Re: security/pam_ldap - update to version 1.8.0
Message-ID:  <20050829132217.GC7585@math.uni-bielefeld.de>
In-Reply-To: <4311E680.3000903@gmx.de>
References:  <20050826121256.GB19571@math.uni-bielefeld.de> <4310E78B.8000209@gmx.de> <20050828141155.GA30926@math.uni-bielefeld.de> <4311E680.3000903@gmx.de>

Adam Pordzik wrote on Sun Aug 28, 2005 at 06:29:52PM:
> Konstantin Saurbier wrote:
>
> >>Since pam_unix.so grants access to everybody in account stage, pam_ldap
> >>should be made "required" here, if you want PAM more than just _saying_
> >>"Access denied for this host". Hence a line
>
> Perhaps pam_unix should be revised?

Maybe, but I'm not able to do that.


> >Good point. I fixed the patch, it's attached and can also be found at
> >http://www.math.uni-bielefeld.de/~saurbier/patches/pam_ldap.patch
>
> Annot.: I only tested it against accounts with the host attribute set.
> Has anyone tested whether it works with some of the shadow
> attributes like shadowExpire, e.g.?

Not me, I have no shadow in use.


> with
>
> password        sufficient      pam_ldap.so             use_first_pass
>
> and a similar patch against /usr/src/usr.bin/passwd/passwd.c one can also
> allow users to change their password with passwd(1)
>
> %diff -u passwd.c.orig passwd.c
> --- /usr/src/usr.bin/passwd/passwd.c.orig  Mon May 24 19:41:40 2004
> +++ /usr/src/usr.bin/passwd/passwd.c       Tue Aug 31 18:03:00 2004
> @@ -121,8 +121,7 @@
>                break;
>        default:
>                /* XXX: Green men ought to be supported via PAM. */
> -               errx(1,
> -         "Sorry, `passwd' can only change passwords for local or NIS=20
> users.");
> +               fprintf(stderr, "Now you can change LDAP passwords via=20
> PAM\n");
>        }
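Review bot: the `default:` branch no longer exits, so execution continues past the switch for every password source that is not local or NIS, not only LDAP, and the new `fprintf(stderr, "Now you can change LDAP passwords via PAM\n")` message is printed in all of those cases; consider restricting the change to the LDAP case or dropping the message and letting the PAM conversation report the outcome, and update the `/* XXX: Green men ought to be supported via PAM. */` comment, which this change leaves stale. Note also that both string literals are wrapped by the mail client (`users.");` and `PAM\n");` end up on their own lines), so the hunk as quoted here will not apply with patch(1); a PR should carry the patch as an attachment.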
>
> Of course, to also allow root/administrators to change users' passwords it
> needs an appropriate "rootbinddn ..." in ldap.conf.
>
> But I have to check that again, because chsh for LDAP accounts here creates
> a local account instead of modifying the directory.

Good idea, maybe you should send a PR. At least for passwd it would be
very helpful.

In the meantime I have sent a PR for pam_ldap:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/85435

Regards,

Konstantin

------------------------------------------------------
Konstantin Saurbier
Computerlabor Mathematik                        U5-138
Universitaet Bielefeld            Universitaetsstr. 25
33501 Bielefeld
email:                  saurbier@math.uni-bielefeld.de
------------------------------------------------------
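The point quoted above, that pam_ldap.so only denies access if it is stacked as "required" in the account stage because a failing "sufficient" module is ignored once pam_unix.so has succeeded, can be checked mechanically. The following shell function is an added example, not part of this thread or of the pam_ldap port; it reads a FreeBSD-style pam.d service file on stdin, and the function name and sample stacks are constructed for the example.

```shell
#!/bin/sh
# Audit the "account" stage of a pam.d service file read on stdin.
# Prints "missing" if pam_ldap.so is not in the account stage at all,
# "weak" if it is there with a control flag whose failure cannot deny
# access (e.g. "sufficient"/"optional"), and "ok" if it is "required",
# "requisite" or OpenPAM's "binding", all of which fail the chain.
# Example code; function name and sample data are constructed.
pam_ldap_account_status() {
    status="missing"
    # Fields: type control module [args...]; the "|| [ -n ... ]" keeps a
    # final line without a trailing newline.
    while read -r type control module rest || [ -n "$type" ]; do
        case "$type" in
            \#*|"") continue ;;          # comment or blank line
            account) ;;
            *) continue ;;               # auth/password/session stages
        esac
        case "$module" in
            pam_ldap.so|*/pam_ldap.so) ;;
            *) continue ;;               # pam_unix.so, include lines, ...
        esac
        case "$control" in
            required|requisite|binding) status="ok" ;;
            *) status="weak" ;;
        esac
    done
    printf '%s\n' "$status"
}

# Constructed samples: the stack that only _says_ "Access denied", and the
# corrected one from the thread.
printf 'weak stack:  '
printf 'account required   pam_unix.so\naccount sufficient pam_ldap.so\n' |
    pam_ldap_account_status
printf 'fixed stack: '
printf 'account required   pam_unix.so\naccount required   pam_ldap.so\n' |
    pam_ldap_account_status
```

On a real system, run it as `pam_ldap_account_status < /etc/pam.d/sshd` for each service that should honour the host attribute.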
