[KLUG Members] pam_ldap and shadowLastChange

Adam Williams members@kalamazoolinux.org
Thu, 21 Feb 2002 11:21:22 -0500 (EST)


Last night Mr. Bartley asked about changing passwords with passwd via 
pam_ldap in regard to shadowLastChange. I added 
objectclass shadowAccount to my user object and changed my password via 
passwd, and pam_ldap automatically added shadowLastChange. I manually 
reduced the value of shadowLastChange and modified my password again, and 
pam_ldap modified the value of the attribute. Since it worked I 
cut-n-pasted the relevant (I think) bits of my config.

I did find in my stack of notes something about "early" versions of 
pam_ldap modifying userPassword correctly but rebinding anonymously in 
order to update shadowLastChange, which obviously won't work in any sane 
setup. This is supposed to be fixed in recent PADL releases.

# rpm -q pam_ldap
pam_ldap-123-1
# rpm -q nss_ldap
nss_ldap-168-1

Relevant ACL:
-------------
access to userPassword,shadowLastChange
  by self write
  by domain=LITTLEBOY.morrison.iserv.net write
  by group/groupOfUniqueNames/uniquemember="cn=CIS Dept LDAP Data,ou=ACLGroups,o=Morrison Industries,c=US" write
  by dn="cn=nss,ou=System Accounts,o=Morrison Industries,c=US" write
  by * compare

/etc/ldap.conf:
---------------
host 192.168.1.9
base o=Morrison Industries,c=US
rootbinddn cn=nss,ou=System Accounts,o=Morrison Industries,c=US
pam_password crypt

/etc/ldap.secret contains the bind password for the rootbinddn

/etc/pam.d/passwd
-----------------
#%PAM-1.0
auth       required	/lib/security/pam_stack.so service=system-auth
account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth

/etc/pam.d/system-auth
----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so
account     required      /lib/security/pam_deny.so
password    sufficient    /lib/security/pam_ldap.so 
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
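An added check, not part of the original post, for confirming what the first paragraph describes: after a passwd run the user's shadowLastChange should equal today's day count, and a stale or missing value points at the objectclass, the ACL, or the old anonymous-rebind problem. It assumes the entry is fetched with ldapsearch (the bind DN and base below are placeholders taken from the config above) and runs here on a constructed entry.

```shell
# Added example, not part of the original post: confirm that a password
# change through pam_ldap really bumped shadowLastChange for a user.
# Feed it the user's entry as LDIF; the assumed fetch is something like
#   ldapsearch -x -D "$binddn" -W -b "o=Morrison Industries,c=US" \
#       "(uid=$user)" shadowLastChange shadowMax
# Here a constructed entry is used instead so it runs offline.

# shadowLastChange counts days since the Unix epoch, so compute "today"
# in the same unit.
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# First value of one attribute from LDIF on stdin; LDAP attribute names
# are case-insensitive, so compare in lower case.
ldif_attr() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'tolower($1) == (want ":") { print $2; exit }'
}

# Exit status: 0 = changed today, 1 = older than today but still valid,
# 2 = attribute missing (no shadowAccount objectclass, or pam_ldap never
# got to write it), 3 = older than shadowMax days (expired).
check_shadow_lastchange() {
    ldif=$(cat)
    last=$(printf '%s\n' "$ldif" | ldif_attr shadowLastChange)
    max=$(printf '%s\n' "$ldif" | ldif_attr shadowMax)
    today=$(days_since_epoch)
    if [ -z "$last" ]; then
        echo "shadowLastChange missing: check objectclass shadowAccount and the ACL"
        return 2
    fi
    age=$(( today - last ))
    if [ "$age" -le 0 ]; then
        echo "shadowLastChange=$last: password changed today"
        return 0
    fi
    if [ -n "$max" ] && [ "$age" -gt "$max" ]; then
        echo "shadowLastChange=$last: $age days old, past shadowMax=$max"
        return 3
    fi
    echo "shadowLastChange=$last: $age days old, not touched by the last passwd run"
    return 1
}

# Constructed entry for a stand-alone run; pipe real ldapsearch output instead.
printf 'dn: uid=example,o=Morrison Industries,c=US\nshadowLastChange: %s\nshadowMax: 90\n' \
    "$(days_since_epoch)" | check_shadow_lastchange
```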

-- 
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------

"Certainly, we should hold individuals accountable for 
 what they did wrong, and we probably will punish some, 
 although many others will wiggle away, hiding behind the 
 skirts of high-priced lawyers and political connections. 
 But we shouldn't lose sight of the fact that they did 
 what they did because the current system allowed it. In 
 fact, the system encouraged it." 

 --"Ethics Matters" columnist Carlton Vogt, writing about 
 Enron.