[KLUG Members] pam_ldap and shadowLastChange
Adam Williams
members@kalamazoolinux.org
Thu, 21 Feb 2002 11:21:22 -0500 (EST)
Last night Mr. Bartley asked about changing passwords with passwd via
pam_ldap in regards to shadowLastChange. I added
objectclass shadowAccount to my user object and changed my password via
passwd, and pam_ldap automatically added shadowlastchange. I manually
reduced the value of shadowlastchange and modified my password again, and
pam_ldap modified the value of the attribute. Since it worked I
cut-n-pasted the relevant (I think) bits of my config.
I did find in my stack of notes something about "early" versions on
pam_ldap modifying userPassword correctly but rebinding anonymously in
order to update shadowLastChange, which obviously won't work in any sane
setup. This is supposed to be fixed in recent PADL releases.
# rpm -q pam_ldap
pam_ldap-123-1
# rpm -q nss_ldap
nss_ldap-168-1
Relevant ACL:
-------------
access to userPassword,shadowLastChange
by self write
by domain=LITTLEBOY.morrison.iserv.net write
by group/groupOfUniqueNames/uniquemember="cn=CIS Dept LDAP Data,ou=ACLGroups,o=Morrison Industries,c=US" write
by dn="cn=nss,ou=System Accounts,o=Morrison Industries,c=US" write
by * compare
/etc/ldap.conf:
---------------
host 192.168.1.9
base o=Morrison Industries,c=US
rootbinddn cn=nss,ou=System Accounts,o=Morrison Industries,c=US
pam_password crypt
/etc/ldap.secret contains the bind password for the rootbinddn password
/etc/pam.d/passwd
-----------------
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
/etc/pam.d/system-auth
----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_deny.so
password sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_unix.so nullok use_authtok md5
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
--
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------
"Certainly, we should hold individuals accountable for
what they did wrong, and we probably will punish some,
although many others will wiggle away, hiding behind the
skirts of high-priced lawyers and political connections.
But we shouldn't lose sight of the fact that they did
what they did because the current system allowed it. In
fact, the system encouraged it."
--"Ethics Matters" columnist Carlton Vogt, writing about
Enron.
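The post above turns on one detail: after passwd runs, pam_ldap must be able to write shadowLastChange (hence the "by self write" ACL), and the attribute holds the day of the last change counted in days since 1970-01-01, as the other shadowAccount fields do. The script below is an added example, not code from the post or from PADL's pam_ldap/nss_ldap; it parses a constructed LDIF entry (the dn, uid and all values are made up), reports whether shadowLastChange was left stale after a password change (the symptom of the anonymous-rebind behaviour the post mentions), and evaluates expiry from shadowMax, shadowWarning and shadowInactive as shadow(5) defines them.

```python
"""Check shadowAccount password-ageing state for one LDAP entry.

Added example: not from the original post, not PADL code.  Field
semantics follow shadow(5): every date is a count of days since
1970-01-01, shadowMax is the maximum password age, shadowWarning the
number of days before expiry to warn, shadowInactive the grace period
after expiry before the account is considered locked.
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample entry in the shape the post describes (a posixAccount
# user with objectclass shadowAccount added).  All values are made up.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,o=Example,c=US
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
shadowLastChange: 11720
shadowMax: 90
shadowWarning: 7
shadowInactive: 14
"""


def days_since_epoch(d: date) -> int:
    """Convert a calendar date to the shadow(5) day count."""
    return (d - EPOCH).days


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: one entry, no base64 values, no folded lines.
    Every attribute maps to a list, since LDAP attributes are multi-valued."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def shadow_last_change_stale(entry: dict, changed_on: date) -> bool:
    """True if the password was changed on `changed_on` but shadowLastChange
    still points to an earlier day, i.e. the attribute write did not land."""
    last = int(entry["shadowLastChange"][0])
    return last < days_since_epoch(changed_on)


def shadow_state(entry: dict, today: date) -> dict:
    """Evaluate password ageing for the entry as of `today`."""

    def field(name):
        return int(entry[name][0]) if name in entry else None

    last = field("shadowLastChange")
    if last is None:
        # No shadowLastChange: nothing to age against.
        return {"ageing": False}
    if last == 0:
        # shadow(5) convention: 0 means "must change at next login".
        return {"ageing": True, "must_change": True}

    age = days_since_epoch(today) - last
    max_days = field("shadowMax")
    warn = field("shadowWarning") or 0
    inactive = field("shadowInactive")
    expired = max_days is not None and age > max_days
    days_left = None if max_days is None else max_days - age
    return {
        "ageing": True,
        "must_change": expired,
        "age_days": age,
        "days_left": days_left,
        "expired": expired,
        "in_warning": not expired and warn > 0 and days_left is not None and days_left <= warn,
        "locked": expired and inactive is not None and age > max_days + inactive,
    }


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    today = date(2002, 2, 21)
    print("stale after change today:", shadow_last_change_stale(entry, today))
    print(shadow_state(entry, today))
```

Run against a real directory, the same functions would take the entry returned by an LDAP search instead of the embedded LDIF; a stale shadowLastChange right after a successful passwd run is the quickest way to tell whether the ACL and the rebind are actually letting pam_ldap write the attribute.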