Roland Gruber <[EMAIL PROTECTED]> writes:

> Hi Stephan,
>
> Brian May wrote:
>> If I use the "Invalid Password" option in the "Unix" section of a user,
>> I get a password of *. This is not invalid. pam_ldap accepts the
>> password fine and allows the user to log in. Perhaps that means the
>> fault is with pam_ldap, not sure.
>
> can you tell me why pam-ldap accepts a "*" as password? Should LDAP
> accounts not be formatted just like accounts in /etc/(passwd|shadow)?
A userPassword value is assumed to be hashed only if prefixed with a hashing mechanism name like "{CRYPT}"; otherwise it is assumed to be a plaintext, non-encrypted password (see RFC 2256 section 5.36).

> How do I disable an account, setting no userPassword attribute at all?

Either delete all userPassword values, or insert "*" after the "{CRYPT}" prefix, e.g. replacing "{CRYPT}GIB0bxS41gacQ" with "{CRYPT}*GIB0bxS41gacQ" (examples shown raw, not in Base64).

> When I set a user password which starts with "*" then "getent shadow"
> shows me an "x" in the password field.

libnss-ldap ignores all userPassword values not prefixed with "{CRYPT}", i.e. not hashed according to the /etc/shadow convention.

Thanks,
Matej

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
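The three rules in the reply above (no scheme prefix means plaintext, a "*" inserted after "{CRYPT}" locks the account the same way it does in /etc/shadow, and libnss-ldap shows "x" for anything not {CRYPT}-prefixed) can be modelled in a few functions. The following Python is an added example written for this thread, not code from pam_ldap, libnss-ldap or LAM; the function names, the `fake_crypt` stand-in for crypt(3) and the password "secret" are constructed for the demo, and only the sample hash "GIB0bxS41gacQ" comes from the thread.

```python
"""Model of how a userPassword value is interpreted and how a {CRYPT} value
is locked by prefixing "*" to the hash part (added example, not project code)."""
import hmac
import re
from typing import Callable, Optional, Tuple

# "{SCHEME}data" -> (SCHEME, data); anything else is a plaintext password.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

# crypt(3) never emits a hash starting with one of these, so a stored hash
# that does can never match any password (the /etc/shadow lock convention).
LOCK_MARKERS = ("*", "!")


def parse_userpassword(value: str) -> Tuple[Optional[str], str]:
    """Split a userPassword value into (scheme, data); scheme is None when
    the value carries no "{...}" prefix, i.e. it is a plaintext password."""
    m = _SCHEME_RE.match(value)
    if m is None:
        return None, value
    return m.group(1).upper(), m.group(2)


def is_locked(value: str) -> bool:
    """True only for a {CRYPT} value whose hash part starts with a lock marker.
    A bare "*" is NOT locked: it is the plaintext password "*"."""
    scheme, data = parse_userpassword(value)
    return scheme == "CRYPT" and data.startswith(LOCK_MARKERS)


def lock(value: str) -> str:
    """Disable the account: {CRYPT}hash -> {CRYPT}*hash (idempotent).
    Refuses non-{CRYPT} values, because prefixing "*" to a plaintext value
    just changes the password instead of locking the account."""
    scheme, data = parse_userpassword(value)
    if scheme != "CRYPT":
        raise ValueError("only {CRYPT} values can be locked with a '*' marker")
    if data.startswith(LOCK_MARKERS):
        return value
    return "{CRYPT}*" + data


def unlock(value: str) -> str:
    """Reverse lock(): {CRYPT}*hash -> {CRYPT}hash; other values unchanged."""
    scheme, data = parse_userpassword(value)
    if scheme == "CRYPT" and data.startswith(LOCK_MARKERS):
        return "{CRYPT}" + data[1:]
    return value


def shadow_field(value: str) -> str:
    """What `getent shadow` shows for the user via libnss-ldap: the crypt hash
    when the value is {CRYPT}-prefixed, otherwise the placeholder "x"."""
    scheme, data = parse_userpassword(value)
    return data if scheme == "CRYPT" else "x"


def verify(value: str, candidate: str, crypt_fn: Callable[[str, str], str]) -> bool:
    """Check a candidate password against the stored value the way a client
    reading userPassword would. crypt_fn(password, salt) must behave like
    crypt(3); it is injected so this runs without the deprecated crypt module."""
    scheme, data = parse_userpassword(value)
    if scheme is None:
        # No prefix: RFC 2256 says plaintext. A stored "*" therefore means the
        # password IS "*", which is why it does not disable the account.
        return hmac.compare_digest(data.encode(), candidate.encode())
    if scheme != "CRYPT":
        raise ValueError(f"unsupported scheme {scheme}")
    if data.startswith(LOCK_MARKERS):
        return False  # locked: crypt(3) can never produce this hash
    return hmac.compare_digest(crypt_fn(candidate, data).encode(), data.encode())


def fake_crypt(password: str, salt: str) -> str:
    """Constructed stand-in for crypt(3) (demo only): maps the constructed
    password "secret" with the thread's sample hash as salt to that hash."""
    if password == "secret" and salt.startswith("GIB0bxS41gacQ"):
        return "GIB0bxS41gacQ"
    return "no-match"


if __name__ == "__main__":
    stored = "{CRYPT}GIB0bxS41gacQ"  # sample value from the thread
    print("locked value:", lock(stored))                    # {CRYPT}*GIB0bxS41gacQ
    print("getent shadow shows:", shadow_field(lock(stored)))
    print("bare '*' shows:", shadow_field("*"))              # x
    print("login with '*' against bare '*':", verify("*", "*", fake_crypt))  # True
    print("login after lock:", verify(lock(stored), "secret", fake_crypt))   # False
```

The design point is in `verify`: the lock check happens before any hashing, mirroring how crypt(3) simply cannot return a string starting with "*", while the prefix-less branch shows why LAM's bare "*" is accepted: it is compared as the literal password.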