Package: libpam-ldapd
Version: 0.7.13
Severity: wishlist
It's a little confusing at the moment why local users are prompted for an LDAP
password if you have specified ignore_unknown_user within your passwd
PAM configuration:
password sufficient pam_ldap.so debug ignore_unknown_user use_authtok
password required pam_unix.so sha512 obscure min=8 use_authtok
You are still prompted for an ldap password:
localuser@hostname:/tmp$ passwd
(current) LDAP Password:
The problem seems to be in the pam_sm_chauthtok() function. I have
created a pseudo-code patch because I'm unsure how to best solve this
problem.
--- pam/pam.c 2010-09-24 00:07:17.000000000 -0700
+++ pam/pam.usercheck.c 2011-03-08 17:50:18.000000000 -0800
@@ -536,6 +536,9 @@
/* we already have an old password stored (from a previous
authentication phase) so we'll use that */
oldpassword=ctx->oldpassword;
+ else if (!nslcd_user_exists(username) && cfg->ignore_unknown_user) {
+ return PAM_IGNORE;
+ }
else
{
rc=pam_get_authtok(pamh,PAM_OLDAUTHTOK,(const char
**)&oldpassword,"(current) LDAP Password: ");
-- System Information:
Debian Release: 6.0
APT prefers stable
APT policy: (900, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpam-ldapd depends on:
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libpam-runtime 1.1.1-6.1 Runtime support for the PAM librar
ii libpam0g 1.1.1-6.1 Pluggable Authentication Modules l
ii nslcd 0.7.13 Daemon for NSS and PAM lookups usi
libpam-ldapd recommends no packages.
libpam-ldapd suggests no packages.
-- debconf information:
libpam-ldapd/enable_shadow: true
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]