On Wed, 2011-06-08 at 16:35 -0700, Steve Langasek wrote:
> That's only an issue if LDAP provides a password entry with 'x' for the
> password field (which denotes a shadow account), *and* does not provide
> shadow information.  That's a misconfigured nss_ldap, nothing more.

Thanks for pointing that out. It seems that current nss-pam-ldapd
provides 'x' as a password when the shadowAccount objectclass is
present. It should also probably check if shadow is configured
in /etc/nsswitch.conf is present.

> To me, that sounds like feature creep in pam_ldap.  I don't see any reason
> for pam_ldap to check account expiry when pam_unix was doing that already.

It could be handy with certain PAM configurations. Sadly, there are a
lot of ways to achieve basically the same thing with PAM.

> Incorrect.  pam_unix as an 'account' module will return PAM_NEW_AUTHTOK_REQD
> when a password change is required.

Then I think there is either a bug in the documentation or in pam_unix.
The shadow(5) manual page says (on account expiration date):

  Note that an account expiration differs from a password expiration. In
  case of an acount expiration, the user shall not be allowed to login.
  In case of a password expiration, the user is not allowed to login
  using her password.

I've just tested it with libpam-modules 1.1.3-1 and it seems that
pam_unix tries to lock out the user on password expiration (not account
expiration). This means that a user is not able to log in (for example
using SSH key-based authentication) with an expired password.

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to