ldaplist -l passwd again

ahaukin_at_hushmail.com
Date: 09/30/03

    Date: Tue, 30 Sep 2003 11:24:10 -0700
    To: sunmanagers@sunmanagers.org
    
    

    Hi all

    I have been following the instructions in man pam_ldap in an effort to
    solve the problem of any user being able to see shadow file entries by
    using the command:-

    ldaplist -l passwd

    An extract from my pam.conf now looks like this:-

    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth required pam_ldap.so.1 try_first_pass
    login auth required pam_dial_auth.so.1

    and from nsswitch (old method commented out):-

    #passwd: compat
    #passwd_compat: ldap
    passwd: ldap files

    There are two problems with this:-
    1. Anyone can log in if they have an account on the LDAP server. We like
    to use netgroups to control who logs into which machine.
    2. ldaplist -l passwd still reveals crypted passwords. I have what I
    feel are the right ACLs on my userpassword entries, but clearly they aren't
    working.

    Could someone post a working ACL to me? I would summarise, of course.
    Also, if anyone knows of a way of getting netgroups and LDAP to work alongside
    pam_ldap, I'd also be grateful for a cluestick.

    Thanks

    Ahau K'in

    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers
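An added check, not part of the original post: after changing the directory ACLs, save the output of an unprivileged `ldaplist -l passwd` run to a file and feed it to the script below, which parses the LDIF-style entries and reports every DN whose userPassword value is still readable. The sample output embedded here is constructed, and the LDIF-like layout (`dn:` line, `attr: value` lines, blank line between entries, `::` for base64 values) is assumed.

```python
"""Audit LDIF-style lookup output for exposed password hashes.
Added example; SAMPLE_OUTPUT below is constructed, not real data."""
import base64
import re

# Constructed sample: what an unprivileged lookup prints when the ACL
# still lets everyone read userPassword (alice) versus when it does not (bob).
SAMPLE_OUTPUT = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
uidNumber: 1001
userPassword: {crypt}PLACEHOLDERHASH01
shadowLastChange: 12345

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
uidNumber: 1002
"""

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")  # e.g. {crypt}, {SSHA}

def parse_entries(text):
    """Split blank-line separated entries into {attr: [values]} dicts.
    Attribute names are lower-cased, since LDAP compares them case-insensitively;
    '::' values are base64-decoded as in LDIF."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries

def exposed_passwords(text):
    """Map each DN whose userPassword is readable to the hash scheme seen
    (e.g. 'crypt'). An empty result means the ACL hides the hashes."""
    leaks = {}
    for entry in parse_entries(text):
        for value in entry.get("userpassword", []):
            m = SCHEME_RE.match(value)
            leaks[entry["dn"][0]] = m.group(1).lower() if m else "unknown"
    return leaks

if __name__ == "__main__":
    for dn, scheme in exposed_passwords(SAMPLE_OUTPUT).items():
        print(f"EXPOSED ({scheme}): {dn}")
```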


