[lug] pam_ldap and passwd

dan radom dan at radom.org
Fri Apr 25 09:27:37 MDT 2003

I'm in the process of converting 6K users from NIS to LDAP, and I'm
struggling with pam_ldap and passwd.

auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

With the above pam configuration passwd prompts me for my current LDAP
password, which it then tells me is invalid.  If I remove the system-auth
"password    required      /lib/security/pam_deny.so" line it fails on my
current LDAP password 3 times, and then allows me to supply a new
password which does get updated to LDAP.

Has anyone seen anything like this before?  Any suggestions?
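To reason about which module actually decides the outcome of the stacks posted above, here is an added example (not part of the post) that parses the system-auth lines and walks them with Linux-PAM's control-flag semantics: the keyword flags are expanded to their `[value=action]` form, and `ok`, `done`, `bad`, `die`, `ignore` and `reset` are applied as the Linux-PAM dispatcher does. The config text is the post's system-auth file with the wrapped `account`/`pam_ldap.so` entry re-joined onto one line; the per-module return values are constructed scenarios (an LDAP-only account that `pam_unix` does not know, and a local account that `pam_ldap` does not know), not results of real runs. The evaluator models control-flag resolution only, not the password prompting or the preliminary-check pass of the password stack.

```python
"""Walk a Linux-PAM stack with its control flags over given module results.
Added example, not from the original post.  SYSTEM_AUTH is the post's config
(account/pam_ldap.so entry re-joined); the result maps below are constructed."""
import re

# Linux-PAM's expansion of the keyword control flags into [value=action] form.
KEYWORD_FLAGS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

SYSTEM_AUTH = """
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
"""

def parse_pam_config(text):
    """Return a list of (type, {value: action}, module file name, [args])."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        mtype, control, module, args = m.groups()
        if control.startswith("["):          # explicit [value=action ...] syntax
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORD_FLAGS[control]
        entries.append((mtype, actions, module.rsplit("/", 1)[-1], args.split()))
    return entries

def run_stack(entries, mtype, results):
    """Evaluate the modules of one type.  `results` maps module file name ->
    the PAM return value it would produce.  Returns (final result, modules
    consulted).  A module missing from `results` is taken to return user_unknown."""
    status = None      # frozen result of the stack so far (None = no impression)
    failed = False     # a bad/die failure sticks; later successes cannot undo it
    consulted = []
    for t, actions, module, _args in entries:
        if t != mtype:
            continue
        rv = results.get(module, "user_unknown")
        consulted.append(module)
        action = actions.get(rv, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if not failed:
                status, failed = rv, True
            if action == "die":
                break
            continue
        if action == "reset":
            status, failed = None, False
            continue
        # 'ok' and 'done' only contribute while nothing has failed
        if not failed:
            status = rv
        if action == "done":
            break
    if status is None:
        status = "perm_denied"   # Linux-PAM's result for a stack that was ignored throughout
    return status, consulted

def ldap_user_scenarios():
    """Three constructed runs over the post's system-auth stacks."""
    entries = parse_pam_config(SYSTEM_AUTH)
    # Constructed: account exists only in LDAP, so pam_unix finds no shadow entry.
    ldap_ok = {"pam_cracklib.so": "success", "pam_unix.so": "user_unknown",
               "pam_ldap.so": "success", "pam_deny.so": "auth_err"}
    ldap_fail = dict(ldap_ok, **{"pam_ldap.so": "authtok_err"})
    # Constructed: local account (e.g. root) that the directory does not know.
    local_acct = {"pam_unix.so": "success", "pam_ldap.so": "user_unknown"}
    return {
        "password/ldap-ok":   run_stack(entries, "password", ldap_ok),
        "password/ldap-fail": run_stack(entries, "password", ldap_fail),
        "account/local-user": run_stack(entries, "account", local_acct),
    }

if __name__ == "__main__":
    for name, (result, path) in ldap_user_scenarios().items():
        print(f"{name:22} -> {result:12} via {' > '.join(path)}")
```

The traces show the two behaviours the flags encode: when `pam_ldap.so` succeeds in the `password` stack, `sufficient` terminates the stack with success and `pam_deny.so` is never consulted; when it fails, its result is ignored and the trailing `required pam_deny.so` supplies the failure. In the `account` stack the bracket entry turns `user_unknown` from `pam_ldap.so` into `ignore`, so a purely local account still passes.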