Active Directory, sssd and pam_cracklib?




I'm in the process of testing out sssd on a CentOS 6 install using 
Active Directory for user authentication via sssd

All appears to be working fine - however, when I change a user password 
using 'passwd' (or at login when the account has expired etc), it 
appears pam_cracklib is being over-zealous with the new password 
requirements

Active Directory is set up with a password policy - but pam_cracklib 
(and maybe other PAM modules?) has stronger password policies

So, I would like passwd to use the AD password requirements - and ignore 
any pam_cracklib requirements

The password settings in the system-auth and password-auth PAM config 
files are (as generated by authconfig):

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

If I comment out the pam_cracklib line (and remove 'use_authtok' from 
the other lines) - it appears to do what I want - but doesn't seem 
'correct' to me - i.e. what would happen if there were any local users 
defined on the system?

Does anyone have any suggestions on how PAM should be configured to 
allow password changes to 'honour' the Active Directory password policy 
requirements - but still impose requirements on non-AD users?

Thanks

James Pearson
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos



