After much caffeine, I have some answers.

Red Hat 7.0 changed the pam.d config files to use pam_unix rather than pam_pwdb, which I had been using. The pam_unix module is making a system call to get a user's password. This system call is getting the LDAP passwords via nss_ldap. So, even though the pam_ldap check fails, the pam_unix succeeds because the encrypted password passes the pam_unix test.

So, to resolve this problem, I've gone back to using pam_pwdb, as it appears to look at files directly rather than making system calls.

Interesting,
Kelli

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On Behalf Of Kelli Wolfe
Sent: Thursday, October 05, 2000 8:37 AM
To: pam-list@redhat.com
Subject: Filter to AND with uid=%s

Hello,

I thought I had limiting of machine access working, until I started encrypting the passwords. I am using the following in my /etc/ldap.conf file on the client machine that I want to limit access to:

    # Filter to AND with uid=%s
    pam_filter &(objectclass=account) (host=amitri.iw.mcld.net)

If the user's password is clear text, I see this test in the /var/log/ldap.log as I'm trying to log in:

    Oct 5 08:21:53 avalanche slapd[31216]: conn=809 op=1 SRCH base="DC=MCLD,DC=NET" scope=2 filter="(&(&(objectclass=ACCOUNT)(host=AMITRI.IW.MCLD.NET))(uid=KELLI))"

If the password is encrypted, I never see this test in the log file and the user can log into the box even though they're not allowed. It appears that if the password is encrypted, the filter isn't used. That strikes me as odd.

Any thoughts would be great!

Kelli
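
Added example, not part of the thread: a Python check for the condition the follow-up message describes, where pam_unix can accept an LDAP account through nss_ldap without pam_ldap's pam_filter deciding the login. The pam.d and nsswitch.conf contents are constructed samples (the thread does not show them), the function names are hypothetical, and only plain control keywords such as `sufficient` and `required` are parsed.

```python
import re

# Constructed samples (not from the thread): pam_unix is "sufficient" ahead of
# pam_ldap, and nsswitch.conf resolves passwd/shadow through LDAP.
SAMPLE_PAM = """\
auth  required    pam_env.so
auth  sufficient  pam_unix.so likeauth nullok
auth  sufficient  pam_ldap.so use_first_pass
auth  required    pam_deny.so
"""
SAMPLE_NSS = "passwd: files ldap\nshadow: files ldap\ngroup: files\n"

def nss_ldap_databases(nss_text):
    """Return the password databases that nsswitch.conf resolves via LDAP."""
    found = []
    for line in nss_text.splitlines():
        m = re.match(r"\s*(passwd|shadow)\s*:(.*)", line.split("#", 1)[0])
        if m and "ldap" in m.group(2).split():
            found.append(m.group(1))
    return found

def auth_modules(pam_text):
    """Return (control, module) pairs of the auth stack, in file order."""
    stack = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def filter_bypass_findings(pam_text, nss_text):
    """Flag stacks where pam_unix alone can admit a user that NSS gets from LDAP."""
    dbs = nss_ldap_databases(nss_text)
    if not dbs:
        return []  # pam_unix only sees local files, so it cannot admit LDAP users
    findings, ldap_enforced = [], False
    for control, module in auth_modules(pam_text):
        if module == "pam_ldap.so" and control in ("required", "requisite"):
            ldap_enforced = True  # a pam_filter mismatch now fails the whole stack
        elif module == "pam_unix.so" and control == "sufficient" and not ldap_enforced:
            findings.append("pam_unix.so is 'sufficient' with no required pam_ldap.so "
                            "before it; NSS serves %s from LDAP, so pam_filter "
                            "does not gate login" % ", ".join(dbs))
    return findings

if __name__ == "__main__":
    for finding in filter_bypass_findings(SAMPLE_PAM, SAMPLE_NSS):
        print(finding)
```
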