RE: Filter to AND with uid=%s

I looked at the pam.d/login modules for nss_ldap in Red Hat 6.2 and Red Hat
7.0.  They both used a combination of pam_unix and pam_pwdb for
authentication (in fact the files are the same).  Did you copy (or at
least compare) the files from /usr/share/doc/nss_ldap-113/pam.d to your
/etc/pam.d directory?

On Fri, 6 Oct 2000, Kelli Wolfe wrote:

> After much caffeine, I have some answers.  Red Hat 7.0
> changed the pam.d config files to use pam_unix rather
> than pam_pwdb, which I had been using.  The pam_unix
> module is making a system call to get a user's password.
> This system call is getting the LDAP passwords via 
> nss_ldap.  So, even though the pam_ldap check fails, the
> pam_unix succeeds because the encrypted password passes
> the pam_unix test.
> 
> So, to resolve this problem, I've gone back to using 
> pam_pwdb, as it appears to look at files directly rather
> than making system calls.

Not sure this is a good thing if you are using ldap for authentication.
 
> Interesting,
> Kelli
> 
> -----Original Message-----
> From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
> Behalf Of Kelli Wolfe
> Sent: Thursday, October 05, 2000 8:37 AM
> To: pam-list@redhat.com
> Subject: Filter to AND with uid=%s
> 
> 
> Hello,
> 
> I thought I had limiting of machine access working, until I
> started encrypting the passwords.  I am using the following
> in my /etc/ldap.conf file on the client machine that I want
> to limit access to:
> 
> # Filter to AND with uid=%s
> pam_filter &(objectclass=account) (host=amitri.iw.mcld.net)
> 
> If the user's password is clear text, I see this test in the
> /var/log/ldap.log as I'm trying to log in:
> 
> Oct  5 08:21:53 avalanche slapd[31216]: conn=809 op=1 SRCH
> base="DC=MCLD,DC=NET" scope=2
> filter="(&(&(objectclass=ACCOUNT)(host=AMITRI.IW.MCLD.NET))(uid=KELLI))"
> 
> If the password is encrypted, I never see this test in the
> log file and the user can log into the box even though
> they're not allowed.  It appears that if the password is
> encrypted, the filter isn't used.  That strikes me as odd.
> 
> Any thoughts would be great!
> Kelli
> 
> 
> 
> _______________________________________________
> 
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
> 

----------------
Running on Linux 2.4
Michael A. Dietz
mad099@dietznet.net
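The bypass Kelli describes (pam_unix verifying the hash that nss_ldap hands it, so the pam_filter line in /etc/ldap.conf is never consulted) comes down to two settings. What follows is an added illustration, not configuration from this thread or from the nss_ldap package: the PAM auth stack in its weak shape, an OpenLDAP slapd.conf ACL that stops clients from reading userPassword, and a PAM auth stack in which pam_ldap is the only module able to admit an LDAP user. The module file names, the use_first_pass option and the ACL spelling (OpenLDAP 2.x attrs= syntax) are assumptions; check them against the installed versions.

```conf
# --- Weak stack: the situation described in the thread (added example) ---
# /etc/pam.d/login, auth section only.
# With nss_ldap exporting userPassword through getspnam(), pam_unix checks
# the LDAP hash itself and returns success, so the stack stops before
# pam_ldap runs and the pam_filter host restriction never gets evaluated.
auth  sufficient  pam_unix.so
auth  sufficient  pam_ldap.so use_first_pass
auth  required    pam_deny.so

# --- Corrected, part 1: stop handing password hashes to clients ---
# slapd.conf on the LDAP server (assumed OpenLDAP 2.x ACL syntax).
# slapd can still verify a bind against userPassword ("auth" access), but
# no client can read the hash, so nss_ldap returns an unusable placeholder
# in the password field and pam_unix has nothing to match against.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# --- Corrected, part 2: let pam_ldap be the module that admits LDAP users ---
# pam_ldap binds to the directory as the user, so both the bind and the
# pam_filter must pass. pam_unix stays for accounts in /etc/shadow (root,
# for example); for an LDAP user it now fails, because it never sees a
# usable hash, and "required" turns that failure into a denied login.
auth  sufficient  pam_ldap.so
auth  required    pam_unix.so use_first_pass
```

A quick check that part 1 took effect: an anonymous `ldapsearch -x` against a user entry should no longer return a userPassword attribute, and the slapd log should once again show the `(&(&(objectclass=account)(host=...))(uid=...))` search on every login attempt, including for users whose password is hashed.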