Hello list,

I have two things about PAM. Both are IMO solvable, but I'm all at sea with them:

- Suppression of messages about false authentication. When using multiple authentication sources (a typical scenario is several accounts in passwd/shadow files and the majority of them in an LDAP DB, with the first try against shadow), then at practically every authentication attempt I will get two entries in the system logs - the first about unsuccessful auth against passwd/shadow, the second about successful auth against the LDAP DB:

    Oct 8 15:15:26 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=10.0.0.5 user=bob
    Oct 8 15:15:26 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=10.0.0.5 user=bob

  Is it somehow possible to suppress particular messages and log only the final result for all PAM auth modules? For the most part I don't care which authentication module in the stack reports success; what is important is whether the user was authenticated or not.

- Second, is it somehow possible with PAM to migrate user passwords from one representation to another (when the two forms are not translatable in any other way)? Concretely, I have passwords stored in an LDAP DB in the usual MD5 hash form, and want to convert the LDAP DB to passwd/shadow files where passwords are in salted SHA1 hash form. I think (and I shall be happy if it isn't true) that it isn't possible in any way to convert MD5 passwords to SHA1 ones. But PAM modules obviously have the password in cleartext at hand, so it should be possible in some way, when the pam_ldap module successfully authenticates a user, for another module to take this password and store it in the Unix auth files.

  This migration should IMO perhaps be easily solved (but I haven't tried it) by arranging password management somehow as:

    password optional pam_unix.so
    password sufficient pam_ldap.so

  (assuming that I prepare the other items in the Unix auth files from the LDAP DB). But in that manner the password is updated only when the user changes it - which isn't good, as some users never change it. Is there some way to update the Unix password not at password change time, but at authentication time?

Thanks in advance,
Franta Hanzlik
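Added example, not part of the original message: one way to get a single final result per attempt on the log-consumer side is to collapse the per-module lines after the fact. The function name `collapse`, the grouping key (same second, host, service, user and rhost) and the last two sample lines are assumptions constructed for this sketch.

```python
import re

# Constructed sample: the first two lines are the ones quoted in the message,
# the last two are a constructed attempt that fails in every module.
SAMPLE = """\
Oct 8 15:15:26 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=10.0.0.5 user=bob
Oct 8 15:15:26 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=10.0.0.5 user=bob
Oct 8 15:16:02 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=eve rhost=10.0.0.9 user=eve
Oct 8 15:16:02 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=eve rhost=10.0.0.9 user=eve
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s\S+:\s"
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):auth\):\s"
    r"authentication\s(?P<result>success|failure);\s(?P<fields>.*)$"
)

def collapse(lines):
    """Merge per-module PAM auth lines into one record per attempt.

    Heuristic (assumption): lines sharing timestamp, host, service, user and
    rhost belong to one pass through the stack. Two distinct attempts by the
    same user from the same address within one second would be merged.
    """
    attempts = {}  # dicts keep insertion order, so output follows the log
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a PAM auth result line
        fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        key = (m["ts"], m["host"], m["service"],
               fields.get("user", ""), fields.get("rhost", ""))
        rec = attempts.setdefault(key, {
            "time": m["ts"], "service": m["service"],
            "user": key[3], "rhost": key[4],
            "result": "failure", "by": None, "modules": [],
        })
        rec["modules"].append(m["module"])
        if m["result"] == "success":
            # Any module succeeding means the attempt as a whole succeeded.
            rec["result"], rec["by"] = "success", m["module"]
    return list(attempts.values())

if __name__ == "__main__":
    for rec in collapse(SAMPLE.splitlines()):
        print(rec["time"], rec["service"], rec["user"], rec["rhost"],
              rec["result"], "via", rec["by"] or ",".join(rec["modules"]))
```

Only attempts where every module reported failure remain as failures, which is the signal worth alerting on.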