
Re: openldap, pam_ldap, accounts



On Sat, 4 Dec 1999, Ben Collins wrote:

> On Sun, Dec 05, 1999 at 09:12:13AM +1100, David J N Begley wrote:
> > On Sat, 4 Dec 1999, Ben Collins wrote:
> > > The nss_ldap module will keep a "shadow-like" system by using a separate
> > > file for binddn and bind password with correct perms (root.shadow 640).
> > 
> > Is this the suggested patch submitted recently for PADL's
> > nss_ldap/pam_ldap, or some Linux-specific hack?
> 
> Well since file perms aren't Linux specific, this is just general usage in
> nss_ldap (from looking over the latest version).

C'mon, you knew I was asking about the behaviour of checking a separate
file.  Looks like this is "the suggested patch", only recently added (November
20, nss_ldap v88).

> Basically, nss_ldap won't be able to get the password field unless it has
> enough perms to read the "secret" file that contains the bind dn and bind
> password.

As of nss_ldap v98 it looks like the bind DN still comes from the original
"/etc/ldap.conf" file and the new "/etc/ldap.secret" just contains the
password (no keywords, no comments, nothing else).

> So a sgid shadow (or suid root) application will give it this ability.

Either way, as you noted earlier one still needs pam_ldap in order to be able
to change passwords (using native PAM-ified tools, anyway).

Cheers..


dave
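The thread above turns on one detail: the bind password lives in a separate file that must be readable only by root and the shadow group (mode 640), and that file holds nothing but the password. The following audit script is an added example, not code from the thread or from the nss_ldap project; it checks a bind-password file against exactly those expectations (owner, group, mode, symlink, and single-line content). The path "/etc/ldap.secret" and the root.shadow 640 expectation come from the message; the "keyword or comment line" heuristic and the sample file contents are assumptions constructed for the demonstration.

```python
import grp
import os
import pwd
import stat
import tempfile


def _name_of_uid(uid):
    # Fall back to the numeric id when the uid has no passwd entry
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _name_of_gid(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_secret_file(path, expected_owner="root", expected_group="shadow"):
    """Audit a bind-password file such as /etc/ldap.secret.

    Returns a list of findings; an empty list means the file matches the
    expectations stated in the thread: owned root.shadow, mode 640, and
    containing only the password on a single line.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: does not exist" % path]

    if stat.S_ISLNK(st.st_mode):
        # A symlink means the real permissions are those of the target
        findings.append("%s: is a symlink; audit the target instead" % path)
        st = os.stat(path)

    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        findings.append("%s: world-accessible (mode %o), expected 640" % (path, mode))
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append("%s: group may write or execute (mode %o), expected 640" % (path, mode))
    if mode & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
        findings.append("%s: unexpected setuid/setgid/sticky bits (mode %o)" % (path, mode))

    owner = _name_of_uid(st.st_uid)
    if owner != expected_owner:
        findings.append("%s: owned by %s, expected %s" % (path, owner, expected_owner))
    group = _name_of_gid(st.st_gid)
    if group != expected_group:
        findings.append("%s: group is %s, expected %s" % (path, group, expected_group))

    # Content check: exactly one non-empty line holding the bare password.
    # Flagging '#' and whitespace is a heuristic (assumption) for lines that
    # look like ldap.conf keywords or comments rather than a password.
    with open(path, "rb") as fh:
        lines = [ln for ln in fh.read().splitlines() if ln.strip()]
    if len(lines) != 1:
        findings.append("%s: expected exactly one line (the password), found %d" % (path, len(lines)))
    elif lines[0].lstrip().startswith(b"#") or len(lines[0].split()) != 1:
        findings.append("%s: looks like a keyword or comment line, not a bare password" % path)
    return findings


def _write_sample(path, data, mode):
    # Create with O_EXCL and force the mode so the umask cannot widen it
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)
        os.write(fd, data)
    finally:
        os.close(fd)


def run_demo():
    """Audit two constructed sample files: one correct, one misconfigured."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ldap.secret.good")
        bad = os.path.join(d, "ldap.secret.bad")
        _write_sample(good, b"constructed-sample-password\n", 0o640)
        _write_sample(bad, b"# bind password\nbindpw constructed-sample\n", 0o644)
        # An unprivileged demo cannot chown to root.shadow, so expect the
        # owner and group the files were actually created with
        st = os.stat(good)
        owner, group = _name_of_uid(st.st_uid), _name_of_gid(st.st_gid)
        return {
            "good": check_secret_file(good, owner, group),
            "bad": check_secret_file(bad, owner, group),
        }


if __name__ == "__main__":
    for label, found in run_demo().items():
        print(label, found or "OK")
    # On a real host, run the default expectations against the real file:
    # print(check_secret_file("/etc/ldap.secret"))
```

The demo is run as an ordinary user, so it substitutes the creating user and group for root.shadow; on a real host call `check_secret_file("/etc/ldap.secret")` with the defaults. The sample misconfigured file trips both the mode check (world-readable) and the content check (two lines instead of a bare password), which is the failure mode the thread warns about: a secret readable by more than root and the shadow group.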