
Re: pam_ldap and login


This is really a pam or pam_ldap issue, however, and this page might point you in a better direction.


See below...

Mike Brodbelt wrote:

> Using OpenLDAP 2.0.23, I've got an LDAP directory set up, and I've
> installed pam_ldap and nss_ldap on the machine. I've fiddled with the
> PAM config files so that su/login/ftp/ssh/cron/passwd all work as
> expected, on information stored in LDAP, but I've got one outstanding
>
> The local /etc/passwd contains the root user account - this is the way I
> want it, so at least root can log in and do stuff if LDAP isn't working.
> However, I can't get it working so that root and LDAP users can change
> passwords. However I change the /etc/pam.d/passwd file, I can get either
> LDAP password changing working, or local, but not both. I want it to
> attempt to change the password in LDAP first, and then fall back to
> local password changing if the user doesn't exist in LDAP, but it won't
>
> password sufficient pam_ldap.so
> password required   pam_unix.so nullok obscure min=4 max=8 md5

You are missing "use_authtok".

About the above, I would probably have pam_unix before pam_ldap. What order you have the two (pam_ldap and pam_unix) should be the same for account/auth/password.

It might also be good to specify which Linux distribution and what version you are using next time...

> For a user in LDAP, but not in /etc/passwd:-
>
> [fred@nunki fred]$ passwd
> Enter login(LDAP) password:
> New password:
> Re-enter new password:
> LDAP password information changed for fred
> passwd: password updated successfully
>
> For root:-
>
> [root@nunki pam.d]# passwd
> passwd: Authentication information cannot be recovered
>
> Any help would be much appreciated.
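As an added example (not a configuration from this thread or from the pam_ldap project), here is one way to get the "local for root, LDAP for everyone else" behaviour with pam_unix stacked before pam_ldap as suggested above. Instead of the sufficient/required keywords, it assumes Linux-PAM's bracketed control syntax and reuses the pam_unix options from the quoted /etc/pam.d/passwd.

```conf
# /etc/pam.d/passwd  (added example, assumes Linux-PAM bracketed control values)
#
# pam_unix runs first. If it changes a local password (root), success=2
# jumps over pam_ldap and pam_deny straight to pam_permit. If it cannot
# (fred has no local shadow entry), the failure is ignored and the stack
# continues to pam_ldap.
password  [success=2 default=ignore]                   pam_unix.so nullok obscure min=4 max=8 md5

# pam_ldap reuses the new password pam_unix already collected (use_authtok)
# and prompts itself if nothing was stacked (try_first_pass). A user that
# LDAP does not know is ignored so the stack falls through to pam_deny; any
# other LDAP failure ends the stack with an error (default=die).
password  [success=1 user_unknown=ignore default=die]  pam_ldap.so use_authtok try_first_pass

# Reached only when neither module changed a password.
password  requisite  pam_deny.so

# Reached by the success=N jumps above; returns the final success.
password  required   pam_permit.so
```

The module order chosen here (pam_unix, then pam_ldap) should be mirrored in the auth and account stacks, as the reply above recommends.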