From: ahaukin@hushmail.com
Date: Tue Sep 30 2003 - 14:24:10 EDT
Hi all
I have been following the instructions in man pam_ldap in an effort to
solve the problem of any user being able to see shadow file entries by
using the command:-
ldaplist -l passwd
An extract from my pam.conf now looks like this:-
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1
and from nsswitch (old method commented out):-
#passwd: compat
#passwd_compat: ldap
passwd: ldap files
There are two problems with this:-
1. Anyone can log in if they have an account on the LDAP server. We like
to use netgroups to control who logs into which machine.
2. ldaplist -l passwd still reveals crypted passwords. I have what I
feel are the right ACLs on my userpassword entries, but clearly they aren't
working.
Could someone post a working ACL to me? I would summarise, of course.
Also, if anyone knows of a way of getting netgroups and LDAP to work alongside
pam_ldap, I'd be grateful for a cluestick.
Thanks
Ahau K'in
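As an added illustration (not part of the post or any reply), here is an OpenLDAP slapd.conf access rule that hides userPassword from everyone except the entry's owner and the bind operation. It assumes the directory server is OpenLDAP and the constructed suffix dc=example,dc=com, neither of which the post states. It depends on the switch to pam_ldap shown in the pam.conf extract: pam_ldap binds as the user, so the client's proxy account no longer needs to read userPassword, and pam_unix_auth will simply fail for LDAP users and fall through to pam_ldap.

```conf
# Added example, not from the post. Assumes OpenLDAP 2.x slapd.conf and the
# constructed suffix dc=example,dc=com.
# OpenLDAP applies the first "access to" clause whose target matches, so the
# userPassword rule must come before the catch-all rule.
access to attrs=userPassword
        by self write          # a user may change their own password
        by anonymous auth      # simple binds may verify it, but never read it
        by * none              # everyone else, including the proxy DN, sees nothing

# Remaining attributes stay readable so passwd/group lookups via the proxy
# (and ldaplist) keep working.
access to *
        by * read
```

After restarting slapd, rerun ldaplist -l passwd as an ordinary user and confirm that no userpassword attribute is returned; if it still appears, check that the client's proxy DN is not matched by an earlier, broader rule.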
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:27:12 EDT