ldaplist -l passwd again

From: ahaukin@hushmail.com
Date: Tue Sep 30 2003 - 14:24:10 EDT


Hi all

I have been following the instructions in man pam_ldap in an effort to
solve the problem of any user being able to see shadow file entries by
using the command:-

ldaplist -l passwd

An extract from my pam.conf now looks like this:-

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1

and from nsswitch (old method commented out):-

#passwd: compat
#passwd_compat: ldap
passwd: ldap files

There are two problems with this:-
1. Anyone can log in if they have an account on the LDAP server. We like
to use netgroups to control who logs into which machine.
2. ldaplist -l passwd still reveals crypted passwords. I have what I
feel are the right ACLs on my userpassword entries, but clearly they aren't
working.

Could someone post a working ACL to me? I would summarise, of course.
Also, if anyone knows of a way of getting netgroups and LDAP to work alongside
pam_ldap, I'd also be grateful for a cluestick.

Thanks

Ahau K'in

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:27:12 EDT