[BBLISA] OpenDir, passwd, LDAP and Linux: Oh my!

Sean OMeara someara at gmail.com
Mon Dec 3 16:17:49 EST 2007


PAM doesn't work like that... an application's (PAM) LDAP auth looks like:
"if you can successfully do a simple bind to the ldap server with the
username/password pair, return yes."

The only time pam_ldap needs to worry about the actual attribute the
password is stored in is when doing a password change.
(and according to the source, it uses userPassword for every instance
except case PASSWORD_AD, where it uses unicodePwd)

The line of thinking is still sorta valid, but the details are different...
The same object attribute (userPassword) could contain different
values across different ldap servers....
It could be possible that a user changing his password makes an update
on the master, but the change hasn't found its way to a slave (which
the client is trying to authenticate against), but that would result
in erratic behavior instead of the consistent "both passwords work"
symptoms....

-s

On Dec 3, 2007 3:54 PM, Grant Young <grant at toaster-repair.com> wrote:
> Perhaps the OpenDir is storing both hashes.  One might be an MD5 hash,
> for example, and the other would be a CRYPT hash.  I don't think
> there's a technical reason LDAP can't store multiple entries and the
> default behavior of PAM might be to check all available.
>
>
> On Dec 3, 2007, at 3:06 PM, Edward Ned Harvey wrote:
>
> > Hi all.  I have an Apple Xserve with Open Dir running.  I presently have an ldap
> > client running on linux for authentication.  Here's the strange thing:
> >
> > When a user uses "passwd" in linux, changes his/her password, *both* the new
> > and old password still work!
> >
> > I tried looking in /etc/{passwd,shadow,group,gshadow} to see if there's some
> > new entry there.  Nope.
> >
> > I tried rebooting the client.  No change.
> >
> > I did not try rebooting the server (people using it.)
> >
> > I double-checked /etc/nsswitch.conf:
> >       passwd:     files ldap
> >       shadow:     files ldap
> >       group:      files ldap
> >
> > And here's one more clue:
> >       Suppose my initial password is pass1
> >       And then I change password to pass2.  Now "pass1" and "pass2" both work.
> >       And then I change password to pass3.  Now "pass1" and "pass3" both work, but not "pass2"
> >
> > Any suggestions?
> >
> > _______________________________________________
> > bblisa mailing list
> > bblisa at bblisa.org
> > http://www.bblisa.org/mailman/listinfo/bblisa
>
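Added example, not from the thread: it models the server side of the simple bind Sean describes, checking a candidate password against every value of the multi-valued userPassword attribute, which is how OpenLDAP's slapd behaves (Open Directory's own password server is not modelled) and which is exactly the "two hashes stored" situation Grant suggests. The LDIF entry is constructed for the demo; the last function is the diagnostic a practitioner would run over a real dump to spot entries carrying more than one password value.

```python
import base64
import hashlib
import hmac

# Constructed sample entry (not from the thread): userPassword is a
# multi-valued LDAP attribute, so one entry may legally carry several hashes.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,cn=users,dc=example,dc=com",
    "uid: alice",
    "userPassword: {SSHA}" + base64.b64encode(
        hashlib.sha1(b"pass1" + b"salt").digest() + b"salt").decode(),
    "userPassword: {MD5}" + base64.b64encode(
        hashlib.md5(b"pass2").digest()).decode(),
])

def parse_ldif(text):
    """Parse a single-entry LDIF into {attr: [values]}; '::' marks base64."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr, []).append(value.strip())
    return entry

def value_matches(stored, candidate):
    """Check one userPassword value the way a slapd-style server would."""
    pw = candidate.encode()
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest, then salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(stored[5:]))
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(hashlib.md5(pw).digest(), base64.b64decode(stored[5:]))
    if stored.startswith("{"):
        return False  # scheme not modelled here (e.g. {CRYPT}); treat as no match
    return hmac.compare_digest(stored.encode(), pw)  # cleartext value

def simple_bind_ok(entry, candidate):
    """Simple bind succeeds if ANY stored userPassword value matches."""
    return any(value_matches(v, candidate) for v in entry.get("userPassword", []))

def extra_password_values(entry):
    """Diagnostic: values beyond the first explain 'old password still works'."""
    return entry.get("userPassword", [])[1:]
```

With the sample entry both "pass1" and "pass2" bind successfully while "pass3" is rejected, reproducing the symptom from the original post.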