Gentoo Forums
pam and ldap: root is required to change his passwd
slangdaddy
n00b
Joined: 17 Jul 2007
Posts: 73
Location: Braunschweig

Posted: Wed Sep 12, 2012 8:47 am    Post subject: pam and ldap: root is required to change his passwd

Hello,

I want to be able to log in with my ldap credentials on my workstation and edited my nss and pam configuration according to http://www.gentoo.org/doc/en/ldap-howto.xml .

I can log in with ldap users via ssh and the terminal. When I try to log in with my root account (which should be local), I am prompted to immediately change my ldap password. I am afraid that the ldap authentication is used for my root account. That is not the desired behaviour.

SUDO'ing to root works without the prompt. Now the real problem is the creation of users or groups, i.e. emerging mysql fails while adding the group 'mysql'.

I believe this happens because at some point, pam tries to use ldap data for my root account, but I cannot determine the cause.

Here is my /etc/pam.d/system-auth

Code:
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_ldap.so
account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   sufficient   pam_ldap.so use_authtok use_first_pass
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so

Any help is appreciated.
slangdaddy
n00b
Joined: 17 Jul 2007
Posts: 73
Location: Braunschweig

Posted: Wed Sep 12, 2012 10:21 am    Post subject:

Never mind, I think the problem is solved by changing the account rules to

Code:
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
account requisite                       pam_deny.so
account required                        pam_permit.so
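To see why the second set of account rules stops root from being asked to change an LDAP password, here is an added example (not code from the thread or from Gentoo) that simulates Linux-PAM's stack-evaluation rules from pam.conf(5) over both account sections. In the original stack, `sufficient` expands to `[success=done new_authtok_reqd=done default=ignore]`, so pam_ldap's new_authtok_reqd answer for root ends the stack before pam_unix is consulted; in the fixed stack pam_unix runs first and a local success jumps straight to pam_permit. The per-user module results are constructed assumptions (pam_ldap is assumed to answer new_authtok_reqd for root, which is what the forced password-change prompt indicates), and the module names come from the two posted configurations.

```python
import re

# PAM return values used by the simulation (named after Linux-PAM's PAM_* codes).
SUCCESS = "success"
NEW_AUTHTOK_REQD = "new_authtok_reqd"
USER_UNKNOWN = "user_unknown"
ACCT_EXPIRED = "acct_expired"
PERM_DENIED = "perm_denied"

# How pam.conf(5) defines the keyword control flags as [value=action] tables.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_stack(text, phase):
    """Return [(control_table, module)] for the lines of one management group."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"cannot parse pam.d line: {raw!r}")
        group, control, module = match.groups()
        if group != phase:
            continue
        if control.startswith("["):
            table = dict(item.split("=", 1) for item in control[1:-1].split())
        else:
            table = KEYWORDS[control]
        stack.append((table, module))
    return stack


def run_stack(stack, module_result):
    """Walk a module stack the way the Linux-PAM dispatcher does.

    module_result(module) supplies each module's return value. 'impression'
    remembers whether a positive or negative result has been recorded and
    'status' is the value handed back to the application.
    """
    impression, status, skip = None, PERM_DENIED, 0
    for table, module in stack:
        if skip:                        # a previous "jump N" action skips this module
            skip -= 1
            continue
        retval = module_result(module)
        action = table.get(retval) or table.get("default", "bad")
        undecided = impression is None or (impression == "positive" and status == SUCCESS)
        if action in ("ok", "done"):
            if undecided:               # "ok" never overrides an earlier failure
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                   # sufficient-style early exit
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break                   # requisite-style early exit
        elif action.isdigit():
            if undecided:
                if impression is None and retval == SUCCESS:
                    impression, status = "positive", retval
                skip = int(action)      # jump over the next N modules
        elif action != "ignore":
            raise ValueError(f"unsupported action {action!r}")
    return status                       # a stack that recorded nothing stays denied


def results_for(user_results):
    """Module results for one user; pam_deny always fails, pam_permit always succeeds."""
    fixed = {"pam_deny.so": ACCT_EXPIRED, "pam_permit.so": SUCCESS}
    return lambda module: {**fixed, **user_results}[module]


def evaluate(config_text, user_results):
    return run_stack(parse_stack(config_text, "account"), results_for(user_results))


# The two account sections from the thread.
ORIGINAL_ACCOUNT = """
account    sufficient   pam_ldap.so
account    required     pam_unix.so
"""
FIXED_ACCOUNT = """
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
account requisite                       pam_deny.so
account required                        pam_permit.so
"""

# Constructed per-user module answers (assumptions, not observed output).
SCENARIOS = {
    "root, local account":         {"pam_unix.so": SUCCESS,      "pam_ldap.so": NEW_AUTHTOK_REQD},
    "ldap user, password valid":   {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": SUCCESS},
    "ldap user, password expired": {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": NEW_AUTHTOK_REQD},
    "unknown user":                {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": USER_UNKNOWN},
}

if __name__ == "__main__":
    for name, user in SCENARIOS.items():
        print(f"{name:28} original={evaluate(ORIGINAL_ACCOUNT, user):17} fixed={evaluate(FIXED_ACCOUNT, user)}")
```

Running it shows root getting new_authtok_reqd under the original rules and success under the fixed ones. It also shows a side effect of the fix worth knowing about: an LDAP user whose password has expired is refused by pam_deny instead of being prompted to change it, because new_authtok_reqd from pam_ldap falls under `default=ignore`. Adding `new_authtok_reqd=done` to the pam_ldap line restores the prompt for LDAP users while keeping root on the local path.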