Latest LQ Deal: Latest LQ Deals
Go Back > Forums > Linux Forums > Linux - General
User Name
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.


  Search this Thread
Old 07-27-2004, 04:54 PM   #1
LQ Newbie
Registered: Dec 2003
Posts: 2

Rep: Reputation: 0
OpenLDAP, nss_ldap, pam_ldap and shadow account info

I am about to put a new LDAP server into production and found that the shadow account information is not being used from the LDAP server. I need to limit the life of a users passwords and provide warning when the password is close to expiration. I have added objectClass: shadowAccount and updated shadowMax, shadowMin, shadowInactive, and shadowWarning for all users in the LDAP database. I am using nss_ldap with /etc/nsswitch.conf as follows:

passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns ldap
services: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
automount: files ldap
aliases: files
sendmailvars: files
netgroup: files nis

I have set up /etc/pam.d/system-auth with pam_ldap:

auth required /lib/security/
auth sufficient /lib/security/ likeauth nullok
auth sufficient /lib/security/ use_first_pass
auth required /lib/security/

account sufficient /lib/security/
account sufficient /lib/security/

password required /lib/security/ retry=3
password sufficient /lib/security/ nullok use_authtok md5 shadow
password sufficient /lib/security/ use_authtok
password required /lib/security/

session required /lib/security/
session required /lib/security/
session optional /lib/security/

If I run the command 'getent shadow', only the local users show up with shadow data though the LDAP users are shown:


Does nss_ldap and/or pam_ldap support shadow account info to limit password life? Is there something else I need to do to get shadow info to work properly?

Old 08-14-2004, 02:21 PM   #2
LQ Newbie
Registered: Aug 2004
Posts: 1

Rep: Reputation: 0
Did you get very far with this? We found (OpenLDAP 2.0.23, libpam-ldap 0.72) that it only worked when you selected the CRYPT scheme on the LDAP server - you need to regenerate all the passwords too.
Old 08-16-2004, 08:13 AM   #3
LQ Newbie
Registered: Dec 2003
Posts: 2

Original Poster
Rep: Reputation: 0
Actually, SSHA was not a problem... though I did end up using CRYPT because our SGI IRIX boxes wouldn't except SSHA.

The problem ended up being that rootbinddn and ACLs needed to be set up for its access to the shadow fields. Basically it is root that needs access to the information so it can set up the shadow info on the system.



Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Moving user account info to a new server - advice please. Seventh Linux - Newbie 2 03-09-2005 09:38 AM
how to install pam_ldap? mel82 Slackware - Installation 1 02-18-2005 01:21 PM
/etc/shadow- (notice the dash after the word shadow) shellcode Linux - Security 1 09-03-2004 04:54 AM
need help for pam_ldap!!! ahshin Linux - Networking 0 10-08-2003 07:40 PM
PAM_LDAP and eDirectory Trucker Linux - Networking 2 02-25-2003 02:25 AM > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 11:46 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration