[Pkg-openldap-devel] Trying to build a summary on LDAP/Samba/PAM/... strangeness...
Steve Langasek
vorlon at debian.org
Tue May 15 10:07:17 UTC 2007
On Tue, May 15, 2007 at 11:43:18AM +0200, Marco Gaiarin wrote:
> Sorry for this mail, but i've experienced a bit with
> samba/smabldap-tools/ldap/pam... with sarge, and now, migrating to
> edgy, i'm triying to do some cleanup.
Did you mean to write 'etch' here instead of 'edgy'? Otherwise, you seem to
be contacting the wrong people for support.
> All start from this:
> http://wiki.debian.org/PAMLDAPSetup
> [WOW! libpam_ldap are not needed, cool!!!].
While it's not *needed*, there is a difference in how pam_unix and pam_ldap
will each access the user's record for authentication, and pam_ldap arguably
is more secure in how it does so.
> After fiddling a bit with all this stuff i've found the culprit: if in
> smbldap-tools i put hash_encrypt to something different from "CRYPT"
> (and i think CLEARTEXT, but clearly it is not the case ;) login are
> impossible.
Yes, pam_unix will only work for authentication if it can retrieve a
password hash for the user, via NSS, that's understood by the system's
crypt() routine. (That includes md5 hashes and a few others, but doesn't
include passwords with LDAP's prepended hash tags.)
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon at debian.org http://www.debian.org/
More information about the Pkg-openldap-devel
mailing list