[Pkg-openldap-devel] Trying to build a summary on LDAP/Samba/PAM/... strangeness...

Steve Langasek vorlon at debian.org
Tue May 15 10:07:17 UTC 2007


On Tue, May 15, 2007 at 11:43:18AM +0200, Marco Gaiarin wrote:

> Sorry for this mail, but I've experienced a bit with
> samba/smbldap-tools/ldap/pam... with sarge, and now, migrating to
> edgy, I'm trying to do some cleanup.

Did you mean to write 'etch' here instead of 'edgy'?  Otherwise, you seem to
be contacting the wrong people for support.

> It all starts from this:

> 	http://wiki.debian.org/PAMLDAPSetup

> [WOW! libpam_ldap is not needed, cool!!!].

While it's not *needed*, there is a difference in how pam_unix and pam_ldap
will each access the user's record for authentication, and pam_ldap arguably
is more secure in how it does so.

> After fiddling a bit with all this stuff I've found the culprit: if in
> smbldap-tools I put hash_encrypt to something different from "CRYPT"
> (and I think CLEARTEXT, but clearly it is not the case ;) logins are
> impossible.

Yes, pam_unix will only work for authentication if it can retrieve a
password hash for the user, via NSS, that's understood by the system's
crypt() routine.  (That includes md5 hashes and a few others, but doesn't
include passwords with LDAP's prepended hash tags.)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
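
Added example, not part of the original message or of any Debian package: a small audit over userPassword values that flags accounts pam_unix could not verify under the rule described above. It assumes that only the string following a {CRYPT} tag reaches pam_unix through NSS; the CRYPT_IDS set and all sample values are constructed for illustration.

```python
import re

# Modular-crypt ids the local crypt() is assumed to accept. The real set is
# platform-dependent; adjust it for the system being audited.
CRYPT_IDS = {"1", "5", "6"}

TAG_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.S)           # {SCHEME}value
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")               # traditional DES crypt
MCF_RE = re.compile(r"^\$([0-9a-z]+)\$[^$]+\$[./0-9A-Za-z]+$")  # $id$salt$hash


def crypt_readable(value):
    """True if value looks like a hash string crypt() can verify."""
    if DES_RE.match(value):
        return True
    m = MCF_RE.match(value)
    return bool(m) and m.group(1) in CRYPT_IDS


def classify(user_password):
    """Return (scheme, usable_by_pam_unix) for one userPassword value."""
    m = TAG_RE.match(user_password)
    if not m:
        # Assumption: an untagged value is not handed over as a crypt hash.
        return ("(untagged)", False)
    scheme, rest = m.group(1).upper(), m.group(2)   # tag compared case-insensitively
    if scheme != "CRYPT":
        return (scheme, False)       # LDAP-tagged hash, opaque to crypt()
    return (scheme, crypt_readable(rest))


def audit(entries):
    """Return sorted uids whose userPassword pam_unix could not verify."""
    return sorted(uid for uid, pw in entries.items() if not classify(pw)[1])


# Constructed sample values, not taken from any real directory.
SAMPLE = {
    "alice": "{CRYPT}$1$Q7kz.x2a$h4Vb0pR1nE9sYcW3uLdG2/",
    "bob": "{SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "carol": "{MD5}AAAAAAAAAAAAAAAAAAAAAA==",   # LDAP {MD5}, not md5-crypt ($1$)
    "dave": "{crypt}ab01FAX.bQRSU",
    "erin": "{CRYPT}$9$foo$bar",                # id outside CRYPT_IDS
    "frank": "secret",
}

if __name__ == "__main__":
    for uid, pw in SAMPLE.items():
        scheme, ok = classify(pw)
        print(f"{uid:6} {scheme:10} {'ok' if ok else 'pam_unix cannot verify'}")
```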


