http://qa.mandrakesoft.com/show_bug.cgi?id=4082


[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|[EMAIL PROTECTED]    |[EMAIL PROTECTED]
          Component|Installation                |chkauth
            Product|Installation                |chkauth
            Version|1.810                       |0.1-7mdk




------- Additional Comments From [EMAIL PROTECTED]  2003-06-07 23:17 -------
I tracked it down a bit further (with a reminder from Pixel about chkauth ..).

Anyway, the first problem (objectclass=account) is solved for new installs by
the current nss_ldap package.

Solving the second problem requires patching chkauth. As I understand, the order
of the auth lines needs to be changed to prevent the su segfault, and the order
of the password lines needs to be changed to allow local accounts not in LDAP to
change their passwords.

BTW, it seems pam_ldap does not support use_auth_tok, so
try_first_pass/use_first_pass must be used.

So, changing this bug to be against chkauth.

BTW, I can think of a number of features to add, (some from existing
functionality present in DrakX) to make chkauth a better backend, possibly with
some more features, but the effort could well be duplicated if it were to be
rewritten with libconf ...

One idea would be to add a switch for adding a pam_mkhomedir line, and pam_mount
might be another idea ...

Patch coming.



------- Reminder: -------
assigned_to: [EMAIL PROTECTED]
status: NEW
creation_date: 
description: 
In the LDAP authentication setup in DrakX on 9.1, there are two small errors in
the LDAP configuration:

1) pam_filter objectclass=account is used in /etc/ldap.conf, whereas
objectclass=posixAccount should be used (objectclass account is deprecated, and
not added by some tools even when openldap-2.0.x will allow it).

See:
http://www.mandrakesecure.net/en/docs/ldap-auth2.php#configclient
for an example config

2) pam_ldap is listed before pam_unix in the auth section of /etc/pam.d/system-auth.
This causes su to segfault for users in LDAP (among other things). pam_unix
should be listed first, then pam_ldap.

See
http://www.mandrakesecure.net/en/docs/ldap-auth2.php#pam
for an example config
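As an added example (not part of the bug report, of DrakX or of chkauth): a constructed pair of system-auth style stacks, one with the ordering defect the description reports and one with pam_unix first and pam_ldap given use_first_pass as the comment above notes, plus a small POSIX sh check that flags the defective ordering. Module names, options and the check itself are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example (not from the bug report): two stacks in the style of
# /etc/pam.d/system-auth. BROKEN_STACK has the defect described in the bug
# (pam_ldap listed before pam_unix); FIXED_STACK lists pam_unix first and
# gives pam_ldap use_first_pass. Module names and options are simplified.
BROKEN_STACK='auth        required      pam_env.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so likeauth nullok use_first_pass
auth        required      pam_deny.so
password    required      pam_cracklib.so retry=3
password    sufficient    pam_ldap.so
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so'

FIXED_STACK='auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_ldap.so use_first_pass
password    required      pam_deny.so'

# check_order STACK GROUP -> 0 when, within management group GROUP (auth or
# password), the first pam_unix line precedes the first pam_ldap line and
# every pam_ldap line reuses the already-collected password via
# use_first_pass or try_first_pass; 1 on a defect; 2 if a module is missing.
check_order() {
    stack=$1; group=$2
    unix_line=$(printf '%s\n' "$stack" | grep -n "^$group[[:space:]].*pam_unix" | head -n 1 | cut -d: -f1)
    ldap_line=$(printf '%s\n' "$stack" | grep -n "^$group[[:space:]].*pam_ldap" | head -n 1 | cut -d: -f1)
    [ -n "$unix_line" ] && [ -n "$ldap_line" ] || return 2
    [ "$unix_line" -lt "$ldap_line" ] || return 1
    # any pam_ldap line in this group without a *_first_pass option is a defect
    if printf '%s\n' "$stack" | grep "^$group[[:space:]].*pam_ldap" | grep -qvE '(use|try)_first_pass'; then
        return 1
    fi
    return 0
}

for group in auth password; do
    if check_order "$FIXED_STACK" "$group"; then echo "fixed stack, $group: OK"; fi
    if ! check_order "$BROKEN_STACK" "$group"; then echo "broken stack, $group: reorder"; fi
done
```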
