tag 380078 +moreinfo
thanks
> Since version 246, a change has been made to libnss_ldap, whose
> functions getspnam() and getspnam_r() now return "*" instead
> of "x" previously, in the sp_pwdp member of a spwd struct.
Yes, and no... it did change behaviour of passwd entries if the
account does not have the objectclass shadowAccount - it didn't
(or wasn't supposed to) change shadow entries.
For example, my account has shadowAccount:
#getent passwd cowboy
cowboy:x:2000:2000:Nelson; Richard A (Rick) ....
#getent shadow cowboy
cowboy:*:14053:0:90:30:30::0
And the proxy-auth account doesn't:
#getent passwd proxy
proxy:*:13:13:Remote ldap authentication:/dev/null:/usr/sbin/nologin
#getent shadow proxy
proxy:*:13322:0:99999:7:::
Or is that what you meant by your follow-on msg:
> Of course, this only happens in the case /etc/shadow cannot be read,
> and thus the password cannot be retrieved, which is the case for most
> users.
libnss-ldap doesn't actually do anything with /etc/shadow.
The background for this change in behaviour can be found here:
http://bugzilla.padl.com/show_bug.cgi?id=240
My setup doesn't even return userPassword to root ldap queries - so I
use pam_ldap for its bind-auth ... which is why my shadow entry above
has *
Can you provide more information on what you're trying to do, and the
problems you have?
--
Rick Nelson
"We all know Linux is great...it does infinite loops in 5 seconds."
(Linus Torvalds about the superiority of Linux on the Amsterdam
Linux Symposium)
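Added example (not part of the original message and not libnss-ldap code): a small C classifier for the password field of getent passwd/shadow lines, showing why code that compares that field against a literal "x" sees different results for the entries quoted above. The names classify_line and pw_kind are hypothetical; the last two sample lines are constructed, and the interpretation follows the usual passwd(5)/shadow(5) conventions.

```c
/* Added example: classify field 2 of getent passwd/shadow output. */
#include <stdio.h>
#include <string.h>

enum pw_kind { PW_MALFORMED, PW_EMPTY, PW_IN_SHADOW, PW_NO_HASH, PW_LOCKED_HASH, PW_HASH };

/* from_shadow is nonzero for shadow-map lines, where "x" is not a pointer
 * to another map but simply a string that no crypt(3) result can equal. */
enum pw_kind classify_line(const char *line, int from_shadow)
{
    const char *start = strchr(line, ':');
    const char *end = start ? strchr(start + 1, ':') : NULL;
    char f[256];
    size_t n, bangs;

    if (!end) return PW_MALFORMED;            /* fewer than two colons */
    n = (size_t)(end - (start + 1));
    if (n >= sizeof f) return PW_MALFORMED;
    memcpy(f, start + 1, n);
    f[n] = '\0';

    if (n == 0) return PW_EMPTY;              /* account needs no password */
    if (strcmp(f, "x") == 0) return from_shadow ? PW_NO_HASH : PW_IN_SHADOW;
    if (f[0] == '*') return PW_NO_HASH;       /* e.g. auth done by an LDAP bind */
    bangs = strspn(f, "!");
    if (bangs > 0) return f[bangs] ? PW_LOCKED_HASH : PW_NO_HASH;
    return PW_HASH;                           /* treated as a candidate hash */
}

int main(void)
{
    static const char *names[] = { "malformed", "empty", "in-shadow",
                                   "no-hash", "locked-hash", "hash" };
    /* Lines 1-4 are the getent output from the message; 5-6 are constructed. */
    static const struct { const char *line; int from_shadow; } s[] = {
        { "cowboy:x:2000:2000:Nelson; Richard A (Rick) ....", 0 },
        { "cowboy:*:14053:0:90:30:30::0", 1 },
        { "proxy:*:13:13:Remote ldap authentication:/dev/null:/usr/sbin/nologin", 0 },
        { "proxy:*:13322:0:99999:7:::", 1 },
        { "legacy:x:13322:0:99999:7:::", 1 },
        { "alice:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14053:0:90:30:30::0", 1 },
    };
    size_t i;

    for (i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-12s %s\n", names[classify_line(s[i].line, s[i].from_shadow)], s[i].line);
    return 0;
}
```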