[Bug 329067] Re: Cannot change password on ldap client unless libpam-cracklib also installed
Robert McQueen
robot101 at debian.org
Wed Nov 18 15:41:27 GMT 2009
I'd like to confirm this bug too with libpam-ldap 184-4.2ubuntu2 on
Jaunty. I had the following configuration generated by pam-auth-update:
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore
default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
I believe that pam_unix doesn't recognise the account as it's stored in
ldap - it has no shadow entry, so doesn't prompt for an authtok (ie new
password), then pam_ldap fails because it's trying to use the authtok
which has not been set:
Enter login(LDAP) password:
passwd: Authentication information cannot be recovered
passwd: password unchanged
Removing the use_authtok therefore also fixes it for me, and also
explains why pam_cracklib hides the problem - its higher in the stack
and sets the authtok after checking it for strength. Ultimately I guess
"try_authtok" would be the right semantic to work in both situations.
--
Cannot change password on ldap client unless libpam-cracklib also installed
https://bugs.launchpad.net/bugs/329067
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libpam-ldap in ubuntu.
More information about the Ubuntu-server-bugs
mailing list