On Fri, May 04, 2007 at 06:19:34PM -0400, Roberto C. Sánchez wrote:
> On Fri, May 04, 2007 at 02:49:40PM -0700, Steve Langasek wrote:
> > It means that pam_unix is able to access your shadow hash on behalf of the
> > user, when using root privileges (which is expected and required in the case
> > where you want to support password changes via pam_ldap); and that if
> > pam_unix is listed first in common-auth before pam_ldap, that this is what
> > is going to be done for all logins.

> auth sufficient pam_ldap.so
> auth sufficient pam_unix.so nullok_secure try_first_pass

> So in my case, the shadow hash is not being accessed, correct?

Correct.

> I have "pam_password exop" in both /etc/pam_ldap.conf and
> /etc/libnss-ldap.conf. So, AIUI, the hash is not leaving the server for
> the password change. Correct?

Sounds right, but I don't put passwords in LDAP so I'm not sure.

-- 
Steve Langasek
Debian Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
[EMAIL PROTECTED] http://www.debian.org/
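The module ordering discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how the `sufficient` control decides which modules in the `auth` stack get called. The function names and the `UNIX_FIRST` comparison stack are constructed for illustration.

```python
# Added illustration: a simplified walk of a PAM "auth" stack.
# Handles only the keyword controls required/requisite/sufficient/optional;
# bracketed [value=action] controls and @include lines are not modelled.

# The two lines quoted in the thread.
ROBERTO_ORDER = """\
auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok_secure try_first_pass
"""

# Constructed for comparison: pam_unix listed before pam_ldap.
UNIX_FIRST = """\
auth sufficient pam_unix.so nullok_secure try_first_pass
auth sufficient pam_ldap.so
"""

def parse_auth_stack(text):
    """Return [(control, module)] for every 'auth' line, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def modules_invoked(text, succeeds):
    """List the modules PAM would call, given the set of modules that succeed."""
    invoked = []
    required_failed = False
    for control, module in parse_auth_stack(text):
        invoked.append(module)
        ok = module in succeeds
        if control == "sufficient" and ok and not required_failed:
            break                      # success ends the stack here
        if control == "requisite" and not ok:
            break                      # failure ends the stack here
        if control == "required" and not ok:
            required_failed = True     # remembered, but the stack continues
    return invoked

if __name__ == "__main__":
    for name, cfg in (("ldap first", ROBERTO_ORDER), ("unix first", UNIX_FIRST)):
        for succeeds in ({"pam_ldap.so"}, set()):
            print(name, sorted(succeeds), "->", modules_invoked(cfg, succeeds))
```

With pam_ldap first, pam_unix is reached only when the LDAP bind fails; with pam_unix first, it runs on every login attempt.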