Void's Forums

by **X11** » Thu Jun 14, 2007 10:10 am

I need to get inside pam to find out why dovecot (which authenticates with pam) is causing problems for an account. Basically the account is being told it has expired, and I have no idea how to change this. I think pam uses ldap from what the old admin has passed on to me, however his english is difficult to read.

I have worked out the console based ldap administration tools well, and I simply don't see any data that could be used to set an expiry. It might be more complicated.

by **Void Main** » Thu Jun 14, 2007 11:16 am

What's in your /etc/pam.d/dovecot file?

by **X11** » Thu Jun 14, 2007 12:19 pm

Code: Select all: [root@pusa3 ~]# cat /etc/pam.d/dovecot #%PAM-1.0 auth required pam_nologin.so auth required pam_stack.so service=system-auth account required pam_stack.so service=system-auth session required pam_stack.so service=system-auth

by **Void Main** » Thu Jun 14, 2007 2:01 pm

And what does your /etc/pam.d/system-auth file contain? It looks to me like it's just doing normal authentication against the system. Did you try resetting the user's password on the Linux server?

by **X11** » Fri Jun 15, 2007 1:12 am

Code: Select all: [root@pusa3 ~]# cat /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so broken_shadow account sufficient /lib/security/$ISA/pam_localuser.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so account required /lib/security/$ISA/pam_permit.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password sufficient /lib/security/$ISA/pam_ldap.so use_authtok password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session optional /lib/security/$ISA/pam_ldap.so

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

I'm going to man authconfig.

by **Void Main** » Fri Jun 15, 2007 3:17 am

Looks like you have it set up to allow login to your system or applications (including dovecot) using your local UNIX system account/password OR your ldap passwd. You should be able to use either. So I would be curious if you set the user's local UNIX password (# passwd username) if they can log in. Then it's a question of setting changing their ldap password. It's very late and I have to crash but I'll dig deeper into the ldap pam module tomorrow. I've not personally used ldap for authentication directly so I would have to dig a little on the ldap module.

by **Void Main** » Fri Jun 15, 2007 8:22 am

Found a couple of docs:
http://ldots.org/ldap/
http://imaginator.com/~simon/ldap/
http://mleahu.web.cern.ch/mleahu/doc/un ... 0Linux.htm
http://www.howtoforge.com/linux_ldap_authentication

How do your users currently change their LDAP passwords?

by **X11** » Fri Jun 29, 2007 8:17 pm

Currently they use "User Manager for Domains" which is some tool for Windows XP that does not like samba.

He can still login to the NT domain but for some reason according to PAM, which dovecot uses, his account has expired. Samba uses ldap for authentication.

Changing the password with passwd does not seem to help either. Dovecot tells the IMAP clients that the password is incorrect, and tells /var/log/messages the account has expired...

Code: Select all: Jun 30 12:15:00 pusa3 dovecot(pam_unix)[22296]: account master.yi has expired (account expired)

by **Void Main** » Fri Jun 29, 2007 9:05 pm

It looks like his local Linux accounts are set up for password expiration and this account's password has expired. Not the ldap account but the local /etc/passwd account. I would assume if you tried to log directly into the Linux box as that user you would not be allowed because his password has expired.

What does the output of this give you:

# passwd -S username

Have you tried resetting his local password?

# passwd username

You might also have to unlock the account:

# passwd -u username

If that indeed is what the problem is you would probably want to turn off password expiration since you are using ldap passwords. What does this user's entry look like in /etc/shadow? See this:

http://db.ilug-bom.org.in/Documentation ... rmats.html

and this:

http://tldp.org/HOWTO/Shadow-Password-HOWTO-7.html

Void's Forums

I know nothing about pam!

I know nothing about pam!

Who is online