This may not really be a patch issue; but if not, I'm hoping that
somebody can help me out.

We're using a mix of local accounts and LDAP accounts. That is, there
are certain users who actually have entries in /etc/passwd and
/etc/shadow, and other users who have entries in LDAP but nothing
in /etc/passwd and /etc/shadow.

When one of the "local" users -- the ones in /etc/passwd and /etc/shadow --
logs in with an expired password, here's what happens:

mike@linux:~> ssh maria@...
maria@...'s password: *****
ldap options:
servers: cisldap1.cuny.edu:389
user basedn: ou=people,dc=cuny,dc=edu
group basedn: ou=group,dc=cuny,dc=edu
binddn: uid=****,ou=people,dc=cuny,dc=edu
bindpw: ****
group: staff
Last login: Thu Jul 13 16:26:58 2006 from 172.16.16.154
WARNING: Your password has expired.
You must change your password now and login again!
passwd: Changing password for maria
Enter existing login password: *****
Permission denied
Connection to cunyweb3.cuny.edu closed.

Any idea what's afoot here? I'm thinking there's some kind of
patch connection because the "ldap options" section of the config file
puzzlingly gets spit out to the terminal, as you can see.

This is a Solaris 9 box, by the way. The relevant section of pam.conf
looks like this:

sshd auth sufficient /usr/local/lib/security/pam_ldap.so.1
sshd auth required pam_unix_auth.so.1 use_first_pass
sshd account sufficient pam_unix_account.so.1
sshd account sufficient /usr/local/lib/security/pam_ldap.so.1
sshd session required pam_unix_session.so.1
sshd password required pam_unix_auth.so.1
--
Michael J. Smith
mjs@...
_______________________________________________
Openssh-lpk mailing list
Openssh-lpk@...
http://www.opendarwin.org/mailman/listinfo/openssh-lpk