tags 579574 + pending
thanks

On Wed, 2010-04-28 at 20:05 +0200, Petter Reinholdtsen wrote:
> I noticed this when comparing the libpam-heimdal setup with the
> libpam-ldapd setup for pam-auth-update.  The kerberos module is set up
> to only authenticate users with uid >= 1000, which seems like a
> sensible thing to do.  The root user for example should only be
> allowed to log in using a local password.

I think this is a good idea and a good default configuration for the
Debian package. I have implemented this in the development version [0].
Thanks for pointing this out.

I have also been thinking about putting this filter a little higher,
instead of only in the PAM module also for other lookups (implementing
it in nslcd).

This could be implemented with a custom search filter:
  (&(objectClass=posixAccount)(uidNumber>=1000))
except that uidNumber, although being defined as an integer, is not
orderable in the standard LDAP schema (RFC2307) [1]. This seems to be
fixed in the proposed changes for that document [2], although I don't
know if that is still moving forward and when it will be implemented.

Perhaps filtering in nslcd itself could also be implemented, filtering
out user search results with a too low uid.

[0] http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1082
[1] http://www.ietf.org/rfc/rfc2307.txt
[2] http://tools.ietf.org/id/draft-howard-rfc2307bis-02.txt

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
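As an added illustration (not code from this bug report or from nss-pam-ldapd), the client-side post-filter that the last paragraph proposes: because uidNumber has no ordering matching rule under RFC 2307, a server cannot evaluate `(uidNumber>=1000)`, so the results of a plain `(objectClass=posixAccount)` search are filtered after retrieval. The entries below are constructed sample data in the (dn, attributes) shape python-ldap returns, and `min_uid` is an assumed parameter name; entries with a missing, non-numeric or multi-valued uidNumber are dropped rather than let through.

```python
MIN_UID = 1000  # same threshold as the pam-auth-update profile discussed above

# Constructed sample entries: (dn, {attribute: [values as bytes]})
SAMPLE_ENTRIES = [
    ("uid=root,ou=people,dc=example,dc=org",
     {"uid": [b"root"], "uidNumber": [b"0"]}),
    ("uid=daemon,ou=people,dc=example,dc=org",
     {"uid": [b"daemon"], "uidNumber": [b"1"]}),
    ("uid=alice,ou=people,dc=example,dc=org",
     {"uid": [b"alice"], "uidNumber": [b"1000"]}),
    ("uid=bob,ou=people,dc=example,dc=org",
     {"uid": [b"bob"], "uidNumber": [b"1001"]}),
    ("uid=broken,ou=people,dc=example,dc=org",
     {"uid": [b"broken"], "uidNumber": [b"notanumber"]}),
    ("uid=multi,ou=people,dc=example,dc=org",
     {"uid": [b"multi"], "uidNumber": [b"1002", b"5"]}),
]


def entry_uid_number(attrs):
    """Return the entry's uidNumber as an int, or None when the attribute is
    missing, multi-valued or not a plain decimal number (treated as no match)."""
    values = attrs.get("uidNumber", [])
    if len(values) != 1:
        return None
    try:
        text = values[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.isdigit():
        return None
    return int(text)


def filter_min_uid(entries, min_uid=MIN_UID):
    """Keep only entries whose uidNumber is >= min_uid; the comparison is done
    here because the server cannot order uidNumber (hypothetical helper)."""
    kept = []
    for dn, attrs in entries:
        uid_number = entry_uid_number(attrs)
        if uid_number is not None and uid_number >= min_uid:
            kept.append((dn, attrs))
    return kept


def kept_uids(entries, min_uid=MIN_UID):
    """Convenience wrapper returning the uid values that survive the filter."""
    return [attrs["uid"][0].decode() for _, attrs in filter_min_uid(entries, min_uid)]


if __name__ == "__main__":
    for dn, _ in filter_min_uid(SAMPLE_ENTRIES):
        print(dn)
```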
