ldapsource "x" hack results in "pam_acct_mgmt: 7" (Authentication failure) #27

Closed
jaqx0r opened this issue Mar 14, 2015 · 3 comments

jaqx0r commented Mar 14, 2015

Original issue 26 created by jaqx0r on 2012-06-11T04:42:37.000Z:

What steps will reproduce the problem?

  1. setup nsscache on debian squeeze
     • with kerberos and unix pam modules (via pam-auth-update)
     • with ldap nsscache source
     • only syncing passwd and group
  2. nsscache update --full
  3. modify nsswitch.conf to include "passwd: files db"
  4. getent passwd

What is the expected output? What do you see instead?

  • expected: passwd entries with a "*" in the password field
  • actual: passwd entries with a "x" in the password field

What version of the product are you using? On what operating system?

  • nsscache 0.21.17
  • debian 6.0.5

Please provide any additional information below.

It seems "x" is sometimes wanted and "*" other times, so this should be configurable in nsscache.conf. In my setup I'm using kerberos for auth and ldap for account information, and PAM apparently expects "*" vs "x"... with "passwd: files ldap" I see "*".

Changing "x" to "*" here solves it:


jaqx0r commented Mar 14, 2015

Comment #1 originally posted by jaqx0r on 2014-04-30T13:21:35.000Z:

Thanks to that comment that I probably wrote many years ago, there's no way to know why we used 'x' instead of '*'. I'm submitting the change; please try it out.


jaqx0r commented Mar 14, 2015

Comment #2 originally posted by jaqx0r on 2014-04-30T13:21:43.000Z:

This issue was closed by revision 0fbbf2b6aa71.


jaqx0r commented Mar 14, 2015

Comment #3 originally posted by jaqx0r on 2014-10-20T04:52:15.000Z:

This change was done in error. The documentation (passwd(5)) states that * marks locked accounts, and 'x' or other indicates that /etc/shadow should be used.

See #35

jaqx0r closed this as completed Mar 14, 2015
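An added example, not part of the original thread or nsscache's own code: a small audit of a passwd-format map that classifies the password field along the lines of the passwd(5) distinction cited in the last comment, and flags the case this issue ran into, an "x" entry with no matching shadow entry (here only passwd and group were synced). The function names and sample data are hypothetical and constructed, and the classification is a simplification of passwd(5).

```python
# Added example: classify passwd(5) password fields and flag 'x' entries
# that have no shadow entry. All sample data below is constructed.

def classify(pw_field):
    """Interpret the second field of a passwd(5) line."""
    if pw_field == "":
        return "no-password"        # no password required
    if pw_field == "x":
        return "shadow"             # hash is expected in the shadow map
    if pw_field.startswith(("*", "!")):
        return "no-password-login"  # not a valid crypt(3) result
    return "inline-hash"            # hash stored in passwd itself

def parse_map(text):
    """Return {name: second_field} for a passwd- or shadow-format map."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                # malformed line, skip it
        entries[fields[0]] = fields[1]
    return entries

def audit(passwd_text, shadow_text=""):
    """Return (name, class, problem) per account; problem is None if fine."""
    shadow = parse_map(shadow_text)
    report = []
    for name, field in parse_map(passwd_text).items():
        kind = classify(field)
        problem = None
        if kind == "shadow" and name not in shadow:
            problem = "'x' but no shadow entry"
        elif kind == "no-password":
            problem = "empty password field"
        report.append((name, kind, problem))
    return report

SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:*:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""
SAMPLE_SHADOW = "alice:$6$constructed$notarealhash:19000:0:99999:7:::\n"

if __name__ == "__main__":
    for row in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(row)
```

Running it against `getent passwd` and `getent shadow` output after changing nsswitch.conf shows which cached accounts would depend on a shadow map that is not being synced.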