[cups] authentication of Linux users against /etc/shadow *and* LDAP
Matthias Apitz
guru at unixarea.de
Thu Sep 28 23:23:06 PDT 2017
On Friday, September 29, 2017 at 07:34:26AM +0200, Matthias Apitz wrote:
> On Thursday, September 28, 2017 at 01:31:40 p.m. -0400, Michael Sweet wrote:
>
> > You want to update the /etc/nsswitch.conf file to tell the C library where to get the groups and users.
> >
>
> Michael,
>
>
> The file /etc/nsswitch.conf has:
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
>
> The C-call:
>
> spw = getspnam("sisis");
> endspent();
> printf("sisis: %s\n", spw->sp_pwdp);
>
> looks first into the file /etc/shadow, where the given
> user 'sisis' has no entry, and then chats
> with the LDAP server, which does not deliver any hash of
> the password, and the spw->sp_pwdp is set to "*" (which makes the comparison of
> the hash of what the user provides as password in CUPS fail):
>
> ...
While studying the problem more deeply, I now understand that
- an LDAP could (but should not for security reasons) be configured to
  return the password hash of a given user;
- even if it would return the hash, this could be completely
  incompatible with any hashing format used in UNIX and CUPS;
- the proper way would be to authenticate the user against LDAP.
matthias
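
The following is an added example, not part of the original post and not CUPS code. It classifies the `sp_pwdp` field returned by `getspnam()` so that a caller can tell a crypt(3) hash it may compare locally from a placeholder such as `"*"` or an LDAP-style `{SCHEME}` value, which must be handed to PAM or an LDAP bind instead. The function and enum names are hypothetical; the user name `sisis` is taken from the post.

```c
#include <stdio.h>
#include <string.h>
#include <shadow.h>

/* What a caller can do with the sp_pwdp field returned by getspnam(). */
enum pw_kind {
    PW_NO_ENTRY,     /* getspnam() returned NULL */
    PW_EMPTY,        /* empty field: no password set, never accept */
    PW_PLACEHOLDER,  /* "*", "!..." or unrecognised: no usable hash here */
    PW_LDAP_SCHEME,  /* "{SSHA}..." etc.: LDAP userPassword syntax */
    PW_CRYPT         /* "$id$salt$hash" or 13-char DES: crypt(3) format */
};

enum pw_kind classify_pwdp(const char *pwdp)
{
    if (pwdp == NULL)
        return PW_NO_ENTRY;
    if (pwdp[0] == '\0')
        return PW_EMPTY;
    if (pwdp[0] == '*' || pwdp[0] == '!')
        return PW_PLACEHOLDER;
    if (pwdp[0] == '{' && strchr(pwdp, '}') != NULL)
        return PW_LDAP_SCHEME;           /* cannot be passed to crypt(3) as is */
    if (pwdp[0] == '$' && strchr(pwdp + 1, '$') != NULL)
        return PW_CRYPT;
    /* Traditional DES crypt output is exactly 13 characters long. */
    return strlen(pwdp) == 13 ? PW_CRYPT : PW_PLACEHOLDER;
}

/* Only a crypt(3)-format hash can be checked locally; anything else is
 * rejected or delegated to PAM / an LDAP bind. */
int can_compare_locally(const char *pwdp)
{
    return classify_pwdp(pwdp) == PW_CRYPT;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "no entry", "empty", "placeholder",
                                   "LDAP scheme", "crypt(3) hash" };
    const char *user = argc > 1 ? argv[1] : "sisis";
    struct spwd *spw = getspnam(user);   /* needs read access to shadow data */
    const char *pwdp = spw ? spw->sp_pwdp : NULL;

    printf("%s: %s -> %s\n", user, names[classify_pwdp(pwdp)],
           can_compare_locally(pwdp) ? "compare locally" : "delegate to PAM/LDAP");
    endspent();
    return 0;
}
```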