[cups] authentication of Linux users against /etc/shadow *and* LDAP

Mike Sweet msweet at apple.com
Fri Sep 29 09:11:45 PDT 2017


You need to configure PAM to do authentication - CUPS supports PAM as well (make sure you have the PAM development package installed).

> On Sep 29, 2017, at 2:23 AM, Matthias Apitz <guru at unixarea.de> wrote:
> 
>> On Friday, September 29, 2017 at 07:34:26AM +0200, Matthias Apitz wrote:
>> 
>>> On Thursday, September 28, 2017 at 01:31:40 PM -0400, Michael Sweet wrote:
>>> 
>>> You want to update the /etc/nsswitch.conf file to tell the C library where to get the groups and users.
>>> 
>> 
>> Michael,
>> 
>> 
>> The file /etc/nsswitch.conf has:
>> 
>> passwd: compat ldap
>> group:  compat ldap
>> shadow: compat ldap
>> 
>> The C-call:
>> 
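>>    /* needs <shadow.h> and <stdio.h>; getspnam() returns NULL if no entry is found */
>>    spw = getspnam("sisis");
>>    if (spw != NULL)
>>        printf("sisis: %s\n", spw->sp_pwdp);
>>    endspent();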
>> 
>> looks first into the file /etc/shadow, where the given
>> user 'sisis' has no entry, and then chats
>> with the LDAP server, which does not deliver any hash of
>> the password, and spw->sp_pwdp is set to "*" (which makes the comparison of
>> the hash of what the user provides as password in CUPS fail):
>> 
>> ...
> 
> While studying the problem more deeply, I now understand that
> 
> - an LDAP could (but should not for security reasons) be configured to
>  return the password hash of a given user;
> - even if it would return the hash, this could be completely
>  incompatible with any hashing format used in UNIX and CUPS;
> - the proper way would be to authenticate the user against LDAP.
> 
>    matthias
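The failure described in the quoted message, getspnam() handing back "*" for an LDAP-backed account, can be recognized before any hash comparison is attempted. The following C code is an added example, not code from CUPS or from the posters; the names classify_sp_pwdp and needs_pam, the rule of handing every non-hash value to PAM, and all sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum pw_field {
    PW_NO_ENTRY,        /* getspnam() returned NULL */
    PW_EMPTY,           /* empty field: no password set */
    PW_NOT_VERIFIABLE,  /* "*", "x", "!..." or other non-crypt(3) text */
    PW_CRYPT_HASH       /* looks like crypt(3) output */
};

static const char CRYPT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* pwdp is spw->sp_pwdp, or NULL when getspnam() found no entry. */
enum pw_field classify_sp_pwdp(const char *pwdp)
{
    if (pwdp == NULL)
        return PW_NO_ENTRY;
    if (pwdp[0] == '\0')
        return PW_EMPTY;
    if (pwdp[0] == '$') {
        /* Modular crypt format: $id$salt$hash, every part non-empty. */
        const char *sep2 = strchr(pwdp + 1, '$');
        const char *sep3 = sep2 ? strchr(sep2 + 1, '$') : NULL;
        if (sep2 && sep2 > pwdp + 1 && sep3 && sep3 > sep2 + 1 && sep3[1])
            return PW_CRYPT_HASH;
        return PW_NOT_VERIFIABLE;
    }
    /* Traditional DES crypt: exactly 13 characters of the crypt alphabet. */
    if (strlen(pwdp) == 13 && strspn(pwdp, CRYPT_ALPHABET) == 13)
        return PW_CRYPT_HASH;
    return PW_NOT_VERIFIABLE;
}

/* Assumed policy: anything that is not a crypt(3) hash goes to PAM. */
int needs_pam(const char *pwdp)
{
    return classify_sp_pwdp(pwdp) != PW_CRYPT_HASH;
}

int main(void)
{
    /* Constructed sample values, not taken from a real system. */
    const char *samples[] = { "*", "x", "!$6$c2FsdA$aGFzaA", "", "$6$c2FsdA$aGFzaA" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> needs_pam=%d\n", samples[i], needs_pam(samples[i]));
    return 0;
}
```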