Above might suggest a configuration that fixes this: check ldap first in common-auth, which currently does:
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
That should not be a default (having ldap first) but could be a better workaround than setuid unix_chkpwd ?
Some reference (marked as WONTFIX) /bugzilla. redhat. com/show_ bug.cgi? id=638279
https:/
Above might suggest a configuration that fixes this: check ldap first in common-auth, which currently does:
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
That should not be a default (having ldap first) but could be a better workaround than setuid unix_chkpwd ?