
RE: forced password changes

by Andrew Morgan


On Wed, 26 Nov 2008, Stricklin, Raymond J wrote:

> Again...
>
> After looking at the source (pam_ldap.c) I discovered that the pam_ldap
> documentation is a little misleading with regard to the equivalence of
> use_authtok and use_first_pass, so I decided to try tweaking pam.conf
> some more. I found that changing this:
>
>   password sufficient pam_ldap.so use_authtok
>
> to this:
>
>   password sufficient pam_ldap.so try_first_pass
>
> causes the "Old password:" prompt to appear just as it has been, only
> now authentication succeeds, and the forced password change works
> correctly without requiring 'pam_password crypt' set in /etc/ldap.conf.
>
> Can somebody who understands pam_ldap better than I do explain why that
> should have made the difference? Demonstrably, it works, but I am at a
> loss to explain why.

I thought "try_first_pass" told that PAM module to try using the password
already obtained by the previous module in the stack.  I don't know what
use_authtok means though.

  Andy
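For reference, the standard Linux-PAM meanings of the three options as documented for pam_unix(8): try_first_pass means "try the password already obtained by an earlier module in the stack, and prompt only if there is none", use_first_pass means "use that password and fail rather than prompt if there is none", and use_authtok (honoured only by password-type modules) means "take the *new* password from the module stacked before this one instead of asking for it". The stack below is an added example, not Raymond's pam.conf and not pam_ldap's own documentation; it uses /etc/pam.d/passwd syntax, and the pam_cracklib line and module options are assumptions chosen to show the difference.

```conf
# /etc/pam.d/passwd  (added example; /etc/pam.d layout assumed, adjust for
# a single /etc/pam.conf by prefixing each line with the service name)

# Stack A: use_authtok.  pam_cracklib is the only module that prompts for
# the NEW password (twice) and it checks strength; pam_unix and pam_ldap
# then take that new password from the stack via use_authtok.  Each
# backend still verifies the OLD password itself, so a module that
# cannot obtain it will fail instead of prompting.
password  requisite   pam_cracklib.so  retry=3 minlen=8 difok=3
password  sufficient  pam_unix.so      use_authtok shadow nullok
password  sufficient  pam_ldap.so      use_authtok
password  required    pam_deny.so

# Stack B: try_first_pass.  pam_ldap reuses whatever password an earlier
# module already collected; if nothing is available it falls back to its
# own prompt (the "Old password:" prompt Raymond saw is this fallback),
# instead of failing the way use_first_pass would.
password  requisite   pam_cracklib.so  retry=3 minlen=8 difok=3
password  sufficient  pam_unix.so      shadow nullok
password  sufficient  pam_ldap.so      try_first_pass
password  required    pam_deny.so
```

To check which stack is in effect, run passwd as an unprivileged user with an expired password (or an account flagged for a forced change) and note the prompts: with stack A you should be asked for the old password once per backend that needs it and for the new password only by pam_cracklib; with stack B pam_ldap may prompt again for the old password if the earlier module did not leave one on the stack. The "sufficient" control means the first backend that succeeds ends the stack, so the pam_deny line only matters when every backend fails.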