Recently, I have hit a rather unique and annoying error with LDAP. It seems that using PAM with LDAP allows *any* password as valid. I'm not really sure what I have done here, and any help would be appreciated. Find my /etc/ldap.conf attached, as well as pam.d/ssh.
etc/ldap.conf
# Client-side pam_ldap / nss_ldap configuration as posted.
# Search base and server; note the URI is plain ldap:// (transport security
# is expected to come from the ssl/tls settings further down).
base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.chocolate.lan
ldap_version 3
scope sub
timelimit 3
bind_timelimit 3
# NOTE(review): "soft" bind policy — confirm how pam_ldap answers when the
# server cannot be reached, because the sshd stack below treats pam_ldap as
# "sufficient" and a non-failure result there ends the auth stack.
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
# Group membership requirement (memberUid in this group) — enforced by
# pam_ldap, presumably during the account phase; confirm which phase, since
# pam_ldap's account entry in pam.d/sshd is only "optional".
pam_groupdn cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan
pam_member_attribute memberUid
# NOTE(review): pam_password is set twice (clear, then exop). Only one can be
# in effect — presumably the later line — so remove the one not intended.
pam_password clear
pam_password exop
nss_base_passwd ou=Users,dc=chocolate,dc=lan?sub
nss_base_shadow ou=Users,dc=chocolate,dc=lan?sub
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?sub
# NOTE(review): "ssl on" (LDAPS) and "ssl start_tls" (StartTLS over the
# ldap:// URI above) both appear; they select different transports, so
# confirm which one is actually in effect and drop the other. start_tls is
# the one consistent with the ldap:// URI on the uri line.
ssl on
ssl start_tls
tls_cacert /usr/local/etc/openldap/keys/cacert.crt
# tls_checkpeer no turns off verification of the server certificate, so the
# CA file above is never enforced: the client will bind — sending the user's
# password — to whatever host answers for ldap.chocolate.lan. Set this to
# "yes" once the CA certificate is correct; with verification off, the
# password check is only as trustworthy as the network path to the server.
tls_checkpeer no
pam.d/sshd
# pam.d/sshd as posted. Each stack is evaluated top to bottom: a "sufficient"
# module that succeeds ends the stack with success, "requisite" failure ends
# it with failure, and an "optional" result is ignored when other modules in
# the same stack decide the outcome.
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
# pam_ldap binds with the password already collected (use_first_pass). Because
# it is "sufficient", a successful bind alone grants login. NOTE(review): for
# the "any password is accepted" symptom, verify directly against the same
# URI (e.g. with ldapwhoami) that a simple bind as the test user with a wrong
# password is rejected — if the server accepts it, the problem is on the
# directory side, not in this stack. With tls_checkpeer off in ldap.conf, also
# confirm the bind is really reaching ldap.chocolate.lan.
auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
# Local-password fallback when pam_ldap does not succeed.
auth sufficient pam_unix.so no_warn try_first_pass
account required pam_nologin.so
account required pam_login_access.so
# Both account checks below are "optional": with the two "required" modules
# above deciding the stack, a deny from pam_unix or pam_ldap here (e.g. an
# expired account, or the pam_groupdn membership check if pam_ldap applies it
# in this phase — confirm) cannot block the login. Consider "required" for
# pam_ldap if group membership is meant to be enforced.
account optional pam_unix.so
account optional /usr/local/lib/pam_ldap.so
session required pam_permit.so
session optional /usr/local/lib/pam_ldap.so
# NOTE(review): "use_athtok" looks like a typo for "use_authtok"; as written
# the option is presumably not recognised, so the password-change flow may
# not behave as intended.
password sufficient /usr/local/lib/pam_ldap.so no_warn use_athtok use_first_pass
password sufficient pam_unix.so no_warn try_first_pass