
List:       pamldap
Subject:    Re: [pamldap] system-auth: localuser, filter and pam_ldap
From:       Jehan PROCACCIA <Jehan.Procaccia () int-evry ! Fr>
Date:       2002-10-21 13:26:11

Nalin Dahyabhai wrote:
> 
> On Tue, Oct 15, 2002 at 01:22:04PM +0200, Jehan PROCACCIA wrote:
> > Here I only changed the "account" management group, the auth stayed the
> > same, so auth works fine; it's on the permission to access the service
> > (login) that my pam_filter works, so on the "account" management
> > group and not the auth one, I guess? So when "account
> > user_unknown=ignore pam_ldap" is present, root logs in, pam_ldap might
> > return user_unknown, but then why does the presence of pam_localuser allow
> > root to log in ...
> 
> The pam_localuser module allows root to log in because there's an entry
> for root in /etc/passwd.  The pam_filter should be used in the auth
> step, and that should be causing an unknown_user error to be returned by
> pam_ldap's auth function.  

For me the pam_filter is used by the account module!? Not auth?

> For authentication, pam_unix will succeed for
> root, so root should be able to authenticate properly, and for account
> management, pam_ldap should return unknown_user, which the configuration
> file indicates should be ignored, so root should again succeed.

Yes, but if I remove the account "pam_localuser" line it doesn't succeed (while
the LDAP server is unreachable, of course), even if "user_unknown=ignore" is
present in the "account pam_ldap.so" module.

$ssh root@localhost
LOGs:
Oct 21 11:20:23 corne PAM-warn[13563]: service: sshd [on terminal:
NODEVssh]
Oct 21 11:20:23 corne PAM-warn[13563]: user: (uid=0) -> root [remote:
?nobody@localhost.localdomain]
Oct 21 11:20:23 corne sshd[13563]: pam_ldap: ldap_simple_bind Can't
contact LDAP server
Oct 21 11:20:23 corne PAM-warn[13563]: service: sshd [on terminal:
NODEVssh]


But now, my second problem with the /etc/ldap.conf filters: if I leave
"user_unknown=ignore" in account pam_ldap.so:
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
Here the filter in /etc/ldap.conf is:
pam_filter IntEPersInetServ=*unix-int*

and the entry for my test account here does contain the *unix-int* string
in that personal IntEPersInetServ attribute:

dn: uid=testciti,ou=People,dc=int-evry,dc=fr
IntEPersInetServ: unix-citi unix-int mail-int

su - testciti
oct 21 14:20:46 corne su(pam_unix)[15453]: session opened for user
testciti by procacci(uid=14503)

OK no problem.

Now I want to prevent that testciti account from connecting to that machine by
removing the *unix-int* string from its IntEPersInetServ attribute:

dn: uid=testciti,ou=People,dc=int-evry,dc=fr
IntEPersInetServ: unix-citi mail-int

Unfortunately he gets connected with no problem!!??

The LDAP logs for that connection do show the filter, though!

Oct 21 14:22:49 servfax slapd[24530]: conn=15 op=0 BIND
dn="CN=MCIBIND,OU=SYSTEM,DC=INT-EVRY,DC=FR" method=128 
Oct 21 14:22:49 servfax slapd[24530]: conn=15 op=0 RESULT tag=97 err=0
text= 
Oct 21 14:22:49 servfax slapd[24540]: conn=15 op=1 SRCH
base="dc=int-evry,dc=fr" scope=2
filter="(&(IntEPersInetServ=*unix-int*)(uid=testciti))" 
Oct 21 14:22:49 servfax slapd[24540]: conn=15 op=1 SEARCH RESULT tag=101
err=0 text= 

Now I change the system-auth account pam_ldap module configuration by
removing "user_unknown=ignore", and the filter works :-)  (the "incorrect
password" message isn't the right error message, anyway ...)

corne.int-evry.fr:/mci/mci/procacci>su - testciti 
Password: 
su: Mot de passe incorrect.

Any explanation for that?

Is it safe to run system-auth this way:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_localuser.so
#account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
account     [default=bad success=ok service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

> 
> For a user in your directory who has a readable-by-anyone userPassword
> attribute, pam_unix will authenticate successfully, bypassing pam_ldap
> and any of its authentication checks.  

You suggest here that it is pam_unix that allowed me to log in; my
userPassword attribute has the following ACL:

access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=admin,dc=int-evry,dc=fr" write
        by dn="cn=replicator,ou=System,dc=int-evry,dc=fr" write
        by dn="cn=mcibind,ou=system,dc=int-evry,dc=fr" read
        by * none

It is true that I have a binddn of
"cn=mcibind,ou=system,dc=int-evry,dc=fr" in my /etc/ldap.conf, and hence
it gets read rights on userPassword.
Does all the mess come from here? I get completely lost now ...
What would help is real debugging (better than pam_warn) on this.
Do you have a copy of the pam_ldap sources with heavy debug output in it?

Thanks.

-- 
Jehan Procaccia
Institut National des Telecommunications| Email:
Jehan.Procaccia@int-evry.fr 
MCI, Moyens Communs Informatiques	| Tel  : +33 (0) 160764436 
9 rue Charles Fourier 91011 Evry France | Fax  : +33 (0) 160764321
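An added example, not part of the original message or of pam_ldap: a small Python simulator of Linux-PAM's control rules (required, sufficient and the [value=action] form) run over the account and auth stacks quoted in the message, showing why user_unknown=ignore lets a filtered-out user through, why a sufficient pam_localuser line lets root in while the server is down, and why a sufficient pam_unix in the auth stack means pam_ldap's auth check never runs. The module return values used (user_unknown for a user excluded by pam_filter, authinfo_unavail when the server is unreachable, perm_denied from pam_localuser for a non-local user) are assumptions, not output from the thread.

```python
# Added example, not code from the thread; module verdicts below are assumptions.
OK, DONE, BAD, DIE, IGNORE = "ok", "done", "bad", "die", "ignore"
# Linux-PAM's documented expansion of the keyword controls used in the message.
KEYWORDS = {
    "required":   {"success": OK, "new_authtok_reqd": OK, "ignore": IGNORE, "default": BAD},
    "sufficient": {"success": DONE, "new_authtok_reqd": DONE, "default": IGNORE},
}
def parse_control(control):
    """'required' or '[default=bad success=ok user_unknown=ignore ...]' -> dict."""
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, verdicts):
    """Walk [(control, module)] with per-module return values, following the
    ok/done/bad/die/ignore rules of libpam; returns (result, modules consulted)."""
    status, impression, consulted = None, None, []
    for control, module in stack:
        consulted.append(module)
        retval = verdicts[module]
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", BAD))
        if action in (OK, DONE):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if impression == "positive" and action == DONE:
                break  # sufficient: stop here, later modules are never run
        elif action in (BAD, DIE):
            if impression != "negative":
                impression, status = "negative", retval  # first failure wins
            if action == DIE:
                break
        # any other action is IGNORE: this module's verdict does not count
    if impression != "positive":
        status = status or "perm_denied"  # nobody voted: PAM_PERM_DENIED
    return status, tuple(consulted)

# The stacks quoted in the message (long pam_ldap control written on one line).
LDAP_IGNORE_UNKNOWN = "[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]"
LDAP_STRICT = "[default=bad success=ok service_err=ignore system_err=ignore]"
AUTH_STACK = [("required", "pam_env"), ("sufficient", "pam_unix"),
              ("sufficient", "pam_ldap"), ("required", "pam_deny")]
def account_stack(ldap_control, with_localuser):
    stack = [("required", "pam_unix")]
    if with_localuser:
        stack.append(("sufficient", "pam_localuser"))
    return stack + [(ldap_control, "pam_ldap")]
# Assumed verdicts: pam_filter excludes testciti -> user_unknown; server unreachable
# -> authinfo_unavail; pam_localuser only succeeds for users in /etc/passwd.
FILTERED_OUT = {"pam_unix": "success", "pam_localuser": "perm_denied", "pam_ldap": "user_unknown"}
ROOT_NO_LDAP = {"pam_unix": "success", "pam_localuser": "success", "pam_ldap": "authinfo_unavail"}
```

Running the filtered-out user through the account stack with and without user_unknown=ignore reproduces the two behaviours described in the message, and the auth stack shows pam_ldap is never consulted once pam_unix succeeds.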