List: pamldap
Subject: Re: [pamldap] system-auth: localuser, filter and pam_ldap
From: Jehan PROCACCIA <Jehan.Procaccia () int-evry ! Fr>
Date: 2002-10-21 13:26:11
Nalin Dahyabhai wrote:
>
> On Tue, Oct 15, 2002 at 01:22:04PM +0200, Jehan PROCACCIA wrote:
> > Here I only changed the "account" management group, the auth stayed the
> > same, so auth works fine; it's on the permission to access the service
> > (login) that my pam_filter works on, so on the "account" management
> > group and not the auth one I guess? So when "account
> > user_unknown=ignore pam_ldap" is present, root logs in, pam_ldap might
> > return user_unknown, but then why does the presence of pam_localuser allow
> > root to log in ...
>
> The pam_localuser module allows root to log in because there's an entry
> for root in /etc/passwd. The pam_filter should be used in the auth
> step, and that should be causing an unknown_user error to be returned by
> pam_ldap's auth function.
For me the pam_filter is used by the account module!? Not auth?
> For authentication, pam_unix will succeed for
> root, so root should be able to authenticate properly, and for account
> management, pam_ldap should return unknown_user, which the configuration
> file indicates should be ignored, so root should again succeed.
Yes, but if I remove account "pam_localuser" it doesn't succeed (while the
LDAP server is unreachable, of course), even if "user_unknown=ignore" is
present in the "account pam_ldap.so" module.
$ ssh root@localhost
Logs:
Oct 21 11:20:23 corne PAM-warn[13563]: service: sshd [on terminal: NODEVssh]
Oct 21 11:20:23 corne PAM-warn[13563]: user: (uid=0) -> root [remote: ?nobody@localhost.localdomain]
Oct 21 11:20:23 corne sshd[13563]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Oct 21 11:20:23 corne PAM-warn[13563]: service: sshd [on terminal: NODEVssh]
But now, my second problem of /etc/ldap.conf ldap_filters is if I leave
"user_unknown=ignore" in account pam_ldap.so :
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
Here the filter in /etc/ldap.conf is:
pam_filter IntEPersInetServ=*unix-int*
and the entry for my test account here does contain the *unix-int* string
in that personal IntEPersInetServ attribute:
dn: uid=testciti,ou=People,dc=int-evry,dc=fr
IntEPersInetServ: unix-citi unix-int mail-int
su - testciti
oct 21 14:20:46 corne su(pam_unix)[15453]: session opened for user testciti by procacci(uid=14503)
OK no problem.
Now I want to disable that testciti account from connecting to that machine by
removing the *unix-int* string from his IntEPersInetServ attribute:
dn: uid=testciti,ou=People,dc=int-evry,dc=fr
IntEPersInetServ: unix-citi mail-int
Unfortunately he gets connected with no problem!!??
The LDAP logs for that connection do get the filter though!
Oct 21 14:22:49 servfax slapd[24530]: conn=15 op=0 BIND dn="CN=MCIBIND,OU=SYSTEM,DC=INT-EVRY,DC=FR" method=128
Oct 21 14:22:49 servfax slapd[24530]: conn=15 op=0 RESULT tag=97 err=0 text=
Oct 21 14:22:49 servfax slapd[24540]: conn=15 op=1 SRCH base="dc=int-evry,dc=fr" scope=2 filter="(&(IntEPersInetServ=*unix-int*)(uid=testciti))"
Oct 21 14:22:49 servfax slapd[24540]: conn=15 op=1 SEARCH RESULT tag=101 err=0 text=
Now I change the system-auth account pam_ldap module configuration by
removing "user_unknown=ignore" and the filter works :-) (the incorrect
password isn't the right error message, anyway ...)
corne.int-evry.fr:/mci/mci/procacci>su - testciti
Password:
su: Mot de passe incorrect.
Any explanation for that?
Is it safe to run system-auth this way:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_localuser.so
#account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
account [default=bad success=ok service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
>
> For a user in your directory who has a readable-by-anyone userPassword
> attribute, pam_unix will authenticate successfully, bypassing pam_ldap
> and any of its authentication checks.
You suggest here that it is pam_unix that allowed me to log in; my
userPassword attribute has the following ACL:
access to attr=userPassword
by self write
by anonymous auth
by dn="cn=admin,dc=int-evry,dc=fr" write
by dn="cn=replicator,ou=System,dc=int-evry,dc=fr" write
by dn="cn=mcibind,ou=system,dc=int-evry,dc=fr" read
by * none
It is true that I have a binddn of
"cn=mcibind,ou=system,dc=int-evry,dc=fr" in my /etc/ldap.conf and hence
it gets read rights on userPassword.
All the mess comes from here? I am getting completely lost now ...
What would help is a real debug (better than pam_warn) on this.
Do you have a copy of the pam_ldap sources with heavy debug in it?
Thanks.
--
Jehan Procaccia
Institut National des Telecommunications| Email:
Jehan.Procaccia@int-evry.fr
MCI, Moyens Communs Informatiques | Tel : +33 (0) 160764436
9 rue Charles Fourier 91011 Evry France | Fax : +33 (0) 160764321
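The behaviour discussed in this thread follows from how Linux-PAM walks a stack of `required`/`sufficient`/`[value=action]` entries. The following is an added illustration, not code from the message or from pam_ldap: a small model of that walk, replayed over the account stacks quoted above. The module return codes (pam_localuser and pam_ldap answering `user_unknown` for a user the pam_filter excludes, pam_ldap answering `authinfo_unavail` when the directory is unreachable) are assumptions made for the example, not values taken from the logs.

```python
# Added example (not from the message or from pam_ldap): a small model of how
# Linux-PAM walks an "account" or "auth" stack, so the stacks quoted above can
# be replayed with the module return codes assumed in the comments below.

KEYWORDS = {  # what the keyword controls expand to (Linux-PAM semantics)
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def expand(control):
    """Map a control field ('sufficient' or '[default=bad success=ok ...]')
    to a dict of module return code -> action."""
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control.strip("[]").split())
    return dict(KEYWORDS[control])

def evaluate(stack, results):
    """stack: list of (control, module); results: module -> return code.
    Unlisted modules are assumed to return 'success'. Returns 'success' or
    'fail' following Linux-PAM's accumulated-impression rule."""
    impression = None  # None: nothing decided yet, else "ok" or "fail"
    for control, module in stack:
        actions = expand(control)
        action = actions.get(results.get(module, "success"), actions["default"])
        if action == "ignore":
            continue
        if action in ("bad", "die"):  # failure noted; 'die' also stops the walk
            impression = "fail"
            if action == "die":
                break
        elif action == "ok" and impression is None:
            impression = "ok"
        elif action == "done":  # 'sufficient' success: stop unless already failed
            if impression != "fail":
                return "success"
            break
    return "success" if impression == "ok" else "fail"

LDAP_IGNORE_UNKNOWN = "[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]"
LDAP_STRICT = "[default=bad success=ok service_err=ignore system_err=ignore]"
ACCOUNT_LENIENT = [("required", "pam_unix"), ("sufficient", "pam_localuser"), (LDAP_IGNORE_UNKNOWN, "pam_ldap")]
ACCOUNT_STRICT = [("required", "pam_unix"), ("sufficient", "pam_localuser"), (LDAP_STRICT, "pam_ldap")]

# Assumed return codes: testciti is not in /etc/passwd (pam_localuser -> user_unknown) and
# the pam_filter search finds no entry for him (pam_ldap -> user_unknown).
FILTERED_OUT_USER = {"pam_localuser": "user_unknown", "pam_ldap": "user_unknown"}
# Assumed: root is in /etc/passwd, and an unreachable directory makes pam_ldap return authinfo_unavail.
ROOT_LDAP_DOWN = {"pam_ldap": "authinfo_unavail"}
```

Under these assumptions the lenient stack lets the filtered-out user in because `user_unknown=ignore` discards exactly the code a filter miss produces, while the strict stack turns that same code into `bad`; root with the directory down passes only while `pam_localuser` is present to end the walk with `done` before `pam_ldap` is consulted.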