[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Pam password authentication

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Pam password authentication
From: Siddhartha Jain <sjain@silverspringnet.com>
Date: Sat, 5 Jun 2010 14:52:10 -0700
Accept-language: en-US
Acceptlanguage: en-US
Content-language: en
In-reply-to: <C3CE6AD1-488E-41D1-958C-29AAEA6A48D6@internode.on.net>
Thread-index: AcsEuAb/ucR9KPCfS9GrbPUbMjmyHwAQVIwv
Thread-topic: Pam password authentication

Title: Re: Pam password authentication

I came across a similar bug where enabling chaining between a master and slave allows invalid passwords to be accepted by pam_ldap. Unfortunately, no word from OpenLDAP or pam_ldap maintainers on the issue. I have been looking at pam_ldap source code but haven’t been able to pinpoint the issue. In my case, it has something to do with password policy not being handled properly when chaining is enabled. I suggest try tweaking those “pam_password” statements and see if you can deduce anything.

I will update the list if I find anything conclusive about this bug.

Thanks,

Siddhartha

On 6/5/10 7:00 AM, "Indexer" <indexer@internode.on.net> wrote:

Recently, i have hit a rather unique, and annoying, error with ldap. it seems that using pam with ldap, allows *any* password as valid. Im not really sure what i have done here, and any help would be apprecitaed. find my /etc/ldap.conf attached, as well as pam.d/ssh

etc/ldap.conf

base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.chocolate.lan
ldap_version 3
scope sub
timelimit 3
bind_timelimit 3
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_groupdn cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan
pam_member_attribute memberUid
pam_password clear
pam_password exop
nss_base_passwd         ou=Users,dc=chocolate,dc=lan?sub
nss_base_shadow         ou=Users,dc=chocolate,dc=lan?sub
nss_base_group          ou=Nemo,ou=Group,dc=chocolate,dc=lan?sub
ssl on
ssl start_tls
tls_cacert /usr/local/etc/openldap/keys/cacert.crt

tls_checkpeer no

pam.d/sshd

auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth           sufficient      /usr/local/lib/pam_ldap.so no_warn use_first_pass
auth            sufficient      pam_unix.so             no_warn try_first_pass

account         required        pam_nologin.so
account         required        pam_login_access.so
account         optional        pam_unix.so
account         optional        /usr/local/lib/pam_ldap.so

session         required        pam_permit.so
session         optional      /usr/local/lib/pam_ldap.so

password        sufficient      /usr/local/lib/pam_ldap.so      no_warn    use_athtok   use_first_pass
password        sufficient      pam_unix.so             no_warn try_first_pass

Follow-Ups:
- Re: Pam password authentication
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

References:
- Pam password authentication
  - From: Indexer <indexer@internode.on.net>

Prev by Date: Re: ldap_sync* how to
Next by Date: Re: ldap_sync* how to
Index(es):
- Chronological
- Thread