security/pam_ldap - update to version 1.8.0
adampordzik at gmx.de
Sat Aug 27 22:22:06 GMT 2005
Konstantin Saurbier wrote:
> i wrote a patch for security/pam_ldap to fix this security issue:
> Please test this patch and comment any problems or bugs. For me it worked
> well, but my access to different releases and architectures is limited to
> 5.4-RELEASE and 6.0-BETA3 on i386.
This bug concerns only entries of the "passwordPolicy" class, so it's
not very wicked.
> Copy %%PREFIX%%/etc/ldap.conf.dist to %%PREFIX%%/etc/ldap.conf, then edit
> -%%PREFIX%%/etc/ldap.conf in order to use this module. Add a line similar to
> -the following to /etc/pam.conf on 4.X, or create an /etc/pam.d/ldap
> -on 5.X with a line similar to the following:
Good idea to correct this!
> +account sufficient pam_ldap.so
Since pam_unix.so grants access to everybody in the account stage, pam_ldap
should be made "required" here, if you want PAM to do more than just _say_
"Access denied for this host". Hence a line
account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
works as expected. "ignore_authinfo_unavail" is needed so as not to lock out
local/other users when the ldap server cannot be connected.
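The following is an added illustration, not part of the mail or the port: a small model of how the "account" stack evaluates the "sufficient" line from the patch versus the "required" line above, using simplified OpenPAM/Linux-PAM control-flag semantics. It assumes the stack also carries the usual "account required pam_unix.so" line, and the pam_ldap module results are constructed, not taken from the real module.

```python
# Added example (not from the original mail): models PAM account-stack
# evaluation for "sufficient" vs "required" pam_ldap with ignore_* options.
from enum import Enum

class R(Enum):
    SUCCESS = "success"
    PERM_DENIED = "perm_denied"            # pam_ldap: host/policy denies access
    USER_UNKNOWN = "user_unknown"          # pam_ldap: user not in the directory
    AUTHINFO_UNAVAIL = "authinfo_unavail"  # pam_ldap: LDAP server unreachable
    IGNORE = "ignore"                      # module asks to be skipped

def pam_ldap(user_state, options):
    """Constructed result of pam_ldap's account check with ignore_* applied."""
    if user_state is R.USER_UNKNOWN and "ignore_unknown_user" in options:
        return R.IGNORE
    if user_state is R.AUTHINFO_UNAVAIL and "ignore_authinfo_unavail" in options:
        return R.IGNORE
    return user_state

def pam_unix(user_state, options):
    # As the mail states: pam_unix grants access to everybody at account stage.
    return R.SUCCESS

def run_stack(stack, user_state):
    """Evaluate (control, module, options) lines the way PAM would; True = access."""
    required_failed = False
    for control, module, options in stack:
        r = module(user_state, options)
        if r is R.IGNORE:
            continue
        if control == "required" and r is not R.SUCCESS:
            required_failed = True   # stack will fail, but later modules still run
        elif control == "sufficient" and r is R.SUCCESS and not required_failed:
            return True              # short-circuit: later modules are not consulted
    return not required_failed

# Assumed stacks: the patch's line and the mail's corrected line, each followed
# by the usual pam_unix account line.
WEAK = [("sufficient", pam_ldap, set()),
        ("required", pam_unix, set())]
FIXED = [("required", pam_ldap, {"ignore_unknown_user", "ignore_authinfo_unavail"}),
         ("required", pam_unix, set())]

if __name__ == "__main__":
    for state in (R.SUCCESS, R.PERM_DENIED, R.USER_UNKNOWN, R.AUTHINFO_UNAVAIL):
        print(f"{state.value:17} weak={run_stack(WEAK, state)} "
              f"fixed={run_stack(FIXED, state)}")
```

With the "sufficient" line an LDAP denial is simply ignored and pam_unix lets the user in; with "required" the denial sticks, while unknown and unreachable-server cases still fall through to pam_unix so local users are not locked out.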