bin/116150: PAM module pam_unix.so seems to block account-checks for pam_ldap.so
Daniel Bond
db at nsn.no
Thu Sep 6 04:50:02 PDT 2007
>Number: 116150
>Category: bin
>Synopsis: PAM module pam_unix.so seems to block account-checks for pam_ldap.so
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 06 11:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Daniel Bond
>Release: FreeBSD 6.2-RELEASE-p4 amd64
>Organization:
Network Solutions Norway ASA
>Environment:
System: FreeBSD speedy.nsn.no 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 15:04:52 UTC 2007 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/SMP amd64
The packages I have installed are:
nss_ldap-1.256 RFC 2307 NSS module
openldap-client-2.3.38 Open source LDAP client implementation
pam_ldap-1.8.2 A pam module for authenticating with LDAP
Relevant lines from /etc/pam.d/sshd look like this:
# auth
auth required pam_nologin.so no_warn
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass debug
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass debug
# account
account sufficient /usr/local/lib/pam_ldap.so debug
account required pam_login_access.so
account required pam_unix.so debug
Relevant lines from ldap.conf:
pam_filter objectclass=posixAccount
#pam_check_host_attr yes
pam_groupdn cn=flexiweb,ou=ssh-access,ou=groups,dc=example,dc=com
pam_member_attribute member
nss_base_passwd ou=company,ou=people,dc=example,dc=com
nss_base_shadow ou=company,ou=people,dc=example,dc=com
nss_base_group ou=posixgroups,ou=groups,dc=example,dc=com
>Description:
When setting up LDAP authentication with services like SSH, it is common to have all users in a "users" OrganizationalUnit, but one usually doesn't want to allow all these people to gain access to every server configured with LDAP authentication.
I can log in to this machine, but pam_ldap completely ignores "pam_groupdn" and "pam_check_host_attr yes". This means that all my LDAP users have access to the FreeBSD hosts, while on Linux the users are restricted to "pam_groupdn".
I'm running the same version of pam_ldap on FreeBSD and Linux clients, and pam_groupdn is documented in pam_ldap(5) under FreeBSD, which makes me believe that this is a problem regarding FreeBSD PAM, and not a PADL pam_ldap issue.
I've been googling this issue for some hours, and I've seen quite a few posts about the same issue on the mailing lists, dating back to 2003-2004, but no answers or description of what is causing this.
The closest I've found is on a few Solaris lists, where the problem is traced back to pam_unix.so, because pam_unix.so is returning a positive status before the account checks in the mod_ldap.so module are run.
Could something similar be the problem with FreeBSD?
I don't seem to be getting any debug output from PAM either, even though this should be syslog'ed to /var/log/debug.log. Sorry for the little information/no patch to fix this, but I've hit the wall trying to debug this, and there seem to be no answers to be found on the mailing lists.
Also, the issue with using /usr/bin/passwd for changing LDAP account passwords seems to have been solved about this time in 2004; any chance we will be seeing this upstream soon?
>How-To-Repeat:
Set up FreeBSD 6.2 & PAM with nss_ldap/pam_ldap, and configure pam_groupdn or pam_check_host_attr. These settings will be ignored.
>Fix:
No known fix for this issue.
>Release-Note:
>Audit-Trail:
>Unformatted:
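Editorial note: the account stack quoted in the report is enough to produce the behaviour described, whatever pam_ldap itself does. OpenPAM's pam.conf(5) rule for a `sufficient` module is that its success ends the chain, but its failure is ignored and the remaining modules still run. So if pam_ldap returns an error for a user who is outside pam_groupdn, pam_login_access and pam_unix (both of which see the user through nss_ldap) still succeed and the account phase passes. The Python script below is an added example, not code from the PR, from FreeBSD or from PADL; it simulates OpenPAM's chain evaluation over a copy of the reported account stack and over a hardened variant where pam_ldap is `required`. The module return codes it feeds in are constructed inputs, not output of the real modules, and the numeric code values are illustrative.

```python
"""Simulate OpenPAM chain evaluation (pam.conf(5) control-flag semantics).

Added example, not code from the PR, FreeBSD or PADL.  The module results
below are constructed for the simulation, not produced by the real modules.
"""

# Return-code values are illustrative; only equality to PAM_SUCCESS matters here.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_IGNORE = 0, 6, 25


def parse_pam_conf(text, facility):
    """Return [(control, module)] for the lines of a pam.d-style file that
    belong to one facility (auth/account/...).  Comments, blank lines and
    module arguments are dropped; the module path is reduced to its basename."""
    chain = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != facility:
            continue
        control, module = fields[1], fields[2]
        chain.append((control, module.rsplit("/", 1)[-1]))
    return chain


def run_chain(chain, results):
    """Evaluate one chain under OpenPAM's control-flag rules.

    results maps module name -> return code for this simulated run.
    Returns (final_code, list of modules actually consulted).
    """
    err = None          # first recorded failure from a required/binding module
    consulted = []
    for control, module in chain:
        rc = results[module]
        consulted.append(module)
        if rc == PAM_IGNORE:            # module asked to be skipped entirely
            continue
        if control in ("required", "binding"):
            if rc != PAM_SUCCESS:
                if err is None:
                    err = rc            # chain keeps running, but will fail
            elif control == "binding" and err is None:
                return PAM_SUCCESS, consulted
        elif control == "requisite":
            if rc != PAM_SUCCESS:
                return rc, consulted    # fail immediately
        elif control == "sufficient":
            if rc == PAM_SUCCESS and err is None:
                return PAM_SUCCESS, consulted
            # A failing sufficient module is ignored: this is the trap.
        elif control == "optional":
            if len(chain) == 1:         # only meaningful as the sole module
                return rc, consulted
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (PAM_SUCCESS if err is None else err), consulted


# Account stack as shown in the report (constructed copy of the PR's lines).
REPORTED = """
account sufficient /usr/local/lib/pam_ldap.so debug
account required pam_login_access.so
account required pam_unix.so debug
"""

# Same stack with pam_ldap made mandatory so its verdict cannot be discarded.
HARDENED = """
account required /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_unix.so
"""


def account_outcome(conf, ldap_rc):
    """Outcome of the account phase when pam_ldap returns ldap_rc and the user
    is visible via nss_ldap, so pam_login_access and pam_unix both succeed."""
    chain = parse_pam_conf(conf, "account")
    results = {
        "pam_ldap.so": ldap_rc,
        "pam_login_access.so": PAM_SUCCESS,  # assumed: no login.access restriction
        "pam_unix.so": PAM_SUCCESS,          # assumed: account exists, not expired
    }
    return run_chain(chain, results)


if __name__ == "__main__":
    for name, conf in (("reported", REPORTED), ("hardened", HARDENED)):
        rc, seen = account_outcome(conf, PAM_PERM_DENIED)
        verdict = "ALLOWED" if rc == PAM_SUCCESS else "denied"
        print(f"{name}: pam_ldap denies -> {verdict} (consulted {', '.join(seen)})")
```

With the reported stack a pam_ldap denial is swallowed and all three modules report success; with `required` the same denial is recorded and the phase fails. Two caveats before applying that change: a `required` pam_ldap will also reject purely local accounts (root, emergency users) unless pam_ldap is told to return an ignorable result for users it does not know, which is what its `ignore_unknown_user` argument is for; and the auth stack in the report has the same shape (`sufficient pam_ldap.so` followed by `required pam_unix.so`), so an LDAP user whose password hash pam_unix can verify through nss_ldap's shadow map is authenticated by pam_unix without pam_ldap's checks ever mattering, which matches the Solaris explanation the submitter cites.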