bin/116150: PAM module pam_unix.so seems to block account-checks for pam_ldap.so

Daniel Bond db at nsn.no
Thu Sep 6 04:50:02 PDT 2007


>Number:         116150
>Category:       bin
>Synopsis:       PAM module pam_unix.so seems to block account-checks for pam_ldap.so
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 06 11:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Bond
>Release:        FreeBSD 6.2-RELEASE-p4 amd64
>Organization:
Network Solutions Norway ASA
>Environment:
System: FreeBSD speedy.nsn.no 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 15:04:52 UTC 2007 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/SMP amd64

The packages I have installed are:

nss_ldap-1.256      RFC 2307 NSS module
openldap-client-2.3.38 Open source LDAP client implementation
pam_ldap-1.8.2      A pam module for authenticating with LDAP

relevant lines from /etc/pam.d/sshd look like this:

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      /usr/local/lib/pam_ldap.so  no_warn try_first_pass debug
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        pam_unix.so             no_warn try_first_pass debug

# account
account         sufficient /usr/local/lib/pam_ldap.so debug
account         required        pam_login_access.so
account         required        pam_unix.so debug


relevant lines from ldap.conf:

pam_filter     objectclass=posixAccount
#pam_check_host_attr yes
pam_groupdn    cn=flexiweb,ou=ssh-access,ou=groups,dc=example,dc=com

pam_member_attribute member
nss_base_passwd ou=company,ou=people,dc=example,dc=com
nss_base_shadow ou=company,ou=people,dc=example,dc=com
nss_base_group  ou=posixgroups,ou=groups,dc=example,dc=com

>Description:

When setting up ldap authentication with services like ssh, it is common to have all users in a "users" OrganizationalUnit, but one usually doesn't want to allow all these people to gain access to every server configured with ldap-authentication.

I can login to this machine, but pam_ldap completely ignores "pam_groupdn" and "pam_check_host_attr yes". This means that all my ldap users have access to the FreeBSD's, while in Linux the users are restricted to "pam_groupdn".

I'm running the same version of pam_ldap on FreeBSD and Linux clients, and pam_groupdn is documented in pam_ldap(5) under FreeBSD, which makes me believe that this is a problem regarding FreeBSD PAM, and not a PADL pam_ldap issue.

I've been googling this issue for some hours, and I've seen quite a few posts about the same issue on the mailing lists, dating back to 2003-2004, but no answers, or description about what is causing this.

The closest I've found is on a few solaris-lists, where the problem is traced back to pam_unix.so, because pam_unix.so is returning a positive status before the account-checks in the mod_ldap.so module is run.

Could something similar be the problem with FreeBSD?
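The report's account chain lists pam_ldap.so as "sufficient" ahead of pam_unix.so as "required". Under the simple PAM control flags documented in pam.conf(5), a failure from a "sufficient" module is ignored and the chain continues, so a pam_groupdn denial from pam_ldap cannot on its own stop the stack if the later "required" modules succeed. The following is an added illustration, not code from the PR or from the pam_ldap project: a small Python model of how a chain combines module results under the required/requisite/sufficient/optional flags, run over the report's account chain with a constructed pam_ldap failure. Module return values are assumptions for the purpose of the example.

```python
# Added example (not part of the PR): a simplified model of how a PAM
# chain combines its modules' results under the simple control flags
# (required, requisite, sufficient, optional) described in pam.conf(5).
# Module names match the report; the results they return are constructed.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


def run_chain(chain):
    """chain: list of (control_flag, module_name, result) for one facility,
    e.g. 'account'. Returns (final_result, modules_consulted_in_order)."""
    consulted = []
    required_failure = None  # first error from a 'required' module, if any
    for flag, module, result in chain:
        consulted.append(module)
        if flag == "required":
            # Failure is remembered and becomes the final result, but the
            # remaining modules are still run.
            if result != PAM_SUCCESS and required_failure is None:
                required_failure = result
        elif flag == "requisite":
            # Failure terminates the chain immediately.
            if result != PAM_SUCCESS:
                return result, consulted
        elif flag == "sufficient":
            # Success ends the chain with success, unless a 'required'
            # module has already failed. Failure is simply ignored.
            if result == PAM_SUCCESS and required_failure is None:
                return PAM_SUCCESS, consulted
        elif flag == "optional":
            # Modelled as never affecting the outcome.
            pass
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return (required_failure, consulted) if required_failure else (PAM_SUCCESS, consulted)


# The 'account' chain from the report's /etc/pam.d/sshd, with pam_ldap
# denying the user (constructed: e.g. a failed pam_groupdn check) while the
# local modules succeed.
REPORT_ACCOUNT_CHAIN = [
    ("sufficient", "pam_ldap.so", PAM_AUTH_ERR),
    ("required", "pam_login_access.so", PAM_SUCCESS),
    ("required", "pam_unix.so", PAM_SUCCESS),
]

# The same chain with pam_ldap promoted to 'required' (hypothetical change),
# so that its denial becomes the final result of the chain.
STRICT_ACCOUNT_CHAIN = [
    ("required", "pam_ldap.so", PAM_AUTH_ERR),
    ("required", "pam_login_access.so", PAM_SUCCESS),
    ("required", "pam_unix.so", PAM_SUCCESS),
]


def report_chain_result():
    """Outcome of the chain as configured in the report."""
    return run_chain(REPORT_ACCOUNT_CHAIN)[0]


def strict_chain_result():
    """Outcome with pam_ldap marked 'required' instead of 'sufficient'."""
    return run_chain(STRICT_ACCOUNT_CHAIN)[0]


if __name__ == "__main__":
    for label, chain in (("as reported", REPORT_ACCOUNT_CHAIN),
                         ("pam_ldap required", STRICT_ACCOUNT_CHAIN)):
        result, consulted = run_chain(chain)
        print(f"{label}: {result} after consulting {', '.join(consulted)}")
```

With the flags as written in the report, the model returns PAM_SUCCESS even though pam_ldap denied the account, because the denial is discarded and pam_unix.so decides; with pam_ldap as "required" the denial stands. Whether that change is acceptable in practice depends on how pam_ldap answers for accounts that exist only locally (such as root), which this model does not capture, so the control-flag interaction is one thing to check when pam_groupdn or pam_check_host_attr appear to be ignored, not a confirmed diagnosis of this PR.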

I don't seem to be getting any debug-output from PAM either, even though this should be syslog'ed to /var/log/debug.log. Sorry for the little information/no patch to fix this, but I've hit the wall trying to debug this, and there seem to be no answers to be found on the mailing lists.

Also, the issue with using /usr/bin/passwd for changing ldap-account-passwords seems to have been solved about this time in 2004, any chance we will be seeing this upstream soon?

>How-To-Repeat:

Setup FreeBSD 6.2 & PAM with nss_ldap/pam_ldap, and configure pam_groupdn or pam_check_host_attr. These settings will be ignored.

>Fix:

No known fix for this issue.

>Release-Note:
>Audit-Trail:
>Unformatted: