Date:      Thu, 15 Jul 1999 20:03:36 -0600
From:      Oscar Bonilla <obonilla@fisicc-ufm.edu>
To:        freebsd-hackers@freebsd.org
Subject:   PAM & LDAP in FreeBSD
Message-ID:  <19990715200336.A15050@fisicc-ufm.edu>

While trying to use the pam_ldap module available from www.padl.com
I discovered the following problem.

Although the module authenticates just fine (using OpenLDAP),
the login program fails to permit logins. I traced the problem to
login.c --- the following code is from login.c.

My questions are at the bottom.

****************************************************************************


		pwd = getpwnam(username);

--------- at this point pwd == NULL due to the fact that the user
--------- does not exist on the local passwd database... see below

		/*
		 * if we have a valid account name, and it doesn't have a
		 * password, or the -f option was specified and the caller
		 * is root or the caller isn't changing their uid, don't
		 * authenticate.
		 */
		if (pwd != NULL) {
			if (pwd->pw_uid == 0)
				rootlogin = 1;

			if (fflag && (uid == (uid_t)0 ||
				      uid == (uid_t)pwd->pw_uid)) {
				/* already authenticated */
				break;
			} else if (pwd->pw_passwd[0] == '\0') {
				if (!rootlogin || rootok) {
					/* pretend password okay */
					rval = 0;
					goto ttycheck;
				}
			}
		}

		fflag = 0;

		(void)setpriority(PRIO_PROCESS, 0, -4);

#ifndef NO_PAM
		/*
		 * Try to authenticate using PAM.  If a PAM system error
		 * occurs, perhaps because of a botched configuration,
		 * then fall back to using traditional Unix authentication.
		 */
		if ((rval = auth_pam()) == -1)

------------- This returns PAM_SUCCESS since the pam_ldap module has
------------- successfully identified and authenticated the user.

#endif /* NO_PAM */
			rval = auth_traditional();

		(void)setpriority(PRIO_PROCESS, 0, 0);

#ifndef NO_PAM
		/*
		 * PAM authentication may have changed "pwd" to the
		 * entry for the template user.  Check again to see if
		 * this is a root login after all.
		 */
		if (pwd != NULL && pwd->pw_uid == 0)
			rootlogin = 1;
#endif /* NO_PAM */

	ttycheck:
		/*
		 * If trying to log in as root without Kerberos,
		 * but with insecure terminal, refuse the login attempt.
		 */

------------- This next if is the problem: pwd == NULL from above, 
------------- and the user doesn't get in.

		if (pwd && !rval) {
			if (rootlogin && !rootok)
				refused(NULL, "NOROOT", 0);
			else	/* valid password & authenticated */
				break;
		}

		(void)printf("Login incorrect\n");
		failures++;

****************************************************************************

1. What would be the right way to fix this?

2. After the user successfully logs in he still won't have an entry
   in the /etc/passwd database, so all syscalls having to do with
   identifying the user will fail... how can I have these functions get
   their info from LDAP?

I'm willing to patch and submit these programs, but would like some
feedback about the right way to integrate this.

I checked with a friend who uses Linux, and it appears Linux doesn't have
this problem since they use /etc/nsswitch.conf to tell the system
where to get info from. The nsswitch (resolver?) thing seems to
understand LDAP.

Thanks folks,

-Oscar

-- 
For PGP Public Key: finger obonilla@fisicc-ufm.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990715200336.A15050>
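The two questions in the message above turn on the same point: login.c requires that the account name resolve to a passwd entry (pwd != NULL) even after PAM has said yes, and getpwnam() only knows the sources the C library is wired to consult. The following is an added illustration, not FreeBSD's login.c or libc and not code from the poster: a toy nsswitch-style lookup in C that walks the sources named on a "passwd:" line in order, with a "files" source that parses an embedded /etc/passwd-format string and an "ldap" source that is a constructed in-memory table standing in for a directory query. The admit_login() function mirrors the final check in login.c (PAM success plus a resolvable account plus the root/rootok rule), so you can see the same user refused with "passwd: files" and admitted with "passwd: files ldap". All user names, uids and the sample data are assumptions.

```c
/* Added example (not FreeBSD code): nsswitch-style passwd lookup
 * feeding the login.c-style admission check. Sample data is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct pwent { char name[32]; unsigned uid; unsigned gid; char shell[32]; };

/* "files" source: an embedded passwd(5)-format database (constructed). */
static const char *FILES_DB =
    "root:*:0:0:Charlie &:/root:/bin/csh\n"
    "alice:*:1001:1001:Alice:/home/alice:/bin/sh\n";

/* "ldap" source: an in-memory table standing in for a directory query
 * (constructed; a real module would talk to the LDAP server here). */
static const struct pwent LDAP_DB[] = {
    { "obonilla", 5000, 5000, "/bin/sh" },
    { "bob",      5001, 5001, "/bin/tcsh" },
};

/* Parse one passwd(5) line (name:pw:uid:gid:gecos:home:shell) into *out.
 * Returns 1 on success, 0 if the line has too few fields. Empty fields are
 * kept, which strtok() would silently drop. */
static int parse_passwd_line(const char *line, struct pwent *out) {
    char buf[256], *f[7], *p = buf;
    strncpy(buf, line, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (int i = 0; i < 7; i++) {
        f[i] = p;
        char *c = strchr(p, ':');
        if (c) { *c = '\0'; p = c + 1; }
        else if (i < 6) return 0;          /* missing fields */
    }
    snprintf(out->name, sizeof out->name, "%s", f[0]);
    out->uid = (unsigned)strtoul(f[2], NULL, 10);
    out->gid = (unsigned)strtoul(f[3], NULL, 10);
    snprintf(out->shell, sizeof out->shell, "%s", f[6]);
    return 1;
}

static int lookup_files(const char *name, struct pwent *out) {
    const char *p = FILES_DB;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        struct pwent e;
        if (parse_passwd_line(line, &e) && strcmp(e.name, name) == 0) { *out = e; return 1; }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

static int lookup_ldap(const char *name, struct pwent *out) {
    for (size_t i = 0; i < sizeof LDAP_DB / sizeof LDAP_DB[0]; i++)
        if (strcmp(LDAP_DB[i].name, name) == 0) { *out = LDAP_DB[i]; return 1; }
    return 0;
}

/* Consult the sources named on an nsswitch.conf "passwd:" line, in order,
 * e.g. "passwd: files ldap". The first source that knows the user wins;
 * an unknown source name is a configuration error and is skipped. */
static int nss_getpwnam(const char *nsswitch_line, const char *name, struct pwent *out) {
    char buf[128];
    strncpy(buf, nsswitch_line, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    char *p = strchr(buf, ':');
    if (!p) return 0;
    for (char *tok = strtok(p + 1, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (strcmp(tok, "files") == 0)      { if (lookup_files(name, out)) return 1; }
        else if (strcmp(tok, "ldap") == 0)  { if (lookup_ldap(name, out)) return 1; }
        else fprintf(stderr, "nsswitch: unknown source '%s'\n", tok);
    }
    return 0;
}

/* Convenience for checking which source answered: uid or -1 if unknown. */
static long nss_uid(const char *nsswitch_line, const char *name) {
    struct pwent pw;
    return nss_getpwnam(nsswitch_line, name, &pw) ? (long)pw.uid : -1L;
}

/* Mirror of the check at login.c's ttycheck label: PAM success (pam_ok) is
 * not enough, the name must also resolve to a passwd entry, and a uid-0
 * entry is refused unless rootok. Returns 1 to admit, 0 to refuse. */
static int admit_login(const char *nsswitch_line, const char *user, int pam_ok, int rootok) {
    struct pwent pw;
    if (!pam_ok) return 0;
    if (!nss_getpwnam(nsswitch_line, user, &pw)) return 0;   /* pwd == NULL case */
    if (pw.uid == 0 && !rootok) return 0;                    /* "NOROOT" */
    return 1;
}

int main(void) {
    const char *cases[] = { "passwd: files", "passwd: files ldap" };
    for (int i = 0; i < 2; i++)
        printf("%-20s obonilla -> %s\n", cases[i],
               admit_login(cases[i], "obonilla", 1, 0) ? "admit" : "refuse");
    printf("%-20s root (insecure tty) -> %s\n", cases[1],
           admit_login(cases[1], "root", 1, 0) ? "admit" : "refuse");
    return 0;
}
```

With "passwd: files" the LDAP-only user is refused exactly as in the message, because no source in the chain knows the name; with "passwd: files ldap" the same PAM result leads to an admitted login, and the root rule still applies to whichever source answered.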