From: Adam Pordzik
To: Konstantin Saurbier
Cc: ports@freebsd.org
Date: Sun, 28 Aug 2005 00:22:03 +0200
Subject: Re: security/pam_ldap - update to version 1.8.0
Message-ID: <4310E78B.8000209@gmx.de>
In-Reply-To: <20050826121256.GB19571@math.uni-bielefeld.de>
List-Id: Porting software to FreeBSD (freebsd-ports)

Konstantin Saurbier wrote:
> Hi,
>
> I wrote a patch for security/pam_ldap to fix this security issue:
>
> http://www.kb.cert.org/vuls/id/778916
>
> Please test this patch and comment on any problems or bugs. For me it worked
> well, but my access to different releases and architectures is limited to
> 5.4-RELEASE and 6.0-BETA3 on i386.

This bug only affects entries of the "passwordPolicy" class, so it's not very wicked.
> ================================================================================
> Copy %%PREFIX%%/etc/ldap.conf.dist to %%PREFIX%%/etc/ldap.conf, then edit
> -%%PREFIX%%/etc/ldap.conf in order to use this module. Add a line similar to
> -the following to /etc/pam.conf on 4.X, or create an /etc/pam.d/ldap
> -on 5.X with a line similar to the following:

Good idea to correct this!

> +account sufficient pam_ldap.so

Since pam_unix.so grants access to everybody in the account stage, pam_ldap should be made "required" here if you want PAM to do more than just _say_ "Access denied for this host". Hence a line

account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail

works as expected. "ignore_authinfo_unavail" is needed so as not to lock out local/other users when the LDAP server cannot be connected to.

A
--
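The control-flag behaviour the reply relies on, as an added illustration that is not part of the thread, OpenPAM or pam_ldap: a small model of how OpenPAM walks an `account` stack, with constructed stand-ins for pam_ldap (returning PAM_IGNORE under the two ignore_* options, a PAM_PERM_DENIED placeholder for a passwordPolicy denial) and for pam_unix (always succeeding, as the reply states). It shows why `sufficient` lets pam_unix override a pam_ldap denial and why `required` without `ignore_authinfo_unavail` locks everyone out when the server is down.

```python
"""Constructed model of OpenPAM's account-stack dispatch; not OpenPAM source."""

PAM_SUCCESS, PAM_IGNORE = "PAM_SUCCESS", "PAM_IGNORE"
PAM_AUTHINFO_UNAVAIL, PAM_USER_UNKNOWN = "PAM_AUTHINFO_UNAVAIL", "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"  # stand-in for a passwordPolicy denial

def pam_ldap(user, directory, options):
    """Stand-in for pam_ldap: `directory` maps user -> state, None = server down."""
    if directory is None:
        return PAM_IGNORE if "ignore_authinfo_unavail" in options else PAM_AUTHINFO_UNAVAIL
    if user not in directory:
        return PAM_IGNORE if "ignore_unknown_user" in options else PAM_USER_UNKNOWN
    return PAM_PERM_DENIED if directory[user] == "locked" else PAM_SUCCESS

def pam_unix(user, directory, options):
    """Stand-in for pam_unix: grants access in the account stage, as the reply says."""
    return PAM_SUCCESS

def dispatch(chain, user, directory):
    """Walk (control_flag, module, options) entries using OpenPAM's rules."""
    err, fail = None, False
    for flag, module, options in chain:
        r = module(user, directory, options)
        if r == PAM_IGNORE:
            continue
        if r == PAM_SUCCESS:
            if flag == "sufficient" and not fail:
                break                     # a sufficient success ends the stack
            continue
        if err is None:
            err = r                       # remember the first failure ...
        if flag == "required" and not fail:
            fail, err = True, r           # ... but only a required failure is fatal
    return err if fail else PAM_SUCCESS   # a recorded sufficient failure is dropped

# The pkg-message line as proposed, the reply's suggestion, and the suggestion
# without the two ignore_* options.
PROPOSED = [("sufficient", pam_ldap, ()), ("required", pam_unix, ())]
SUGGESTED = [("required", pam_ldap, ("ignore_unknown_user", "ignore_authinfo_unavail")),
             ("required", pam_unix, ())]
STRICT = [("required", pam_ldap, ()), ("required", pam_unix, ())]

if __name__ == "__main__":
    locked = {"alice": "locked"}                                          # constructed
    print("proposed, locked LDAP user :", dispatch(PROPOSED, "alice", locked))   # PAM_SUCCESS
    print("suggested, locked LDAP user:", dispatch(SUGGESTED, "alice", locked))  # PAM_PERM_DENIED
    print("suggested, LDAP down       :", dispatch(SUGGESTED, "bob", None))      # PAM_SUCCESS
    print("strict, LDAP down          :", dispatch(STRICT, "bob", None))         # PAM_AUTHINFO_UNAVAIL
```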