Date: Thu, 6 Sep 2007 13:11:53 +0200 (CEST)
From: "Daniel Bond" <db@nsn.no>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Daniel Bond <db@nsn.no>
Subject: bin/116150: PAM module pam_unix.so seems to block account-checks for pam_ldap.so
Message-ID: <200709061111.l86BBrte064784@speedy.nsn.no>
Resent-Message-ID: <200709061150.l86Bo2VC059178@freefall.freebsd.org>
>Number:         116150
>Category:       bin
>Synopsis:       PAM module pam_unix.so seems to block account-checks for pam_ldap.so
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 06 11:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Bond
>Release:        FreeBSD 6.2-RELEASE-p4 amd64
>Organization:
Network Solutions Norway ASA
>Environment:
System: FreeBSD speedy.nsn.no 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 15:04:52 UTC 2007 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/SMP amd64

The packages I have installed are:

nss_ldap-1.256          RFC 2307 NSS module
openldap-client-2.3.38  Open source LDAP client implementation
pam_ldap-1.8.2          A pam module for authenticating with LDAP

The relevant lines from /etc/pam.d/sshd look like this:

# auth
auth        required    pam_nologin.so                  no_warn
auth        sufficient  /usr/local/lib/pam_ldap.so      no_warn try_first_pass debug
auth        sufficient  pam_opie.so                     no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so               no_warn allow_local
auth        required    pam_unix.so                     no_warn try_first_pass debug

# account
account     sufficient  /usr/local/lib/pam_ldap.so      debug
account     required    pam_login_access.so
account     required    pam_unix.so                     debug

The relevant lines from ldap.conf:

pam_filter objectclass=posixAccount
#pam_check_host_attr yes
pam_groupdn cn=flexiweb,ou=ssh-access,ou=groups,dc=example,dc=com
pam_member_attribute member
nss_base_passwd ou=company,ou=people,dc=example,dc=com
nss_base_shadow ou=company,ou=people,dc=example,dc=com
nss_base_group ou=posixgroups,ou=groups,dc=example,dc=com

>Description:
When setting up LDAP authentication with services like ssh, it is common to have all users in a "users" OrganizationalUnit, but one usually doesn't want to allow all these people to gain access to every server configured with LDAP authentication.
I can log in to this machine, but pam_ldap completely ignores "pam_groupdn" and "pam_check_host_attr yes". This means that all my LDAP users have access to the FreeBSD machines, while on Linux the users are restricted to "pam_groupdn". I'm running the same version of pam_ldap on FreeBSD and Linux clients, and pam_groupdn is documented in pam_ldap(5) under FreeBSD, which makes me believe that this is a problem regarding FreeBSD PAM, and not a PADL pam_ldap issue.

I've been googling this issue for some hours, and I've seen quite a few posts about the same issue on the mailing lists, dating back to 2003-2004, but no answers, or description of what is causing this. The closest I've found is on a few Solaris lists, where the problem is traced back to pam_unix.so, because pam_unix.so is returning a positive status before the account-checks in the mod_ldap.so module are run. Could something similar be the problem with FreeBSD?

I don't seem to be getting any debug output from PAM either, even though this should be syslogged to /var/log/debug.log.

Sorry for the little information/no patch to fix this, but I've hit the wall trying to debug this, and it seems there are no answers to be found on the mailing lists.

Also, the issue with using /usr/bin/passwd for changing LDAP account passwords seems to have been solved about this time in 2004; any chance we will be seeing this upstream soon?

>How-To-Repeat:
Set up FreeBSD 6.2 & PAM with nss_ldap/pam_ldap, and configure pam_groupdn or pam_check_host_attr. These settings will be ignored.

>Fix:
No known fix for this issue.

>Release-Note:
>Audit-Trail:
>Unformatted:
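The mechanism the reporter suspects (pam_unix.so returning success before pam_ldap's account check can take effect) can be reproduced from the control-flag rules alone. The following is an added simulation, not FreeBSD or OpenPAM code: it applies the control-flag semantics documented in pam.conf(5) (required, requisite, sufficient, binding) to the account stack quoted above, with constructed module return codes, and compares it with the same stack after pam_ldap is made `required`.

```python
# Constructed simulation of how OpenPAM combines per-module results under the
# control flags from pam.conf(5). Not FreeBSD/OpenPAM source code.
SUCCESS, PERM_DENIED = "PAM_SUCCESS", "PAM_PERM_DENIED"

def dispatch(chain, results):
    """chain: list of (control_flag, module); results: module -> return code.
    Returns the overall result of the chain, mimicking the dispatch rules:
    requisite failure stops immediately; required/binding failure is recorded
    but the chain keeps running; sufficient/binding success returns at once if
    nothing failed earlier; sufficient failure is ignored entirely."""
    first_fail = None
    for flag, module in chain:
        r = results[module]
        if flag == "requisite" and r != SUCCESS:
            return r
        if flag in ("required", "binding") and r != SUCCESS and first_fail is None:
            first_fail = r
        if flag in ("sufficient", "binding") and r == SUCCESS and first_fail is None:
            return SUCCESS          # later modules in the chain never run
        # a failing sufficient module contributes nothing to the verdict
    return first_fail or SUCCESS

# Account stack from /etc/pam.d/sshd as quoted in the report.
REPORTED = [("sufficient", "pam_ldap"),
            ("required", "pam_login_access"),
            ("required", "pam_unix")]
# Same stack with pam_ldap made mandatory so its pam_groupdn verdict counts.
HARDENED = [("required", "pam_ldap"),
            ("required", "pam_login_access"),
            ("required", "pam_unix")]

def account_result(chain, ldap_group_member):
    # Constructed return codes: pam_unix succeeds because nss_ldap resolves the
    # user; pam_ldap denies users outside pam_groupdn.
    results = {"pam_ldap": SUCCESS if ldap_group_member else PERM_DENIED,
               "pam_login_access": SUCCESS,
               "pam_unix": SUCCESS}
    return dispatch(chain, results)

if __name__ == "__main__":
    for name, chain in (("reported", REPORTED), ("hardened", HARDENED)):
        for member in (True, False):
            print(f"{name:8} group member={member!s:5} -> {account_result(chain, member)}")
```

With the reported stack a non-member is still admitted because the `sufficient` pam_ldap denial is discarded and `required` pam_unix decides; with pam_ldap `required` the denial is carried through to the final result.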