Date: Thu, 18 Nov 2004 10:05:37 +0100
From: jesk <jesk@killall.org>
To: Doug White <dwhite@gumbysoft.com>, jesk <jesk@killall.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: Pam Authorization Problem
Message-ID: <BB0586A6DD82B937DC1DF167@jesk.int.de.clara.net>
In-Reply-To: <20041117184612.J29048@carver.gumbysoft.com>
References: <2627048885E8BF7F8DCDCFD2@jesk.int.de.clara.net> <200411102021.18553.pokui@psg.com> <001001c4c755$2eb4b980$45fea8c0@turbofresse> <20041117184612.J29048@carver.gumbysoft.com>
Hi, thanks for your reply!

My goal is to authenticate through LDAP and to do some specific authorization checks. For failover I have one account in /etc/passwd in case of a downtime of LDAP, so that it's still possible to log in through local authentication. Furthermore I have inside of ldap.conf the following:

---
# Group to enforce membership of
pam_groupdn cn=klever,ou=hosts,dc=xxx,dc=xxx,dc=xxx
# Group member attribute
pam_member_attribute uniqueMember
---

This should do authorization and should only allow login if the account that is logging in also exists in 'cn=klever,ou=hosts,dc=xxx,dc=xxx,dc=xxx' with its full DN inside the uniqueMember attribute. Authentication is already working with the AUTH directive inside of /etc/pam.d/sshd. So I want to allow any user to log in if in ACCOUNT the check with pam_ldap is true and the user also exists there, or if the user exists inside of /etc/passwd.

> First of all -- be clear on where the user record exists. Identify if
> 'klever' exists both in LDAP and locally, or in only one. You will drive
> yourself nuts if you don't keep this straight. I suggest creating local-
> and directory-only test users when hacking on PAM.

This is what I have done.

> Secondly, understand what checks happen where. With PADL pam_ldap the
> only way you can tell most of this is to read the code, sadly. In this
> case, the various access checks happen in pam_sm_acct_mgmt(), which
> corresponds to 'account' in pam.conf.

I don't have much C knowledge, so this will be very hard.

> Because you have specified that the failure of pam_ldap is not fatal to
> the account stack. The "sufficient" control means:
> If this module returns success, then stop stack processing and return
> success to the application. Otherwise continue processing.
>
> Since the access check constitutes a "failure" and "sufficient"
> effectively ignores failures, you've made the access checks useless.

:)

> You probably want to set it to "required", but there are a couple of
> options to mask certain failure modes you may need to set so that you get
> the proper fallback to local logins. Those options are
>
> ignore_unknown_user
> ignore_authinfo_unavail
>
> Add these to the end of the 'account ..pam_ldap' line.
>
> If you don't want to set the options you can move it below pam_unix, but
> the control must still be "required" for the appropriate action to be
> taken. Remember, you need to treat ldap failing as fatal to the stack if
> you want the access controls to have any effect.
>
> PAM is horrifically complicated. I just spent 2 months implementing it at
> my employer and getting the cases right is a bitch. In fact, it's still
> wrong there. :(

I have tried all combinations in the ACCOUNT section, but without the special attributes you have written about, 'ignore_unknown_user/ignore_authinfo_unavail'. I will test them; maybe they are the only missing and required things to get this working.
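The account stack that the reply describes, written out as an added illustration for this thread. It is a constructed example, not the poster's actual /etc/pam.d/sshd; the module path /usr/local/lib/pam_ldap.so and the surrounding pam_unix line are assumptions about a FreeBSD ports install of PADL pam_ldap, and the group DN is the placeholder from the ldap.conf shown above.

```conf
# /etc/pam.d/sshd, account section -- constructed example, not the poster's file.
#
# Weak form (what the thread started from): pam_ldap is "sufficient".
# When the pam_groupdn check in ldap.conf rejects a user who is not in
# cn=klever,ou=hosts,dc=xxx,dc=xxx,dc=xxx, the module returns a failure,
# "sufficient" discards that failure and the stack simply continues to
# pam_unix, so the LDAP authorization never denies anyone.
#account  sufficient  /usr/local/lib/pam_ldap.so
#account  required    pam_unix.so

# Corrected form (what the reply recommends): pam_ldap is "required", so a
# failed group check is fatal to the stack.  The two options mask only the
# failure modes that should fall back to the local /etc/passwd account:
#   ignore_unknown_user      - user is not in the directory at all
#   ignore_authinfo_unavail  - the directory could not be reached
account  required  /usr/local/lib/pam_ldap.so  ignore_unknown_user ignore_authinfo_unavail
account  required  pam_unix.so
```

With the corrected lines, a directory user outside the group is denied by pam_ldap, a user who exists only in /etc/passwd is skipped by pam_ldap (the option makes it return an ignorable result, per the pam_ldap documentation) and decided by pam_unix, and an LDAP outage leaves the local failover account usable. The thing to test, using the local-only and directory-only test users the reply suggests, is all three of those paths, since the weak form passes the first one silently.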