Date: Sun, 28 Aug 2005 00:22:03 +0200
From: Adam Pordzik <adampordzik@gmx.de>
To: Konstantin Saurbier <saurbier@math.uni-bielefeld.de>
Cc: ports@freebsd.org
Subject: Re: security/pam_ldap - update to version 1.8.0
Message-ID: <4310E78B.8000209@gmx.de>
In-Reply-To: <20050826121256.GB19571@math.uni-bielefeld.de>
References: <20050826121256.GB19571@math.uni-bielefeld.de>
Konstantin Saurbier wrote:
> Hi,
>
> I wrote a patch for security/pam_ldap to fix this security issue:
>
> http://www.kb.cert.org/vuls/id/778916
>
> Please test this patch and comment on any problems or bugs. For me it worked
> well, but my access to different releases and architectures is limited to
> 5.4-RELEASE and 6.0-BETA3 on i386.

This bug issues only entries of "passwordPolicy" Class, so it's not very
wicked.

> ================================================================================
>  Copy %%PREFIX%%/etc/ldap.conf.dist to %%PREFIX%%/etc/ldap.conf, then edit
> -%%PREFIX%%/etc/ldap.conf in order to use this module. Add a line similar to
> -the following to /etc/pam.conf on 4.X, or create an /etc/pam.d/ldap
> -on 5.X with a line similar to the following:

Good idea to correct this!

> +account sufficient pam_ldap.so

Since pam_unix.so grants access to everybody in account stage, pam_ldap
should be made "required" here, if you want PAM more than just _saying_
"Access denied for this host". Hence a line

account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail

works as expected. "ignore_authinfo_unavail" is needed not to lock out
local/other users when the ldap server cannot be connected.

A
--
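Review bot: the `+account sufficient pam_ldap.so` line in the pkg-message hunk recommends a control flag under which a pam_ldap denial is not enforced once pam_unix.so (which passes any user at the account stage, as noted in the reply) also sits in the stack, so the host-access restriction the message is meant to describe is not actually applied. Document `account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail` instead, and add one sentence to the pkg-message saying why the two ignore options are needed (users not in LDAP, and an unreachable LDAP server), since administrators tend to copy pkg-message lines verbatim.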
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4310E78B.8000209>
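The following is an added example, not part of the mailing-list thread and not code from the pam_ldap port. It models PAM account-stack evaluation with simplified OpenPAM-style control flags (required, requisite, sufficient, optional) to show why `sufficient` lets a pam_ldap denial be overridden by pam_unix.so, and how `required` together with `ignore_unknown_user` and `ignore_authinfo_unavail` keeps local users and an unreachable LDAP server from locking everyone out. The module ordering (pam_ldap before pam_unix), the directory contents and the users are constructed assumptions.

```python
"""Toy model of PAM account-stack evaluation (simplified OpenPAM semantics).

Constructed for illustration; it is not the PAM library and not pam_ldap.
"""
from enum import Enum, auto


class Ret(Enum):
    SUCCESS = auto()
    PERM_DENIED = auto()       # module says: deny this user on this host
    USER_UNKNOWN = auto()      # module knows nothing about the user
    AUTHINFO_UNAVAIL = auto()  # backend (the LDAP server) unreachable
    IGNORE = auto()            # treat as if the module were not listed


def evaluate_stack(stack, user):
    """Evaluate a list of (control, module_fn, options) entries for `user`.

    Simplified control-flag semantics:
      required   - failure is recorded, later modules still run
      requisite  - failure returns immediately
      sufficient - success with no earlier required failure returns SUCCESS
                   immediately; a failure is simply ignored
      optional   - result never affects the outcome
    """
    first_failure = None
    for control, module, options in stack:
        result = module(user, options)
        if result is Ret.IGNORE:
            continue
        if control == "required":
            if result is not Ret.SUCCESS and first_failure is None:
                first_failure = result
        elif control == "requisite":
            if result is not Ret.SUCCESS:
                return result
        elif control == "sufficient":
            if result is Ret.SUCCESS and first_failure is None:
                return Ret.SUCCESS
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return first_failure or Ret.SUCCESS


# Constructed directory state (assumption): user -> host access permitted?
LDAP_USERS = {"alice": True, "bob": False}


def pam_unix_account(user, options):
    """pam_unix.so passes the account stage for any user (as the thread notes)."""
    return Ret.SUCCESS


def make_pam_ldap_account(server_up):
    """Build a pam_ldap-like account module bound to a constructed server state."""
    def pam_ldap_account(user, options):
        if not server_up:
            if "ignore_authinfo_unavail" in options:
                return Ret.IGNORE
            return Ret.AUTHINFO_UNAVAIL
        if user not in LDAP_USERS:
            if "ignore_unknown_user" in options:
                return Ret.IGNORE
            return Ret.USER_UNKNOWN
        return Ret.SUCCESS if LDAP_USERS[user] else Ret.PERM_DENIED
    return pam_ldap_account


def pkg_message_stack(server_up=True):
    """The stack the quoted pkg-message suggests: pam_ldap as 'sufficient'."""
    return [("sufficient", make_pam_ldap_account(server_up), ()),
            ("required", pam_unix_account, ())]


def hardened_stack(server_up=True):
    """The line proposed in the reply: 'required' plus both ignore options."""
    opts = ("ignore_unknown_user", "ignore_authinfo_unavail")
    return [("required", make_pam_ldap_account(server_up), opts),
            ("required", pam_unix_account, ())]


def strict_stack(server_up=True):
    """'required' without ignore_authinfo_unavail: locks everyone out on outage."""
    return [("required", make_pam_ldap_account(server_up), ("ignore_unknown_user",)),
            ("required", pam_unix_account, ())]


if __name__ == "__main__":
    for name, stack in (("pkg-message", pkg_message_stack()),
                        ("hardened", hardened_stack())):
        for user in ("alice", "bob", "root"):
            print(f"{name:12s} {user:6s} -> {evaluate_stack(stack, user).name}")
    print("strict, LDAP down, alice ->",
          evaluate_stack(strict_stack(server_up=False), "alice").name)
```

With the pkg-message stack, `bob` (denied by the directory) still gets in because the `sufficient` failure is dropped and pam_unix.so succeeds; with the hardened stack his denial is enforced, `alice` is admitted, the local `root` account (not in LDAP) is passed through via `ignore_unknown_user`, and an LDAP outage no longer fails the account stage thanks to `ignore_authinfo_unavail`.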