[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: LDAP breaks kcheckpass when not setuid root (#298148)

[Christoph Haas]
> I'm unhappy with the outcome of the bug #298148 (kdebase-bin: kcheckpass
> needs setuid bit for ldap authentication). When using libnss-ldap and
> libpam-ldap (optionally) people who lock their screen in KDE will not be
> able to unlock the screen and may (like me) lose data because they
> finally give up and Ctrl+Alt+Backspace. :( It turned out that unlocking
> the screen currently only works if the /usr/bin/kcheckpass binary is
> made setuid root.

This sounds like you have set up LDAP authentication incorrectly, as I
am able to lock the screen with LDAP authentication.  Correctly set
up, pam-ldap should do authentication by binding to the LDAP server
over SSL, and this do not require any special privileges.

This is the configuration I use:

  # egrep -v '^#|^$' /etc/pam.d/common-auth /etc/pam_ldap.conf  /etc/nsswitch.conf
  /etc/pam.d/common-auth:auth     optional        pam_group.so
  /etc/pam.d/common-auth:auth     sufficient      pam_unix.so shadow nullok_secure
  /etc/pam.d/common-auth:auth     required        pam_ldap.so use_first_pass
  /etc/pam_ldap.conf:host ldap.uio.no
  /etc/pam_ldap.conf:base cn=users,cn=system,dc=uio,dc=no
  /etc/pam_ldap.conf:ldap_version 3
  /etc/pam_ldap.conf:pam_password crypt
  /etc/pam_ldap.conf:ssl start_tls
  /etc/pam_ldap.conf:tls_cacertfile /etc/w3_cacert.pem
  /etc/pam_ldap.conf:tls_checkpeer yes

The LDAP server is set up to only allow binding using passwords over
128-bit encrytped SSL, to make sure the password isn't send in clear

This system is compatible with the one we use in Debian Edu.

Petter Reinholdtsen

Reply to: