Re: LDAP breaks kcheckpass when not setuid root (#298148)
[Christoph Haas]
> I'm unhappy with the outcome of the bug #298148 (kdebase-bin: kcheckpass
> needs setuid bit for ldap authentication). When using libnss-ldap and
> libpam-ldap (optionally) people who lock their screen in KDE will not be
> able to unlock the screen and may (like me) lose data because they
> finally give up and Ctrl+Alt+Backspace. :( It turned out that unlocking
> the screen currently only works if the /usr/bin/kcheckpass binary is
> made setuid root.
This sounds like you have set up LDAP authentication incorrectly, as I
am able to lock the screen with LDAP authentication. Correctly set
up, pam-ldap should do authentication by binding to the LDAP server
over SSL, and this does not require any special privileges.
This is the configuration I use:
# egrep -v '^#|^$' /etc/pam.d/common-auth /etc/pam_ldap.conf /etc/nsswitch.conf
/etc/pam.d/common-auth:auth optional pam_group.so
/etc/pam.d/common-auth:auth sufficient pam_unix.so shadow nullok_secure
/etc/pam.d/common-auth:auth required pam_ldap.so use_first_pass
/etc/pam_ldap.conf:host ldap.uio.no
/etc/pam_ldap.conf:base cn=users,cn=system,dc=uio,dc=no
/etc/pam_ldap.conf:ldap_version 3
/etc/pam_ldap.conf:pam_password crypt
/etc/pam_ldap.conf:ssl start_tls
/etc/pam_ldap.conf:tls_cacertfile /etc/w3_cacert.pem
/etc/pam_ldap.conf:tls_checkpeer yes
#
The LDAP server is set up to only allow binding using passwords over
128-bit encrypted SSL, to make sure the password isn't sent in clear
text.
This system is compatible with the one we use in Debian Edu.
Friendly,
--
Petter Reinholdtsen
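Added example, not part of the mail above: a POSIX shell audit that checks a pam_ldap.conf for the settings Petter's configuration relies on (a TLS-protected bind with the server certificate verified) and reports a setuid bit on a binary such as kcheckpass. The function names and the sample configs are my own constructions; it runs over those samples rather than the live /etc files.

```shell
#!/bin/sh
# Added example (not from the original mail): audit a pam_ldap.conf for the
# settings the reply relies on (TLS bind, verified server certificate) and
# report a setuid bit on kcheckpass. Function names and samples are my own.

# Print the value of a key; comment and blank lines are ignored.
pam_ldap_get() {
    awk -v key="$2" '$0 !~ /^[[:space:]]*#/ && $1 == key {
        $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$1"
}

# Return 0 when the config enforces an encrypted, verified bind, else 1.
audit_pam_ldap() {
    conf="$1"; rc=0
    case "$(pam_ldap_get "$conf" ssl)" in
        start_tls|on) ;;
        *) echo "FAIL: no ssl/start_tls; the password would cross the wire in clear text"; rc=1 ;;
    esac
    [ "$(pam_ldap_get "$conf" tls_checkpeer)" = "yes" ] ||
        { echo "FAIL: tls_checkpeer is not 'yes'; server certificate is not verified"; rc=1; }
    [ -n "$(pam_ldap_get "$conf" tls_cacertfile)" ] ||
        { echo "FAIL: tls_cacertfile unset; no trust anchor for peer verification"; rc=1; }
    [ "$(pam_ldap_get "$conf" ldap_version)" = "3" ] ||
        echo "WARN: ldap_version is not 3; start_tls needs LDAPv3"
    return $rc
}

# Return 0 when the binary is not setuid, as the reply expects for kcheckpass.
check_not_setuid() {
    [ -u "$1" ] && { echo "FAIL: $1 carries the setuid bit"; return 1; }
    return 0
}

# Constructed samples: one mirroring the reply's settings, one weak.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'host ldap.example.org' 'base dc=example,dc=org' \
        'ldap_version 3' 'pam_password crypt' 'ssl start_tls' \
        'tls_cacertfile /etc/ssl/certs/ca.pem' 'tls_checkpeer yes' > "$dir/good.conf"
    printf '%s\n' '# no ssl line: plain-text bind' 'host ldap.example.org' \
        'base dc=example,dc=org' 'ldap_version 3' 'tls_checkpeer no' > "$dir/weak.conf"
    echo "$dir"
}

# Stand-alone run over both samples.
d=$(write_samples)
audit_pam_ldap "$d/good.conf" && echo "good.conf: OK"
audit_pam_ldap "$d/weak.conf" || echo "weak.conf: rejected"
check_not_setuid "$d/good.conf" && echo "no setuid bit"
```

Point `audit_pam_ldap` at the real /etc/pam_ldap.conf and `check_not_setuid` at /usr/bin/kcheckpass to run the same checks on an installed system.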