[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]

On Fri, May 04, 2007 at 05:33:45PM -0400, Roberto C. Sánchez wrote:
> > If you use libnss-ldap+pam_unix for authentication, authentication involves
> > the system querying the password hash from LDAP across the network, and
> > using pam_unix to attempt to authenticate against it.  If normal users do
> > not have access to query the password hash from LDAP (a correct
> > configuration), pam_unix should fall back to using /sbin/unix_chkpwd, a
> > setuid binary that's only allowed to query the password for the current
> > user.  You can test whether /sbin/unix_chkpwd works on your system with:

> > $ cat | /sbin/unix_chkpwd `id -u -n` nullok ; echo $?
> > <your password here>^D^M

> > as a non-root user and checking whether the exit value is 0.  If it doesn't
> > work, you still have a PAM misconfiguration.  (If it does work, something's
> > really broken, but maybe not the configuration...)

> This may be starting to drift OT, but here goes.  In my case, I am using
> libnss-ldap and libpam-ldap.  I have both pam_unix.so and pam_ldap.so
> listed in common-{account,auth,password}.  My LDAP configuration is such
> that regular users cannot see passwords, except for their own passwords
> once they have authenticated:

> access to attrs=userPassword
>         by dn="cn=admin,dc=foo,dc=bar" write
>         by anonymous auth
>         by self write
>         by * none

> Now, if the incantation above gives a zero, then is that good or bad?  I
> am guessing that it is OK, since I also have pam_ldap.so in my
> configuration, but I am not sure.

It means that pam_unix is able to access your shadow hash on behalf of the
user, when using root privileges (which is expected and required in the case
where you want to support password changes via pam_ldap); and that if
pam_unix is listed first in common-auth before pam_ldap, that this is what
is going to be done for all logins.

"good or bad" depends on your goals for the configuration.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Reply to: