On Thu, 2011-12-22 at 17:01 +0100, Yann Autissier wrote:
> I am using the libnss-ldap and libpam-ldap packages with default
> configuration.
>
> NSS is configured to allow passwd and group resolution over ldap.
>
> user@host:~$ cat /etc/nsswitch.conf
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
>
> If a user account exists in local /etc/passwd and in the ldap
> database, the user can authenticate with both passwords, but is always
> logged in as the local user.

Most *nix systems don't properly handle the cases where either the
username or the numeric userid is not unique (e.g. nscd is known to get
confused). So having the "same" user in LDAP and in flat files is a
configuration problem.

> I can create a ldap account named 'root', with a weak password and uid
> 12345, then su - on the system and log in as root with the weak
> password, and get uid 0.

You could have a look at libnss-ldapd and libpam-ldapd (note the extra d
at the end). The PAM module has a minimum_uid option (defaults to 1000)
which avoids this problem. The 0.8 version of libnss-ldapd also provides
some filtering with the nss_min_uid option (not enabled by default).
This most likely protects against the case you described.

Note however that you have to put some trust in the LDAP server to
provide correct information.

-- 
arthur - adejong@debian.org - http://people.debian.org/~adejong
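The following is an added simulation, not code from the thread or from the nss-pam-ldapd project. It models the two pieces involved: NSS name resolution with `passwd: compat ldap` (local files consulted before LDAP, so a name present in both yields the local uid), and a PAM LDAP step that, like the `minimum_uid` option described above, refuses to try LDAP authentication for any account whose resolved uid is below the threshold. The passwd lines and LDAP entries are constructed sample data; `audit_collisions` is a hypothetical helper showing the check an administrator would want to run for the name collision the thread calls a configuration problem.

```python
import hmac

# Constructed sample data: a local root (uid 0) and an LDAP entry that also
# calls itself "root" but carries uid 12345 and a weak password.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

LDAP_ENTRIES = [
    {"uid": "root", "uidNumber": 12345, "userPassword": "weak"},
    {"uid": "bob", "uidNumber": 1001, "userPassword": "bobpass"},
]


def parse_passwd(text):
    """Map user name -> uid from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, _shell = line.split(":")
        users[name] = int(uid)
    return users


def ldap_lookup(name):
    """Return the LDAP entry for a name, or None (simulated directory search)."""
    for entry in LDAP_ENTRIES:
        if entry["uid"] == name:
            return entry
    return None


def nss_getpwnam(name):
    """Resolve a name to a uid the way 'passwd: compat ldap' does:
    local files win, LDAP is only consulted when the name is not local."""
    local = parse_passwd(LOCAL_PASSWD)
    if name in local:
        return local[name]
    entry = ldap_lookup(name)
    return entry["uidNumber"] if entry else None


def pam_ldap_authenticate(name, password, minimum_uid=0):
    """Simulated pam_ldap auth step. Returns (success, uid).

    With minimum_uid=0 (no filter) the LDAP password for "root" is accepted
    and the session gets the locally resolved uid 0. With minimum_uid=1000
    (the default the thread mentions) low-uid accounts are never handed to
    LDAP, so the local password is the only one that works for them."""
    uid = nss_getpwnam(name)
    if uid is None:
        return False, None
    if uid < minimum_uid:
        # Hypothetical equivalent of minimum_uid: do not consult LDAP at all
        # for system accounts; another PAM module (pam_unix) handles them.
        return False, None
    entry = ldap_lookup(name)
    if entry is None:
        return False, None
    if not hmac.compare_digest(entry["userPassword"], password):
        return False, None
    return True, uid


def audit_collisions():
    """Hypothetical admin check: names defined both locally and in LDAP."""
    local = parse_passwd(LOCAL_PASSWD)
    return sorted(e["uid"] for e in LDAP_ENTRIES if e["uid"] in local)


if __name__ == "__main__":
    print("no filter, root/weak:", pam_ldap_authenticate("root", "weak"))
    print("minimum_uid=1000, root/weak:",
          pam_ldap_authenticate("root", "weak", minimum_uid=1000))
    print("minimum_uid=1000, bob/bobpass:",
          pam_ldap_authenticate("bob", "bobpass", minimum_uid=1000))
    print("name collisions:", audit_collisions())
```

Running it shows the unfiltered case granting uid 0 on the LDAP password, the filtered case rejecting it while ordinary LDAP users still authenticate, and the audit listing `root` as a name that should not exist in both sources.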