Message 1 in thread
From: Frank Bonnet (bonnetf@bart.esiee.fr)
Subject: 5.1 beta2 still in trouble with pam_ldap
 
Newsgroups: fa.freebsd.current
Date: 2003-05-22 09:47:48 PST
Hi

I've installed 5.1 beta2 but I'm still in trouble
with pam_ldap / nss_ldap 

the scenario is the following

if in any file of the pam.d directory I replace
the original line :

auth           required        pam_unix.so             no_warn try_first_pass nullok

by the following 

auth            sufficient      /usr/local/lib/pam_ldap.so

for example in the /etc/pam.d/su file I can perform the "su -"
command WITHOUT TYPING ANY PASSWORD from a normal user login.

Do I misunderstand pam concepts or is it a real bug?

LDAP related packages installed are 

openldap-2.0.25_3
nss_ldap-1.204_1
pam_ldap-1.6.1

Thanks for any info
-- 
Frank Bonnet 
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
Message 2 in thread
From: Gordon Tetlow (gordont@gnf.org)
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
 
Newsgroups: fa.freebsd.current
Date: 2003-05-22 14:51:07 PST
On Thu, May 22, 2003 at 06:46:31PM +0200, Frank Bonnet wrote:
> Hi
> 
> I've installed 5.1 beta2 but I'm still in trouble
> with pam_ldap / nss_ldap 
> 
> the scenario is the following
> 
> if in any file of the pam.d directory I replace
> the original line :
> 
> auth           required        pam_unix.so             no_warn try_first_pass nullok
> 
> by the following 
> 
> auth            sufficient      /usr/local/lib/pam_ldap.so

Don't replace the line, add it before pam_unix.so. Having the last auth
line be sufficient causes weird behavior. If you feel like you need to
*replace* pam_unix (which is a *really* bad idea), make it required, not
sufficient. I would recommend something like this:

...
auth sufficient      /usr/local/lib/pam_ldap.so
auth required        pam_unix.so             no_warn try_first_pass nullok

> Do I misunderstand pam concepts or is it a real bug?

I think you might be missing a concept or two. In any event this is not
really a bug.

-gordon

--
Message 3 in thread
From: Dag-Erling Smorgrav (des@ofug.org)
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
 
Newsgroups: fa.freebsd.current
Date: 2003-05-22 15:29:09 PST
Frank Bonnet <bonnetf@bart.esiee.fr> writes:
> if in any file of the pam.d directory I replace
> the original line :
>
> auth           required        pam_unix.so             no_warn try_first_pass nullok
>
> by the following 
>
> auth            sufficient      /usr/local/lib/pam_ldap.so
>
> for example in the /etc/pam.d/su file I can perform the "su -"
> command WITHOUT TYPING ANY PASSWORD from a normal user login.

If pam_ldap is the last line, it should be "required", not
"sufficient"; alternatively it should be followed by pam_deny.  This
is (imperfectly) documented in /etc/pam.d/README:

 Note that having a "sufficient" module as the last entry for a
 particular service and module type may result in surprising behaviour.
 To get the intended semantics, add a "required" entry listing the
 pam_deny module at the end of the chain.

Solaris introduced the "binding" flag to try to alleviate this
problem.  OpenPAM supports "binding", but does not document it
anywhere.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
Message 4 in thread
From: Gordon Tetlow (gordont@gnf.org)
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
 
Newsgroups: fa.freebsd.current
Date: 2003-05-22 15:58:08 PST
On Fri, May 23, 2003 at 12:26:20AM +0200, Dag-Erling Smorgrav wrote:
> Frank Bonnet <bonnetf@bart.esiee.fr> writes:
> > if in any file of the pam.d directory I replace
> > the original line :
> >
> > auth           required        pam_unix.so             no_warn try_first_pass nullok
> >
> > by the following 
> >
> > auth            sufficient      /usr/local/lib/pam_ldap.so
> >
> > for example in the /etc/pam.d/su file I can perform the "su -"
> > command WITHOUT TYPING ANY PASSWORD from a normal user login.
> 
> If pam_ldap is the last line, it should be "required", not
> "sufficient"; alternatively it should be followed by pam_deny.  This
> is (imperfectly) documented in /etc/pam.d/README:
> 
>  Note that having a "sufficient" module as the last entry for a
>  particular service and module type may result in surprising behaviour.
>  To get the intended semantics, add a "required" entry listing the
>  pam_deny module at the end of the chain.

Do you think it might be a good idea to turn all the pam configuration
files to list actual providers at sufficient followed by a pam_deny:

auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
auth required pam_deny.so

This makes it very explicit as to what's going on and makes it so the
last entry isn't different merely because it's last.

> Solaris introduced the "binding" flag to try to alleviate this
> problem.  OpenPAM supports "binding", but does not document it
> anywhere.

I'm unfamiliar with this option. What's it do?

-gordon

--
Message 5 in thread
From: Dag-Erling Smorgrav (des@ofug.org)
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
 
Newsgroups: fa.freebsd.current
Date: 2003-05-22 16:48:50 PST
Gordon Tetlow <gordont@gnf.org> writes:
> Do you think it might be a good idea to turn all the pam configuration
> files to list actual providers at sufficient followed by a pam_deny:

No.  I'd rather replace "sufficient" with "binding" where appropriate.

> > Solaris introduced the "binding" flag to try to alleviate this
> > problem.  OpenPAM supports "binding", but does not document it
> > anywhere.
> I'm unfamiliar with this option. What's it do?

It behaves like "sufficient" should, i.e. failure is not ignored.  I'm
working on updating the documentation.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
Message 6 in thread
From: Ruslan Ermilov (ru@freebsd.org)
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
 
Newsgroups: fa.freebsd.current
Date: 2003-05-22 23:10:36 PST
On Fri, May 23, 2003 at 01:45:44AM +0200, Dag-Erling Smorgrav wrote:
> Gordon Tetlow <gordont@gnf.org> writes:
> > Do you think it might be a good idea to turn all the pam configuration
> > files to list actual providers at sufficient followed by a pam_deny:
> 
> No.  I'd rather replace "sufficient" with "binding" where appropriate.
> 
> > > Solaris introduced the "binding" flag to try to alleviate this
> > > problem.  OpenPAM supports "binding", but does not document it
> > > anywhere.
> > I'm unfamiliar with this option. What's it do?
> 
> It behaves like "sufficient" should, i.e. failure is not ignored.
> 
You mean, _last_ failure is not ignored?

-- 
Ruslan Ermilov  Sysadmin and DBA,
ru@sunbay.com  Sunbay Software AG,
ru@FreeBSD.org  FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine

http://www.freebsd.org/ The Power To Serve
http://www.oracle.com/ Enabling The Information Age

--
Message 7 in thread
From: Dag-Erling Smorgrav (des@ofug.org)
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
 
Newsgroups: fa.freebsd.current
Date: 2003-05-22 23:27:07 PST
Ruslan Ermilov <ru@freebsd.org> writes:
> On Fri, May 23, 2003 at 01:45:44AM +0200, Dag-Erling Smorgrav wrote:
> > Gordon Tetlow <gordont@gnf.org> writes:
> > > I'm unfamiliar with ["binding"]. What's it do?
> > It behaves like "sufficient" should, i.e. failure is not ignored.
> You mean, _last_ failure is not ignored?

I don't understand the question.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
Message 8 in thread
From: Ruslan Ermilov (ru@freebsd.org)
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
 
Newsgroups: fa.freebsd.current
Date: 2003-05-22 23:30:41 PST
On Fri, May 23, 2003 at 08:24:34AM +0200, Dag-Erling Smorgrav wrote:
> Ruslan Ermilov <ru@freebsd.org> writes:
> > On Fri, May 23, 2003 at 01:45:44AM +0200, Dag-Erling Smorgrav wrote:
> > > Gordon Tetlow <gordont@gnf.org> writes:
> > > > I'm unfamiliar with ["binding"]. What's it do?
> > > It behaves like "sufficient" should, i.e. failure is not ignored.
> > You mean, _last_ failure is not ignored?
> 
> I don't understand the question.
> 
In a chain with multiple "binding" modules, only the _last_
failure gets ignored?  Meaning, if some other module succeeds,
override the failure status, right?


Cheers,
-- 
Ruslan Ermilov  Sysadmin and DBA,
ru@sunbay.com  Sunbay Software AG,
ru@FreeBSD.org  FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine

http://www.freebsd.org/ The Power To Serve
http://www.oracle.com/ Enabling The Information Age

--
Message 9 in thread
From: Dag-Erling Smorgrav (des@ofug.org)
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
 
Newsgroups: fa.freebsd.current
Date: 2003-05-23 07:33:53 PST
Ruslan Ermilov <ru@freebsd.org> writes:
> In a chain with multiple "binding" modules, only the _last_
> failure gets ignored?  Meaning, if some other module succeeds,
> override the failure status, right?

Failure of a "binding" module causes the entire chain to fail once it
has completed.  The error returned is that returned by the first
non-"optional", non-"sufficient" module that failed.

Failure of a "sufficient" module, on the other hand, is always ignored
(so if no other non-"optional", non-"sufficient" module failed, the
chain will succeed).  This is what constantly surprises users, and
what "binding" was introduced to alleviate.

See the PAM article for details - particularly the following two
sections:

http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html#PAM-CHAINS-POLICIES
http://www.freebsd.org/doc/en/articles/pam/pam-config.html#PAM-POLICIES

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
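As an added illustration for this thread (not code from the list, from OpenPAM, or from any of the posters), the Python script below models the control-flag dispatch DES describes: a "sufficient" module that fails is ignored, a "binding" module that fails is remembered like a "required" failure, and the chain's result is the first such failure or success if there was none. It also models "requisite" as terminating the chain immediately on failure, per OpenPAM's documented behaviour, which is the difference Ruslan's follow-up question is about. The parser, the scenario strings and every per-module result are constructed for the example; pam_deny.so is modelled as always failing, which is its documented purpose.

```python
# Added example: a toy evaluator of OpenPAM-style control flags for one
# "auth" chain.  Not OpenPAM's code; the rules follow the thread's
# description and OpenPAM's documentation.  All module results are
# constructed, and status codes are symbolic names, not numeric values.
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
FLAGS = ("required", "requisite", "sufficient", "binding", "optional")


@dataclass
class Entry:
    flag: str
    module: str


def parse_chain(pamd_text: str, facility: str = "auth") -> List[Entry]:
    """Parse pam.d lines ("<facility> <flag> <module> [args...]") and keep
    one facility's chain.  A module path such as /usr/local/lib/pam_ldap.so
    is reduced to its basename so results can be keyed by module name."""
    chain = []
    for raw in pamd_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1].lower() not in FLAGS:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        if fields[0] == facility:
            chain.append(Entry(fields[1].lower(), fields[2].rsplit("/", 1)[-1]))
    if not chain:
        raise ValueError(f"no {facility!r} entries in configuration")
    return chain


def run_chain(chain: List[Entry], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Dispatch the chain with the given per-module results (constructed)
    and return (final status, trace).  pam_deny.so always fails."""
    first_err = None   # first failure of a required/requisite/binding module
    trace = []
    for entry in chain:
        r = PAM_AUTH_ERR if entry.module == "pam_deny.so" else results[entry.module]
        trace.append(f"{entry.flag:<10} {entry.module:<12} -> {r}")
        if r == PAM_SUCCESS:
            # sufficient/binding success ends the chain, unless an earlier
            # required/binding module already failed
            if entry.flag in ("sufficient", "binding") and first_err is None:
                trace.append("  stop: success")
                return PAM_SUCCESS, trace
            continue
        if entry.flag == "requisite":
            trace.append("  stop: requisite failed")
            return r, trace
        if entry.flag in ("required", "binding") and first_err is None:
            first_err = r  # remembered; the rest of the chain still runs
        # a failing sufficient or optional module is ignored
    return (first_err if first_err is not None else PAM_SUCCESS), trace


def evaluate(pamd_text: str, results: Dict[str, str]) -> str:
    return run_chain(parse_chain(pamd_text), results)[0]


# Constructed scenarios taken from the thread's suggestions.
FRANKS_SU = "auth sufficient /usr/local/lib/pam_ldap.so\n"
DES_FIX = "auth sufficient /usr/local/lib/pam_ldap.so\nauth required pam_deny.so\n"
GORDONS = ("auth sufficient /usr/local/lib/pam_ldap.so\n"
           "auth required pam_unix.so no_warn try_first_pass nullok\n")
BINDING = "auth binding /usr/local/lib/pam_ldap.so\nauth required pam_unix.so\n"

LDAP_FAILS = {"pam_ldap.so": PAM_AUTH_ERR, "pam_unix.so": PAM_SUCCESS}
LDAP_OK = {"pam_ldap.so": PAM_SUCCESS, "pam_unix.so": PAM_AUTH_ERR}
BOTH_FAIL = {"pam_ldap.so": PAM_AUTH_ERR, "pam_unix.so": PAM_AUTH_ERR}

if __name__ == "__main__":
    for name, cfg in [("Frank's su", FRANKS_SU), ("DES's pam_deny fix", DES_FIX),
                      ("Gordon's chain", GORDONS), ("binding", BINDING)]:
        status, trace = run_chain(parse_chain(cfg), LDAP_FAILS)
        print(f"{name}: pam_ldap fails -> {status}")
        for line in trace:
            print("   ", line)
```

Running it with pam_ldap failing shows Frank's one-line chain returning PAM_SUCCESS (the "no password" result), the pam_deny and "required" variants returning the failure, and the "binding" variant failing even though pam_unix succeeded, which is exactly the difference DES describes between "sufficient" and "binding".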
Message 10 in thread
From: Ruslan Ermilov (ru@freebsd.org)
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
 
Newsgroups: fa.freebsd.current
Date: 2003-05-23 12:38:37 PST
On Fri, May 23, 2003 at 04:33:09PM +0200, Dag-Erling Smorgrav wrote:
> Ruslan Ermilov <ru@freebsd.org> writes:
> > In a chain with multiple "binding" modules, only the _last_
> > failure gets ignored?  Meaning, if some other module succeeds,
> > override the failure status, right?
> 
> Failure of a "binding" module causes the entire chain to fail once it
> has completed.  The error returned is that returned by the first
> non-"optional", non-"sufficient" module that failed.
> 
> Failure of a "sufficient" module, on the other hand, is always ignored
> (so if no other non-"optional", non-"sufficient" module failed, the
> chain will succeed).  This is what constantly surprises users, and
> what "binding" was introduced to alleviate.
> 
> See the PAM article for details - particularly the following two
> sections:
> 
> http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html#PAM-CHAINS-POLICIES
> http://www.freebsd.org/doc/en/articles/pam/pam-config.html#PAM-POLICIES
> 
Thanks, DES!  I think I now understand this much better.  :-)

And I have the following question for you:

Why is pam_nologin in the "auth" chain of the "login" service marked
"required" and not "requisite", and why do we have "required" at
all?  What's the point in continuing with the chain if we are going
to return the failure anyway?  What's the real application of
"required" as compared to "requisite"?


Cheers,
-- 
Ruslan Ermilov  Sysadmin and DBA,
ru@sunbay.com  Sunbay Software AG,
ru@FreeBSD.org  FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine

http://www.freebsd.org/ The Power To Serve
http://www.oracle.com/ Enabling The Information Age
