On Sun, 2011-01-23 at 20:17 +0100, Luca Capello wrote:
> On sid, however, while I was quite happy that I had nothing to touch to
> have LDAP authentication working automatically by default, the
> libpam-ldap's pam_check_host_attr seems to not work at all:
> --8<---------------cut here---------------start------------->8---
> #
> # /etc/pam.d/common-account - authorization settings common to all services
> #
>
> # here are the per-package modules (the "Primary" block)
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account [success=1 default=ignore] pam_ldap.so
> # here's the fallback if no module succeeds
> account requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> account required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
> --8<---------------cut here---------------end--------------->8---
The problem with this is that if pam_unix thinks everything is OK, the
whole stack returns success (the success=2 part) and does not go on to
pam_ldap. A workaround for this is to make pam_unix fail so that pam_ldap
is tried. That can be done by not providing shadow information from
nss_ldap (remove ldap from the shadow line in /etc/nsswitch.conf). This
does mean that you don't get the checks that pam_unix usually does (e.g.
password expiry).

> I read the PAM documentation, but I still do not understand what is
> wrong with the default configuration. Could this be related to
> <http://bugs.debian.org/583492>?

I think this is an oversight in the PAM stack set-up. I don't think the
authorisation checks should be split into Primary and Additional sections
and a better structural approach is needed.

> I guess so, given that libpam-ldapd's pam.d/common-account
> configuration works as expected, with the big difference being that
> the pam_ldap's profile is Additional and not Primary:

Also see http://bugs.debian.org/583483

> Given that AFAIK libpam-ldapd does not support the pam_check_host_attr
> (wishlist bug?), I am quite reluctant to switch to it. I know I should
> be able to implement that in /etc/nslcd.conf (via the 'filter' or
> 'pam_authz_search' options), but it is not so straightforward as
> libpam-ldap ;-)

libpam-ldapd doesn't have a pam_check_host_attr but it does have a more
flexible pam_authz_search option. You can emulate pam_check_host_attr
with:

  pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(!(host=*))))

or to deny access altogether if no host attribute is set:

  pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=$hostname))

I've just added a bit to the manual page:
http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#pam_authz_search

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --
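Editor's note: the following is an added example and is not code from the thread, from Linux-PAM or from nss-pam-ldapd. It models two things discussed above: how the quoted common-account stack walks its control flags (so that a pam_unix success jumps over pam_ldap and the host check never runs, and only dropping the LDAP shadow data lets pam_ldap be reached), and how the two pam_authz_search filters behave once $username and $hostname are expanded. The directory entries, host names and the module return values (pam_unix returning user_unknown when it has no shadow data) are constructed; the jump semantics follow the quoted config's own comment that a jump does not record a success code, which is why pam_permit is there.

```python
"""Toy model of the Debian common-account stack and of nslcd's
pam_authz_search host check.  Added example; the directory, host names,
control-flag handling and module return codes are constructed for
illustration and are not Linux-PAM or nss-pam-ldapd code."""

# Constructed LDAP entries keyed by uid (attribute -> list of values).
DIRECTORY = {
    "alice": {"objectClass": ["posixAccount"], "uid": ["alice"], "host": ["web1"]},
    "bob":   {"objectClass": ["posixAccount"], "uid": ["bob"], "host": ["db1", "web1"]},
    "carol": {"objectClass": ["posixAccount"], "uid": ["carol"]},  # no host attribute
}

# The two pam_authz_search filters from the message.
LENIENT = "(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(!(host=*))))"
STRICT = "(&(objectClass=posixAccount)(uid=$username)(host=$hostname))"


def parse_filter(flt, i=0):
    """Recursive-descent parser for the RFC 4515 subset used above:
    (&...), (|...), (!...), (attr=value) and the presence test (attr=*)."""
    assert flt[i] == "(", "filter must start with '('"
    i += 1
    if flt[i] in "&|!":
        op, i, kids = flt[i], i + 1, []
        while flt[i] == "(":
            kid, i = parse_filter(flt, i)
            kids.append(kid)
        assert flt[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    j = flt.index(")", i)
    attr, _, value = flt[i:j].partition("=")
    return ("=", attr, value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    return bool(values) if value == "*" else value in values


def pam_authz_search(template, username, hostname, directory=DIRECTORY):
    """nslcd expands $username/$hostname and denies access when the search
    returns no entry (nslcd.conf(5)); here the search runs over DIRECTORY."""
    flt = template.replace("$username", username).replace("$hostname", hostname)
    tree, _ = parse_filter(flt)
    return any(matches(tree, e) for e in directory.values())


# The quoted stack, with requisite/required spelled out in [...] form:
# requisite is default=die, required is default=bad.
STACK = [
    ({"success": 2, "new_authtok_reqd": "done", "default": "ignore"}, "pam_unix"),
    ({"success": 1, "default": "ignore"}, "pam_ldap"),
    ({"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"}, "pam_deny"),
    ({"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}, "pam_permit"),
]


def run_account_stack(username, hostname, shadow_from_ldap, authz_filter=LENIENT):
    """Walk STACK and return (final status, modules actually run).
    Assumed module results: pam_unix succeeds only when it can read shadow
    data for the user (the nsswitch.conf workaround removes that), and
    pam_ldap applies the pam_authz_search filter."""
    results = {
        "pam_unix": "success" if shadow_from_ldap else "user_unknown",
        "pam_ldap": "success" if pam_authz_search(authz_filter, username, hostname)
                    else "perm_denied",
        "pam_deny": "perm_denied",
        "pam_permit": "success",
    }
    status, ran, i = None, [], 0
    while i < len(STACK):
        control, module = STACK[i]
        ret = results[module]
        ran.append(module)
        action = control.get(ret, control["default"])
        i += 1
        if isinstance(action, int):       # jump over the next N modules; per the
            i += action                   # config comment this records no status
        elif action == "ignore":
            pass
        else:                             # ok / done / bad / die
            if status in (None, "success"):
                status = ret              # the first failure sticks
            if action in ("done", "die"):
                break
    return status or "perm_denied", ran


if __name__ == "__main__":
    # With shadow data from LDAP, pam_unix succeeds and jumps straight to
    # pam_permit: alice gets onto db1 although her host attribute says web1.
    print(run_account_stack("alice", "db1", shadow_from_ldap=True))
    # Without it, pam_ldap is reached and the host restriction is enforced.
    print(run_account_stack("alice", "db1", shadow_from_ldap=False))
    print(run_account_stack("carol", "db1", False, STRICT))
```

The two filters differ only for entries such as carol's that carry no host attribute: the first admits them everywhere, the second denies them everywhere. Whichever you pick, the simulation shows it is irrelevant while pam_unix still returns success in the Primary block, because the success=2 jump lands on pam_permit without ever consulting pam_ldap.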