Control: found -1 nss-ldapd/0.6.1

On Sun, 2013-05-05 at 20:18 -0700, Andrew Ayer wrote:
> nslcd only allows processes with UID==0 (as determined by credentials
> passed over its UNIX domain socket) to query the shadow database.
> [...]
> This is a problem because it means non-root processes, in particular
> processes with GID shadow, are unable to authenticate against LDAP
> via PAM. Although pam_authenticate() succeeds (since it works by
> attempting an LDAP bind with the user's password), pam_acct_mgmt(),
> which needs to consult the shadow database for the password expiration
> fields, fails.
This is indeed the case. The reasoning for this change was that normally getent shadow only returns information for root users (or group shadow users as it turns out).

The shadow information basically consists of two parts:
- the password hash
- the password and account expiry and related information

The password hash should only be available to privileged users; the other information is probably less sensitive. However, I can imagine environments where the other information should also not be public.

Note that, as an extra precaution, by default nslcd maps the userPassword attribute to "*" so you have to make a conscious decision to expose password hashes through nslcd.

Determining who can see what information consists of basically two separate decisions (where those who have access to the hash are a subset of those who have access to the other information). (There is actually a third case because nslcd can, under specific circumstances, expose password hashes as part of the getent passwd request, but that could be analogous to the access to the shadow hash decision.)

Suggestions as to how to specify this in the configuration file are welcome. I am looking for a proper solution for this.

As a quick fix I could also make a patch that also returns the shadow information to requests from processes with group shadow. Such a patch could perhaps be considered for wheezy (if approved by the stable release team).

Some workarounds that are available as of now:
- make the pwauth binary suid root (obviously not ideal)
- remove ldap from the shadow line in /etc/nsswitch.conf

The second option should result in pam_unix skipping the authorisation check (when using nslcd 0.8.4 or newer). Since nslcd performs the same checks (which should still be performed) this should not be a problem.

Thanks for your bug report pointing out the shadow group,

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
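The message describes a two-level decision: who may see the expiry fields of a shadow entry, and, as a subset of those, who may see the password hash. The following added example (not nslcd's code; the peer credential tuple, the `policy` dictionary keys `expiry`, `hash` and `shadow_gid`, and the sample entry are all constructed here) models that decision the way a daemon that learns its caller's UID/GID from a UNIX socket would apply it, returning the full entry, an entry with the hash replaced by "*", or nothing at all.

```python
"""Model of a two-level shadow access policy (added illustration, not nslcd code).

Policy keys (constructed for this example):
  expiry:     'root' (default), 'shadow' (root or group shadow), or 'all'
  hash:       'root' (default), 'shadow', 'all', or 'none' (always map to "*")
  shadow_gid: numeric gid of the shadow group (default 42, Debian's convention)
Hash visibility can never exceed expiry visibility.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

DEFAULT_SHADOW_GID = 42  # constructed default; real value comes from /etc/group


@dataclass(frozen=True)
class PeerCreds:
    """What the daemon learns about the caller (SO_PEERCRED on Linux)."""
    uid: int
    gid: int
    groups: Tuple[int, ...] = ()


@dataclass(frozen=True)
class ShadowEntry:
    """Fields of a shadow(5) line."""
    name: str
    password_hash: str
    last_change: int
    min_days: int
    max_days: int
    warn_days: int
    inactive_days: int
    expire_day: int

    def to_line(self) -> str:
        # getent-style output; the trailing field (reserved) is left empty
        return ":".join([self.name, self.password_hash, str(self.last_change),
                         str(self.min_days), str(self.max_days), str(self.warn_days),
                         str(self.inactive_days), str(self.expire_day), ""])


def _in_shadow_group(creds: PeerCreds, policy: dict) -> bool:
    gid = policy.get("shadow_gid", DEFAULT_SHADOW_GID)
    return creds.gid == gid or gid in creds.groups


def may_see_expiry(creds: PeerCreds, policy: dict) -> bool:
    """First decision: may the caller see the expiry/ageing fields at all?"""
    level = policy.get("expiry", "root")
    if level == "all" or creds.uid == 0:
        return True
    return level == "shadow" and _in_shadow_group(creds, policy)


def may_see_hash(creds: PeerCreds, policy: dict) -> bool:
    """Second decision: may the caller also see the hash? Subset of the first."""
    if not may_see_expiry(creds, policy):
        return False
    level = policy.get("hash", "root")
    if level == "none":          # the "map userPassword to *" precaution
        return False
    if level == "all" or creds.uid == 0:
        return True
    return level == "shadow" and _in_shadow_group(creds, policy)


def filter_shadow(entry: ShadowEntry, creds: PeerCreds, policy: dict) -> Optional[ShadowEntry]:
    """Return what the caller is allowed to receive for this entry."""
    if not may_see_expiry(creds, policy):
        return None                                   # request refused entirely
    if may_see_hash(creds, policy):
        return entry                                  # full entry
    return replace(entry, password_hash="*")          # ageing fields only


# Constructed sample data for a stand-alone run.
SAMPLE = ShadowEntry("alice", "$6$constructedsalt$constructedhash", 15000, 0, 90, 7, 14, 16000)
ROOT = PeerCreds(uid=0, gid=0)
SHADOW_MEMBER = PeerCreds(uid=1000, gid=1000, groups=(DEFAULT_SHADOW_GID,))
OTHER = PeerCreds(uid=1001, gid=1001)

if __name__ == "__main__":
    for name, policy in [("default", {}), ("shadow-expiry", {"expiry": "shadow"}),
                         ("no-hash", {"expiry": "shadow", "hash": "none"})]:
        for who, creds in [("root", ROOT), ("shadow member", SHADOW_MEMBER), ("other", OTHER)]:
            got = filter_shadow(SAMPLE, creds, policy)
            print(f"{name:14} {who:14} -> {got.to_line() if got else 'denied'}")
```

With the default policy the behaviour matches the one reported in the bug: only UID 0 gets anything back, so a PAM stack running with group shadow is refused the expiry fields it needs. Setting `expiry` to `shadow` while leaving `hash` at `root` is the split the message proposes: the group-shadow process receives the ageing fields with the hash replaced by "*", and the hash itself stays limited to root (or is withheld from everyone with `hash: none`).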