Package: libpam-ldap
Version: 178-0pm2
Severity: important
Tags: patch

Currently libpam-ldap and libnss-ldap share the file /etc/ldap.secret to store the password of their rootbinddn in.
Since neither libpam-ldap nor libnss-ldap need a directory admin as these accounts, but only an account with specific rights in the directory, there is no need to tie the passwords of these accounts together. De-coupling libpam-ldap and libnss-ldap also makes handling of their password files easier. Neither one of these packages needs to care about anybody else dealing with their private files.

The attached patch changes the location of this secret file from /etc/ldap.secret to /etc/pam_ldap.secret (to match the config file ;-) and also gives an analysis of what rights are necessary for whom to which attributes in the file LDAP-Permissions.txt.

CU
Peter

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages libpam-ldap depends on:
ii debconf 1.4.30.11 Debian configuration management sy
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libldap2 2.1.30-3pm1 OpenLDAP libraries
ii libpam0g 0.76-22 Pluggable Authentication Modules l

-- debconf information:
* shared/ldapns/base-dn: o=ADPM,c=DE
* libpam-ldap/dbrootlogin: true
* libpam-ldap/override: false
* shared/ldapns/ldap-server: 127.0.0.1
* libpam-ldap/pam_password: exop
* libpam-ldap/binddn: cn=pam-User,ou=User,o=EDV
* libpam-ldap/rootbinddn: cn=pam-Admin,c$ou=User,o=EDV
* shared/ldapns/ldap_version: 3
* libpam-ldap/dblogin: true
--- debian/LDAP-Permissions.txt 2005-04-01 12:35:59.854617055 +0200 +++ debian/LDAP-Permissions.txt 2005-04-01 12:36:26.518518245 +0200 
@@ -0,0 +1,98 @@ +pam_ldap LDAP Actions +===================== + +The following list describes the actions on the LDAP server and the affected +LDAP objects and attributes that pam_ldap performs. + +The information contained in the list may be used to determine the required +permissions to objects and attributes in the directory. + +To be able to fully perform one of the listed action the accounts listed +below 'Accounts' need read access to the attributes listed below 'Attributes' +and compare access to the attributes listed in the filters below 'Filters' +of all objects in the directory branch that starts at 'Base'. + + +User Search +----------- +Account: + VALUE OF rootbinddn (if geteuid() == 0 and 'rootbinddn' is set) + VALUE OF binddn (if geteuid() != 0 or 'rootbinddn' isn't set) + anonymous (if 'binddn' is not set) +* Base: + VALUE OF nss_base_passwd + VALUE OF base (if 'nss_base_passwd' is not set) +* Filter: + AND combination of the following partial filters: + VALUE OF pam_filter + VALUE OF FILTER PART OF nss_base_passwd + (LoginAttr=UserName) + where + LoginAttr = VALUE OF pam_login_attribute (default: uid) + UserName = the account of the user + If either 'pam_filter' or 'nss_base_passwd' + is not set, the associated part is left out +* Attributes: + host + authorizedService + uidNumber + VALUE OF pam_template_login_attribute + shadowLastChange + shadowMin + shadowMax + shadowWarning + shadowInactive + shadowExpire + shadowFlag + + +Password-Change for a User +-------------------------- +Account: + VALUE OF rootbinddn (if geteuid() == 0 and 'rootbinddn' is set) + user's DN (as found in the 'User Search') +* Base: + VALUE OF nss_base_passwd + or + VALUE OF base (if 'nss_base_passwd' is not set) +* Attributes (write access necessary) + userPassword (if 'pam_password' is not set to 'ad') + unicodePwd (if 'pam_password' is set to 'ad') + shadowLastChange + + +Group Membership Search +----------------------- +* Comment: + only performed if 'pam_groupdn' is set 
+* Account: + VALUE OF rootbinddn (if geteuid() == 0 and 'rootbinddn' is set) + VALUE OF binddn (if geteuid() != 0 or 'rootbinddn' isn't set) + anonymous (if 'binddn' is not set) +* Base: + VALUE OF pam_groupdn +* Filter: + (MemberAttr=UserDN) + where + MemberAttr = VALUE OF pam_member_attribute (default: uniqueMember) + UserDN = user's DN (as found in 'User Search') + + +Passwort-Policy Search +---------------------- +* Comment: + only performed if 'pam_lookup_policy' is set to yes +* Account: + VALUE OF rootbinddn (if geteuid() == 0 and 'rootbinddn' is set) + VALUE OF binddn (if geteuid() != 0 or 'rootbinddn' isn't set) + anonymous (if 'binddn' is not set) +* Base: + TREE-ROOT +* Filter: + (objectclass=passwordPolicy) +* Attributes: + passwordMaxFailure + passwordMinLength + + + -- Peter Marschall <[EMAIL PROTECTED]> --- debian/libpam-ldap.postinst 2005-03-31 17:41:32.000000000 +0200 +++ debian/libpam-ldap.postinst 2005-04-01 13:18:33.574317266 +0200 @@ -4,7 +4,8 @@ PACKAGE=libpam-ldap CONFFILE="/etc/pam_ldap.conf" -PASSWDFILE="/etc/ldap.secret" +PASSWDFILE="/etc/pam_ldap.secret" +OLDPASSWDFILE="/etc/ldap.secret" add_missing() { @@ -100,22 +101,27 @@ db_get libpam-ldap/dbrootlogin if [ "$RET" = "true" ]; then - # user wants to log in to the database, so be it. + # separate root login to the database db_get libpam-ldap/rootbinddn change_value rootbinddn "$RET" db_get libpam-ldap/rootbindpw if [ "$RET" != "" ]; then - rm -f $PASSWDFILE + rm -f $PASSWDFILE $OLDPASSWDFILE echo $RET > $PASSWDFILE chmod 0600 $PASSWDFILE db_set libpam-ldap/rootbindpw '' + else + # copy the old password file to its new location + if [ ! -e $PASSWDFILE -a -e $OLDPASSWDFILE ]; then + cp -a $OLDPASSWDFILE $PASSWDFILE + fi fi else # ok, so the user refused to use this feature, better make # sure it's really off. disable_param rootbinddn - rm -f $PASSWDFILE + rm -f $PASSWDFILE /etc/ldap.conf fi db_get libpam-ldap/dblogin 
@@ -134,5 +140,10 @@ disable_param binddn disable_param bindpw fi +else + # copy the password file to its new location + if [ ! -e $PASSWDFILE -a -e $OLDPASSWDFILE ]; then + cp -a $OLDPASSWDFILE $PASSWDFILE + fi fi db_stop --- debian/README.Debian 2005-03-31 17:41:32.000000000 +0200 +++ debian/README.Debian 2005-04-01 12:37:00.670987373 +0200 @@ -23,3 +23,8 @@ account required pam_ldap.so account required pam_permit.so +- Debian uses /etc/pam_ldap.conf as libpam-ldap's configuration file and +/etc/pam_ldap.secret as the file to store the password of the rootbinddn. + +- See LDAP-Permissions.txt for details about the required LDAP permissions. + --- debian/rules 2005-03-31 18:01:16.000000000 +0200 +++ debian/rules 2005-04-01 12:38:12.531245538 +0200 @@ -5,7 +5,7 @@ include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/class/autotools.mk -DEB_CONFIGURE_EXTRA_FLAGS += --with-ldap-lib=openldap --with-ldap-conf-file=/etc/pam_ldap.conf +DEB_CONFIGURE_EXTRA_FLAGS += --with-ldap-lib=openldap --with-ldap-conf-file=/etc/pam_ldap.conf --with-ldap-secret-file=/etc/pam_ldap.secret DEB_DESTDIR = $(CURDIR)/debian/tmp DEB_OPT_FLAG += -fPIC @@ -14,11 +14,13 @@ binary-post-install/libpam-ldap:: # rename man page mv $(MY_INST_DIR)/man/man5/pam_ldap.5 $(MY_INST_DIR)/man/man5/pam_ldap.conf.5 - # change all references from /etc/ldap.conf to /etc/pam_ldap.conf + # change all references from /etc/ldap.{conf,secret} to /etc/pam_ldap.{conf,secret} for file in $(MY_INST_DIR)/man/man5/pam_ldap.conf.5 \ + $(MY_INST_DIR)/libpam-ldap/ldap.conf \ $(MY_INST_DIR)/doc/libpam-ldap/examples/chfn \ $(MY_INST_DIR)/doc/libpam-ldap/examples/chsh ; do \ sed -e 's,/etc/ldap.conf,/etc/pam_ldap.conf,' \ + -e 's,/etc/ldap.secret,/etc/pam_ldap.secret,' \ < $$file > $$file-sed; \ mv $$file-sed $$file; \ done --- debian/libpam-ldap.install 2005-03-31 17:54:36.000000000 +0200 +++ debian/libpam-ldap.install 2005-04-01 13:49:46.212394430 +0200 
@@ -5,3 +5,4 @@ chsh usr/share/doc/libpam-ldap/examples pam.conf usr/share/doc/libpam-ldap/examples pam_ldap.5 usr/share/man/man5 +debian/LDAP-Permissions.txt usr/share/doc/libpam-ldap --- debian/libpam-ldap.postrm 2005-03-31 17:41:32.000000000 +0200 +++ debian/libpam-ldap.postrm 2005-04-01 13:50:49.898221676 +0200 @@ -1,12 +1,12 @@ #!/bin/sh CONFFILE="/etc/pam_ldap.conf" -PASSWDFILE="/etc/ldap.secret" +PASSWDFILE="/etc/pam_ldap.secret" action=$1 if [ "$action" = "purge" ]; then - rm -f $CONFFILE + rm -f $CONFFILE $PASSWDFILE fi #DEBHELPER#
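Review bot: in the new debian/LDAP-Permissions.txt the heading "Passwort-Policy Search" is the German spelling and should read "Password-Policy Search"; the introduction has "one of the listed action" (actions), and the "Account:" lines of "User Search" and "Password-Change for a User" lack the "* " bullet that every other item in the file carries, so a reader scanning the bullets misses which account performs those two operations. The "Attributes (write access necessary)" line is also the only one without a trailing colon.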
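Review bot: in the postinst hunk at @@ -100,22 +101,27 @@ the branch for a user who declines rootbinddn now runs `rm -f $PASSWDFILE /etc/ldap.conf`, which deletes libnss-ldap's configuration file instead of a secret; this reads like a typo for $OLDPASSWDFILE, but even that would contradict the stated goal of the patch, because /etc/ldap.secret still belongs to libnss-ldap and its rootbinddn stops working if libpam-ldap removes it. The same holds for the new `rm -f $PASSWDFILE $OLDPASSWDFILE` in the branch that writes a fresh password: once the secret has been copied to /etc/pam_ldap.secret, libpam-ldap should only ever remove its own file, so both lines should stay `rm -f $PASSWDFILE`. The copy block should also be followed by `chmod 0600 $PASSWDFILE` (cp -a preserves whatever mode the old file happens to have, and this is the only path that does not set the mode explicitly), and `[ ! -e $PASSWDFILE -a -e $OLDPASSWDFILE ]` is more portable as two `[ ]` tests joined with `&&`.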
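Review bot: the copy block added in the postinst hunk at @@ -134,5 +140,10 @@ is a verbatim duplicate of the one in the previous hunk; factor it into a small function next to add_missing() (and set chmod 0600 on the copied file there) so the two cannot drift apart. The condition of the outer `if` that this `else` attaches to is not visible in the hunk; a comment stating which case the new branch covers (it is not the dbrootlogin/dblogin path above) would make the migration path reviewable.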
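Review bot: the README.Debian addition names the new file but says nothing about migration: an upgrading admin should be told that the postinst copies an existing /etc/ldap.secret to /etc/pam_ldap.secret, that /etc/ldap.secret remains in use by libnss-ldap, and that the two passwords may now differ because the pam_ldap account only needs the rights listed in LDAP-Permissions.txt. One more bullet covering that would save a support question.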
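Review bot: the sed expressions in the debian/rules hunk at @@ -14,11 +14,13 @@ carry no `g` flag, so a line in the man page or the shipped ldap.conf that mentions /etc/ldap.secret more than once only has its first occurrence rewritten and the rest keep pointing at the old path; `-e 's,/etc/ldap.secret,/etc/pam_ldap.secret,g'` (and the same for the existing ldap.conf substitution) is safer.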
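Review bot: removing $PASSWDFILE on purge in the postrm hunk is the right complement to the postinst change, and leaving /etc/ldap.secret alone is correct because libnss-ldap still owns it; a one-line comment saying so would stop a future maintainer from "fixing" the purge to remove the old file as well.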