Package: libpam-ldap
Version: 184-8.5
Severity: normal
Tags: patch

Hi there!
Cc:ing the libpam and libnss-ldapd's maintainers because of #583492, read below.

I recently added the 'host' attribute to an OpenLDAP setup and I was activating the libpam-ldap's pam_check_host_attr as explained at <http://wiki.debian.org/LDAP/PAM>, section "Allowing logins on a per-host basis".

On a lenny system, adding the lines from the wiki section "PAM setup with pam_ldap" is enough to have the 'host' attribute checked before login:

--8<---------------cut here---------------start------------->8---
# /etc/pam.d/common-account - authorization settings common to all services
## http://wiki.debian.org/LDAP/PAM
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 10000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
--8<---------------cut here---------------end--------------->8---

On sid, however, while I was quite happy that I had nothing to touch to have LDAP authentication working automatically by default, the libpam-ldap's pam_check_host_attr seems to not work at all:

--8<---------------cut here---------------start------------->8---
# /etc/pam.d/common-account - authorization settings common to all services
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
--8<---------------cut here---------------end--------------->8---

FYI, with the lenny configuration file on sid everything is fine.
I read the PAM documentation, but I still do not understand what is wrong with the default configuration. Could this be related to <http://bugs.debian.org/583492>? I guess so, given that libpam-ldapd's pam.d/common-account configuration works as expected, with the big difference being that the pam_ldap's profile is Additional and not Primary:

--8<---------------cut here---------------start------------->8---
diff --git a/pam.d/common-account b/pam.d/common-account
index 95537e3..f499c71 100644
--- a/pam.d/common-account
+++ b/pam.d/common-account
@@ -14,8 +14,7 @@ # # here are the per-package modules (the "Primary" block) -account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so -account [success=1 default=ignore] pam_ldap.so +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already;
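Review bot: with pam_ldap.so removed from the Primary block, any user for whom pam_unix.so does not return success (its default=ignore leaves no result) now lands directly on the `account requisite pam_deny.so` line and is refused before the Additional-block pam_ldap.so line is ever reached; the profile or changelog should state that this layout relies on pam_unix.so succeeding for LDAP users, and note that the `success=2` to `success=1` change is what keeps the jump landing on pam_permit.so rather than pam_deny.so.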
@@ -23,4 +22,5 @@ account requisite pam_deny.so # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) +account [success=ok user_unknown=ignore default=bad] pam_ldap.so # end of pam-auth-update config
--8<---------------cut here---------------end--------------->8---

Given that AFAIK libpam-ldapd does not support the pam_check_host_attr (wishlist bug?), I am quite reluctant to switch to it. I know I should be able to implement that in /etc/nslcd.conf (via the 'filter' or 'pam_authz_search' options), but it is not so straightforward as libpam-ldap ;-)

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36-rc6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-ldap depends on:
ii  debconf [debconf-2.0]       1.5.37     Debian configuration management sy
ii  libc6                       2.11.2-7   Embedded GNU C Library: Shared lib
ii  libldap-2.4-2               2.4.23-7   OpenLDAP libraries
ii  libpam-runtime              1.1.1-6.1  Runtime support for the PAM librar
ii  libpam0g                    1.1.1-6.1  Pluggable Authentication Modules l

libpam-ldap recommends no packages.

Versions of packages libpam-ldap suggests:
ii  libnss-ldapd [libnss-ldap]  0.7.13     NSS module for using LDAP as a nam

-- debconf information:
* shared/ldapns/base-dn: dc=pca,dc=it
* shared/ldapns/ldap-server: ldap://ldap.pca.it
  libpam-ldap/pam_password: crypt
  libpam-ldap/binddn: cn=proxyuser,dc=example,dc=net
* libpam-ldap/rootbinddn: cn=admin,dc=pca,dc=it
* libpam-ldap/dbrootlogin: true
  libpam-ldap/override: true
* shared/ldapns/ldap_version: 3
* libpam-ldap/dblogin: false
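Review bot: the added Additional-block line `+account [success=ok user_unknown=ignore default=bad] pam_ldap.so` turns every pam_ldap.so return other than success or user_unknown into a failure of the whole account stack, so an unreachable LDAP server would also refuse local users whose account check already passed pam_unix.so; if failing closed is the intent, say so in the changelog, otherwise consider giving the server-unavailable return its own action in the bracket control.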
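As an added illustration that is not part of the report or of either package, the following Python model of the Linux-PAM bracket-control semantics (ok, bad, done, die, ignore and the `success=N` jump, as described in pam.conf(5)) is run over the three common-account stacks quoted above. The module return codes for the test user are constructed; it shows that in the sid layout the jump from pam_unix.so skips pam_ldap.so entirely, so the host check never runs, while the lenny and patched layouts honour pam_ldap's verdict.

```python
# Minimal model of how Linux-PAM walks an 'account' stack (constructed, not PAM's code).
KEYWORDS = {  # keyword controls expressed as their [...] equivalents, per pam.conf(5)
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_line(line):
    # 'account [success=2 default=ignore] pam_unix.so args' -> (actions, module)
    rest = line.split(None, 1)[1]                # drop the 'account' type field
    if rest.startswith("["):
        ctrl, rest = rest[1:].split("]", 1)
        actions = dict(kv.split("=", 1) for kv in ctrl.split())
    else:
        ctrl, rest = rest.split(None, 1)
        actions = KEYWORDS[ctrl]
    return actions, rest.split()[0]

def run_stack(config, returns):
    # `returns` maps each module to the code it returns for the user under test
    entries = [parse_line(l) for l in config.splitlines()]
    status, i = None, 0                          # None until some module sets a result
    while i < len(entries):
        actions, module = entries[i]
        ret = returns[module]
        action = actions.get(ret, actions["default"])
        if action.isdigit():                     # 'success=N': acts as 'ok', then skips N modules
            action, i = "ok", i + int(action)
        if action != "ignore" and status in (None, "success"):
            status = ret                         # first failure wins; later successes cannot undo it
        if action in ("done", "die"):
            break
        i += 1
    return status or "perm_denied"               # nothing set a result: PAM refuses

LENNY = """account required pam_unix.so
account sufficient pam_succeed_if.so uid < 10000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so"""
SID = """account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so"""
PATCHED = """account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [success=ok user_unknown=ignore default=bad] pam_ldap.so"""
# Constructed outcomes: an LDAP user (uid >= 10000) whose entry carries no 'host'
# value for this machine, so pam_ldap's pam_check_host_attr rejects the account.
LDAP_USER_WRONG_HOST = {"pam_unix.so": "success", "pam_succeed_if.so": "auth_err", "pam_ldap.so": "perm_denied",
                        "pam_deny.so": "perm_denied", "pam_permit.so": "success"}

def host_check_enforced(config):                 # True when pam_ldap's denial reaches the stack result
    return run_stack(config, LDAP_USER_WRONG_HOST) != "success"
```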