Hi there!

On Sun, 23 Jan 2011 22:07:25 +0100, Arthur de Jong wrote:
> On Sun, 2011-01-23 at 20:17 +0100, Luca Capello wrote:
>> On sid, however, while I was quite happy that I had nothing to touch to
>> have LDAP authentication working automatically by default, the
>> libpam-ldap's pam_check_host_attr seems to not work at all:
>>
>> --8<---------------cut here---------------start------------->8---
>> # /etc/pam.d/common-account - authorization settings common to all services
>>
>> # here are the per-package modules (the "Primary" block)
>> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
>> account [success=1 default=ignore] pam_ldap.so
>> # here's the fallback if no module succeeds
>> account requisite pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> account required pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> # end of pam-auth-update config
>> --8<---------------cut here---------------end--------------->8---
>
> The problem with this is that if pam_unix thinks everything is OK, the
> whole stack returns success (the success=2 part) and does not go on to
> pam_ldap.
>
> A workaround for this is to make pam_unix fail so that pam_ldap is
> tried. That can be done with not providing shadow information from
> nss_ldap (remove ldap from the shadow line in /etc/nsswitch.conf). This
> does mean that you don't get the checks that pam_unix (e.g. password
> expiry) usually does.

My fault, I thought I had checked pam_ldap's documentation, while it seems I did not, given that /usr/share/doc/libpam-ldap/README.Debian contains:

  - If you want to use the "pam_check_host_attr" feature, make sure
    "pam_unix.so" doesn't provide a valid "account" via the Name Service
    Switch (NSS), which overrides your LDAP configuration. Don't use
    "ldap" for "shadow" in /etc/nsswitch.conf, just use "shadow: files".
    For PAM, use something like the following:

      # Try local /etc/shadow first and skip LDAP on success
      account [success=1 default=ignore] pam_unix.so
      account required                   pam_ldap.so
      account required                   pam_permit.so

So I guess that either I reported a non-bug or the documentation is not in sync with what actually happens.

>> I read the PAM documentation, but I still do not understand what is
>> wrong with the default configuration. Could this be related to
>> <http://bugs.debian.org/583492>?
>
> I think this is an oversight in the PAM stack set-up. I don't think the
> authorisation checks should be split into Primary and Additional
> sections and a better structural approach is needed.

I am neither a PAM nor an LDAP expert, so I cannot comment on this.

>> I guess so, given that libpam-ldapd's pam.d/common-account
>> configuration works as expected, with the big difference being that
>> the pam_ldap's profile is Additional and not Primary:
>
> Also see http://bugs.debian.org/583483

Thank you, I missed that.

>> Given that AFAIK libpam-ldapd does not support the pam_check_host_attr
>> (wishlist bug?), I am quite reluctant to switch to it. I know I should
>> be able to implement that in /etc/nslcd.conf (via the 'filter' or
>> 'pam_authz_search' options), but it is not so straightforward as
>> libpam-ldap ;-)
>
> libpam-ldapd doesn't have a pam_check_host_attr but it does have a more
> flexible pam_authz_search option. You can emulate pam_check_host_attr
> with:
>
> pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(!(host=*))))
>
> or to deny access altogether if no host attribute is set:
>
> pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=$hostname))
>
> I've just added a bit to the manual page:
> http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#pam_authz_search

Thank you also for the prompt reply with examples, I followed up in <http://bugs.debian.org/610925> ;-)

Thx, bye,
Gismo / Luca
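To make the jump semantics Arthur describes concrete, here is an added Python model of the two account stacks quoted above; it is not code from the thread, from libpam-ldap or from nss-pam-ldapd. The PAM modules are stubs, and the user names, host names and host attribute values are constructed; it shows that with the pam-auth-update stack and "shadow: ldap" pam_ldap is never consulted for a user pam_unix recognises, while the README.Debian stack with "shadow: files" does reach pam_ldap's host check.

```python
# Constructed model of the Linux-PAM 'account' stack semantics from the thread.
# Module behaviour is stubbed; LDAP_USERS and the host names are made up.
LDAP_USERS = {"alice": {"host": ["web01"]}, "bob": {}}   # bob has no host attr
LOCAL_USERS = {"root"}                                    # in /etc/shadow

def pam_unix(user, host, shadow_from_ldap):
    # Succeeds whenever NSS can resolve the account; with "shadow: ldap" that
    # includes every LDAP user, which is what masks pam_ldap's check.
    known = user in LOCAL_USERS or (shadow_from_ldap and user in LDAP_USERS)
    return "success" if known else "user_unknown"

def pam_ldap(user, host, shadow_from_ldap):
    # pam_check_host_attr: allow only if the entry's host attribute names us.
    entry = LDAP_USERS.get(user)
    if entry is None:
        return "user_unknown"
    return "success" if host in entry.get("host", []) else "perm_denied"

def pam_deny(*_): return "perm_denied"

def pam_permit(*_): return "success"

def run_stack(stack, user, host, shadow_from_ldap):
    """Evaluate [(control, module), ...] -> (result, modules consulted).
    Controls: 'success=N' jumps over N entries on success (default=ignore
    otherwise), 'requisite' fails at once, 'required' records the failure."""
    consulted, failure, i = [], None, 0
    while i < len(stack):
        control, module = stack[i]
        rc = module(user, host, shadow_from_ldap)
        consulted.append(module.__name__)
        if control.startswith("success="):
            if rc == "success":
                i += int(control.split("=", 1)[1])  # skip the next N entries
        elif control == "requisite" and rc != "success":
            return rc, consulted
        elif control == "required" and rc != "success":
            failure = failure or rc
        i += 1
    return failure or "success", consulted

# Debian's pam-auth-update result quoted in the thread (Primary block).
DEBIAN_DEFAULT = [("success=2", pam_unix), ("success=1", pam_ldap),
                  ("requisite", pam_deny), ("required", pam_permit)]
# The stack recommended by README.Debian, to be used with "shadow: files".
README_STACK = [("success=1", pam_unix), ("required", pam_ldap),
                ("required", pam_permit)]
```

Running `run_stack(DEBIAN_DEFAULT, "alice", "db02", True)` returns success having consulted only pam_unix and pam_permit, whereas the same user on the same host against `README_STACK` with `shadow_from_ldap=False` is denied by pam_ldap.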