userPassword being compared on client end


userPassword being compared on client end

by Daniel Appleby

Hi,

I am trying to set up pam_ldap so that it first searches my LDAP server anonymously to find the user's DN and then attempts to bind using the DN and the password the user has provided. Basically, after checking the LDAP server logs it seems to be trying to retrieve the userPassword attribute from a search and then compare it on the client end. As our user passwords are locked down to the "SELF" right, it fails.

For the LDAP side of things the attributes and structure are based on rfc2307.

My system-auth file (for auth section):

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

I have a feeling it's pam_unix getting in the way, so I commented it out and still had the same issue (trying to get the userPassword attribute back from the server).

Thanks in advance for any help.

Regards,
Daniel

Re: userPassword being compared on client end

by Howard Chu

Daniel Appleby wrote:
> Hi,
>
> I am trying to set up pam_ldap so that it first searches my LDAP server
> anonymously to find the user's DN and then attempts to bind using the DN and the
> password the user has provided. Basically, after checking the LDAP server logs
> it seems to be trying to retrieve the userPassword attribute from a search and
> then compare it on the client end. As our user passwords are locked down to
> the "SELF" right, it fails.
>
> For the LDAP side of things the attributes and structure are based on rfc2307.
>
> My system-auth file (for auth section):
>
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> I have a feeling it's pam_unix getting in the way, so I commented it out
> and still had the same issue (trying to get the userPassword attribute back from the server).
>
> Thanks in advance for any help.

Yes, pam_unix will trigger that behavior since it will just use
getpwnam/getspnam. If you have nss_ldap configured, those functions will
result in the LDAP lookups you're seeing.

But it's odd that you say that commenting out pam_unix doesn't change the
behavior. Very likely the authentication program you're testing with is still
running with the previous settings, you probably need to kill it / restart it.

Typically the way to prevent pam_unix from trying is to list pam_ldap first.

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

RE: userPassword being compared on client end

by Daniel Appleby

Daniel Appleby wrote:
> Hi,
>
> I am trying to set up pam_ldap so that it first searches my LDAP server
> anonymously to find the user's DN and then attempts to bind using the DN and the
> password the user has provided. Basically, after checking the LDAP server logs
> it seems to be trying to retrieve the userPassword attribute from a search and
> then compare it on the client end. As our user passwords are locked down to
> the "SELF" right, it fails.
>
> For the LDAP side of things the attributes and structure are based on rfc2307.
>
> My system-auth file (for auth section):
>
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> I have a feeling it's pam_unix getting in the way, so I commented it out
> and still had the same issue (trying to get the userPassword attribute back from the server).
>
> Thanks in advance for any help.
>
> Yes, pam_unix will trigger that behavior since it will just use
> getpwnam/getspnam. If you have nss_ldap configured, those functions will
> result in the LDAP lookups you're seeing.
>
> But it's odd that you say that commenting out pam_unix doesn't change the
> behavior. Very likely the authentication program you're testing with is still
> running with the previous settings, you probably need to kill it / restart it.
>
> Typically the way to prevent pam_unix from trying is to list pam_ldap first.

Sorted out the issue. The OpenSSH defaults had changed between versions, so UsePAM defaulted to no.

Thanks for your assistance.

Regards,
Daniel
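The thread turns on two things: the order of pam_ldap and pam_unix in the PAM auth stack (Howard's point) and whether sshd is calling PAM at all (Daniel's resolution). With UsePAM set to no, sshd never enters the PAM stack and verifies passwords itself through getpwnam/getspnam, which with nss_ldap produces exactly the userPassword lookup seen in the server logs. The script below is an added example, not code from the thread or from the OpenLDAP, pam_ldap or OpenSSH projects; it assumes a Red Hat style system-auth layout and OpenSSH sshd_config syntax, and the four sample files it writes are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example (not from the thread): two sanity checks for an sshd +
# pam_ldap setup. Assumes Red Hat style /etc/pam.d/system-auth lines
# and OpenSSH sshd_config keyword syntax.

# pam_ldap_first FILE
# Exit 0 when the first "auth" line naming pam_ldap.so precedes the first
# "auth" line naming pam_unix.so, so LDAP binds are tried before pam_unix's
# getpwnam/getspnam lookups; exit 1 otherwise (also when either is missing).
pam_ldap_first() {
    awk '
        $1 == "auth" && /pam_ldap\.so/ && !ldap_line { ldap_line = NR }
        $1 == "auth" && /pam_unix\.so/ && !unix_line { unix_line = NR }
        END { exit !(ldap_line && unix_line && ldap_line < unix_line) }
    ' "$1"
}

# sshd_usepam FILE
# Exit 0 when the effective UsePAM value is yes. sshd honours the first
# occurrence of a keyword, and upstream OpenSSH's built-in default is no,
# so a missing or commented-out line means PAM is bypassed entirely.
sshd_usepam() {
    awk '
        tolower($1) == "usepam" && !seen { val = tolower($2); seen = 1 }
        END { exit !(val == "yes") }
    ' "$1"
}

# Constructed sample files so the checks can be run offline.
WORK=$(mktemp -d)
PAM_AS_POSTED="$WORK/system-auth.posted"
PAM_REORDERED="$WORK/system-auth.reordered"
SSHD_DEFAULT="$WORK/sshd_config.default"
SSHD_FIXED="$WORK/sshd_config.fixed"

# The stack exactly as posted: pam_unix runs before pam_ldap.
cat > "$PAM_AS_POSTED" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
EOF

# pam_ldap listed first, as suggested; pam_unix only runs if the bind fails
# and reuses the already-collected password via use_first_pass.
cat > "$PAM_REORDERED" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
EOF

# No active UsePAM line: sshd falls back to its built-in default of no.
cat > "$SSHD_DEFAULT" <<'EOF'
Port 22
Protocol 2
# UsePAM yes
EOF

cat > "$SSHD_FIXED" <<'EOF'
Port 22
Protocol 2
UsePAM yes
EOF

# report PAMFILE SSHDFILE: human-readable summary of both checks.
report() {
    if pam_ldap_first "$1"; then
        echo "$1: pam_ldap is tried before pam_unix"
    else
        echo "$1: pam_unix runs before pam_ldap (or one of them is missing)"
    fi
    if sshd_usepam "$2"; then
        echo "$2: UsePAM yes, sshd will use the PAM auth stack"
    else
        echo "$2: UsePAM no or unset, sshd will check passwords itself via getspnam"
    fi
}

report "$PAM_AS_POSTED" "$SSHD_DEFAULT"
report "$PAM_REORDERED" "$SSHD_FIXED"
```

Point the two functions at the real /etc/pam.d/system-auth and /etc/ssh/sshd_config to check a live host; both only read the files and exit non-zero on the configuration the thread describes. As Howard notes, a long-running sshd also has to be restarted before either change takes effect.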