Date:      Fri, 16 Jul 1999 12:36:48 -0600
From:      Oscar Bonilla <obonilla@fisicc-ufm.edu>
To:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: PAM & LDAP in FreeBSD
Message-ID:  <19990716123648.C3049@fisicc-ufm.edu>
In-Reply-To: <19990715200336.A15050@fisicc-ufm.edu>; from Oscar Bonilla on Thu, Jul 15, 1999 at 08:03:36PM -0600
References:  <19990715200336.A15050@fisicc-ufm.edu>

Following up on my own post:

For LDAP to be seamlessly integrated into the system some of the libraries
have to be changed. Specifically the ones dealing with /etc/passwd and
user information. 

I've decided the best way to do this is to do what's done with NIS.
Basically, handle the case where the user is not available in the local
databases.

The idea is to have an entry in /etc/passwd enabling LDAP lookups.
The entry would be of the form

ldap:*:389:389:o=My Organization, c=BR:uid:ldap.myorg.com
       ^^^     ^^^^^^^^^^^^^^^^^^^^^^^ ^^^ ^^^^^^^^^^^^^^
        |                  |            |        |       
       port            base dn        attr     LDAP Server

This comes from a pam_ldap module I got from Pedro A M Vazquez 
<vazquez@iqm.unicamp.br>

I'll change all of the functions in lib/libc/gen/getpwent.c to handle this
special case.

The only problem is that openldap has to be integrated into the base system
for this to compile... can I safely copy it to /usr/src/contrib?

How do I submit this after it's done? Does anyone care about LDAP :)?

Regards,

-Oscar


On Thu, Jul 15, 1999 at 08:03:36PM -0600, Oscar Bonilla wrote:
> While trying to use the pam_ldap module available from www.padl.com
> I discovered the following problem.
> 
> Although the module authenticates just fine (using openldap),
> the login program fails to permit logins. I traced the problem to 
> login.c --- the following code is from login.c. 
> 
> My questions are at the bottom.
> 
> ****************************************************************************
> 
> 
> 		pwd = getpwnam(username);
> 
> --------- at this point pwd == NULL due to the fact that the user
> --------- does not exist on the local passwd database... see below
> 
> 		/*
> 		 * if we have a valid account name, and it doesn't have a
> 		 * password, or the -f option was specified and the caller
> 		 * is root or the caller isn't changing their uid, don't
> 		 * authenticate.
> 		 */
> 		if (pwd != NULL) {
> 			if (pwd->pw_uid == 0)
> 				rootlogin = 1;
> 
> 			if (fflag && (uid == (uid_t)0 ||
> 				      uid == (uid_t)pwd->pw_uid)) {
> 				/* already authenticated */
> 				break;
> 			} else if (pwd->pw_passwd[0] == '\0') {
> 				if (!rootlogin || rootok) {
> 					/* pretend password okay */
> 					rval = 0;
> 					goto ttycheck;
> 				}
> 			}
> 		}
> 
> 		fflag = 0;
> 
> 		(void)setpriority(PRIO_PROCESS, 0, -4);
> 
> #ifndef NO_PAM
> 		/*
> 		 * Try to authenticate using PAM.  If a PAM system error
> 		 * occurs, perhaps because of a botched configuration,
> 		 * then fall back to using traditional Unix authentication.
> 		 */
> 		if ((rval = auth_pam()) == -1)
> 
> ------------- This returns PAM_SUCCESS since the pam_ldap module has
> ------------- successfully identified and authenticated the user.
> 
> #endif /* NO_PAM */
> 			rval = auth_traditional();
> 
> 		(void)setpriority(PRIO_PROCESS, 0, 0);
> 
> #ifndef NO_PAM
> 		/*
> 		 * PAM authentication may have changed "pwd" to the
> 		 * entry for the template user.  Check again to see if
> 		 * this is a root login after all.
> 		 */
> 		if (pwd != NULL && pwd->pw_uid == 0)
> 			rootlogin = 1;
> #endif /* NO_PAM */
> 
> 	ttycheck:
> 		/*
> 		 * If trying to log in as root without Kerberos,
> 		 * but with insecure terminal, refuse the login attempt.
> 		 */
> 
> ------------- This next if is the problem: pwd == NULL from above, 
> ------------- and the user doesn't get in.
> 
> 		if (pwd && !rval) {
> 			if (rootlogin && !rootok)
> 				refused(NULL, "NOROOT", 0);
> 			else	/* valid password & authenticated */
> 				break;
> 		}
> 
> 		(void)printf("Login incorrect\n");
> 		failures++;
> 
> ****************************************************************************
> 
> 1. What would be the right way to fix this? 
> 
> 2. After the user successfully logs in he still won't have an entry
>    in the /etc/passwd database, so all syscalls having to do with
>    identifying the user will fail... how can I have these functions get
>    their info from LDAP?
> 
> I'm willing to patch and submit these programs, but would like some
> feedback about the right way to integrate this.
> 
> I checked with a friend who uses Linux, and it appears Linux doesn't have
> this problem since they use /etc/nsswitch.conf to tell the system
> where to get info from. The nsswitch (resolver?) thing seems to 
> understand LDAP.
> 
> Thanks folks,
> 
> -Oscar
> 
> -- 
> For PGP Public Key: finger obonilla@fisicc-ufm.edu
> 

-- 
For PGP Public Key: finger obonilla@fisicc-ufm.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
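An added illustration of the scheme sketched in the message above (it is not code from the post, from pam_ldap, or from FreeBSD's getpwent.c): a passwd line whose name field is `ldap` is treated as a marker rather than an account, its remaining fields are read as port, base DN, lookup attribute and server, and a name that is not found locally falls through to "ask LDAP", the way NIS `+` entries fall through. All struct and function names here are my own, the passwd lines are constructed, and no LDAP query is actually made; the resolver only hands back the parameters a caller would need. Two checks a libc implementation would want are included: the marker must carry `*` in the password field so it can never be logged into, and the marker is never returned as a matching local user even when the login name requested is literally `ldap`. This is also the layer at which the `pwd == NULL` problem in the quoted login.c excerpt has to be closed: once getpwnam() resolves the user through the marker, login's `if (pwd && !rval)` sees a real entry.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of the proposed marker entry, mapped onto the seven passwd
 * fields name:passwd:uid:gid:gecos:dir:shell. Names are my own
 * (hypothetical), not FreeBSD libc's. */
struct ldap_source {
    int  port;          /* uid field        */
    char base_dn[128];  /* gecos field      */
    char attr[32];      /* home-dir field: attribute matched against the login name */
    char server[128];   /* shell field      */
};

/* Split a passwd line in place on ':' into at most max fields.
 * Returns the number of fields produced. */
static int split_passwd(char *line, char *fields[], int max)
{
    int n = 0;
    char *p = line;

    while (n < max) {
        char *colon = strchr(p, ':');
        fields[n++] = p;
        if (colon == NULL)
            break;
        *colon = '\0';
        p = colon + 1;
    }
    return n;
}

/* Copy src into dst; refuse (return 0) instead of truncating. */
static int copy_field(char *dst, size_t cap, const char *src)
{
    if (strlen(src) >= cap)
        return 0;
    strcpy(dst, src);
    return 1;
}

/* Classify one passwd line.
 * Returns  1 and fills *out if it is the "ldap" marker entry,
 *          0 if it is an ordinary local entry,
 *         -1 if it is malformed: wrong field count, a marker whose
 *            password field is not "*", or a port outside 1..65535. */
int parse_ldap_marker(const char *line, struct ldap_source *out)
{
    char buf[512];
    char *f[7];
    char *end;
    long port;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';

    if (split_passwd(buf, f, 7) != 7)
        return -1;
    if (strcmp(f[0], "ldap") != 0)
        return 0;

    /* The marker must never be a loginable account. */
    if (strcmp(f[1], "*") != 0)
        return -1;

    port = strtol(f[2], &end, 10);
    if (*end != '\0' || port <= 0 || port > 65535)
        return -1;

    out->port = (int)port;
    if (!copy_field(out->base_dn, sizeof out->base_dn, f[4]) ||
        !copy_field(out->attr,    sizeof out->attr,    f[5]) ||
        !copy_field(out->server,  sizeof out->server,  f[6]))
        return -1;
    return 1;
}

/* NIS-style fallthrough. A name found in a local entry wins (return 0).
 * Otherwise, if a marker entry is present, return 1 with *src filled so
 * the caller can search "<attr>=<name>" under base_dn; -1 if neither. */
int resolve_user(const char *lines[], int nlines, const char *name,
                 struct ldap_source *src)
{
    int have_marker = 0;
    int i;

    for (i = 0; i < nlines; i++) {
        struct ldap_source tmp;
        int kind = parse_ldap_marker(lines[i], &tmp);
        size_t len;

        if (kind == 1) {            /* marker: remember it, never match it as a user */
            have_marker = 1;
            *src = tmp;
            continue;
        }
        if (kind == -1)             /* skip malformed lines */
            continue;

        len = strcspn(lines[i], ":");   /* ordinary entry: compare name field only */
        if (len == strlen(name) && strncmp(lines[i], name, len) == 0)
            return 0;
    }
    return have_marker ? 1 : -1;
}

/* Constructed sample passwd database containing the marker from the post. */
static const char *sample_passwd[] = {
    "root:*:0:0:Charlie &:/root:/bin/csh",
    "ldap:*:389:389:o=My Organization, c=BR:uid:ldap.myorg.com",
    "obonilla:*:1001:1001:Oscar Bonilla:/home/obonilla:/bin/sh",
};

int main(void)
{
    const char *names[] = { "obonilla", "jdoe", "ldap" };
    int n = (int)(sizeof sample_passwd / sizeof sample_passwd[0]);
    int i;

    for (i = 0; i < 3; i++) {
        struct ldap_source src;
        int r = resolve_user(sample_passwd, n, names[i], &src);

        if (r == 0)
            printf("%s: local passwd entry\n", names[i]);
        else if (r == 1)
            printf("%s: not local; would search %s:%d base \"%s\" for %s=%s\n",
                   names[i], src.server, src.port, src.base_dn, src.attr, names[i]);
        else
            printf("%s: unknown, and no ldap marker present\n", names[i]);
    }
    return 0;
}
```

Rejecting a marker whose password field is anything but `*` matters because the marker sits in the same file login consults; a marker with a usable hash would be an account named `ldap` with uid 389.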