Date: Fri, 16 Jul 1999 12:36:48 -0600
From: Oscar Bonilla <obonilla@fisicc-ufm.edu>
To: freebsd-hackers@FreeBSD.ORG
Subject: Re: PAM & LDAP in FreeBSD
Message-ID: <19990716123648.C3049@fisicc-ufm.edu>
In-Reply-To: <19990715200336.A15050@fisicc-ufm.edu>; from Oscar Bonilla on Thu, Jul 15, 1999 at 08:03:36PM -0600

Following up on my own post:

For LDAP to be seamlessly integrated into the system some of the libraries
have to be changed. Specifically the ones dealing with /etc/passwd and user
information.

I've decided the best way to do this is to do what's done with NIS.
Basically handle the case where the user is not available in the local
databases. The idea is to have an entry in the /etc/passwd enabling LDAP
lookups. The entry would be of the form

ldap:*:389:389:o=My Organization, c=BR:uid:ldap.myorg.com
       ^^^     ^^^^^^^^^^^^^^^^^^^^^^^ ^^^ ^^^^^^^^^^^^^^
        |                  |           |          |
       port             base dn      attr     LDAP Server

This comes from a pam_ldap module I got from Pedro A M Vazquez.

I'll change all of the functions in lib/libc/gen/getpwent.c to handle this
special case. The only problem is that openldap has to be integrated on the
base system for this to compile... can I safely copy it to /usr/src/contrib?

How do I submit this after it's done? Does anyone care about ldap :)?

Regards,

-Oscar

On Thu, Jul 15, 1999 at 08:03:36PM -0600, Oscar Bonilla wrote:
> While trying to use the pam_ldap module available from www.padl.com
> I discovered the following problem.
>
> Although the module authenticates just fine (using openldap)
> the login program fails to permit logins. I traced the problem to
> login.c --- the following code is from login.c
>
> My questions are at the bottom.
>
> ****************************************************************************
>
>
>         pwd = getpwnam(username);
>
> --------- at this point pwd == NULL due to the fact that the user
> --------- does not exist on the local passwd database... see below
>
>         /*
>          * if we have a valid account name, and it doesn't have a
>          * password, or the -f option was specified and the caller
>          * is root or the caller isn't changing their uid, don't
>          * authenticate.
>          */
>         if (pwd != NULL) {
>             if (pwd->pw_uid == 0)
>                 rootlogin = 1;
>
>             if (fflag && (uid == (uid_t)0 ||
>                 uid == (uid_t)pwd->pw_uid)) {
>                 /* already authenticated */
>                 break;
>             } else if (pwd->pw_passwd[0] == '\0') {
>                 if (!rootlogin || rootok) {
>                     /* pretend password okay */
>                     rval = 0;
>                     goto ttycheck;
>                 }
>             }
>         }
>
>         fflag = 0;
>
>         (void)setpriority(PRIO_PROCESS, 0, -4);
>
> #ifndef NO_PAM
>         /*
>          * Try to authenticate using PAM. If a PAM system error
>          * occurs, perhaps because of a botched configuration,
>          * then fall back to using traditional Unix authentication.
>          */
>         if ((rval = auth_pam()) == -1)
>
> ------------- This returns PAM_SUCCESS since the pam_ldap module has
> ------------- successfully identified and authenticated the user.
>
> #endif /* NO_PAM */
>             rval = auth_traditional();
>
>         (void)setpriority(PRIO_PROCESS, 0, 0);
>
> #ifndef NO_PAM
>         /*
>          * PAM authentication may have changed "pwd" to the
>          * entry for the template user. Check again to see if
>          * this is a root login after all.
>          */
>         if (pwd != NULL && pwd->pw_uid == 0)
>             rootlogin = 1;
> #endif /* NO_PAM */
>
> ttycheck:
>         /*
>          * If trying to log in as root without Kerberos,
>          * but with insecure terminal, refuse the login attempt.
>          */
>
> ------------- This next if is the problem: pwd == NULL from above,
> ------------- and the user doesn't get in.
>
>         if (pwd && !rval) {
>             if (rootlogin && !rootok)
>                 refused(NULL, "NOROOT", 0);
>             else /* valid password & authenticated */
>                 break;
>         }
>
>         (void)printf("Login incorrect\n");
>         failures++;
>
> ****************************************************************************
>
> 1. What would be the right way to fix this?
>
> 2. After the user successfully logs in he still won't have an entry
>    in the /etc/passwd database, so all syscalls having to do with
>    identifying the user will fail... how can I have these functions get
>    their info from LDAP?
>
> I'm willing to patch and submit these programs, but would like some
> feedback about the right way to integrate this.
>
> I checked with a friend who uses linux, and it appears linux doesn't have
> this problem since they use the /etc/nsswitch.conf to tell the system
> where to get info from. The nsswitch (resolver?) thing seems to
> understand ldap.
>
> Thanks folks,
>
> -Oscar

--
For PGP Public Key: finger obonilla@fisicc-ufm.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
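The special "ldap:" passwd entry proposed above, parsed into its port, base DN, attribute and server fields, as an added illustration. This is not Oscar's patch nor FreeBSD's getpwent.c; the struct and function names are assumptions, and the sample lines in the comments are constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Assumed holder for the fields of the proposed "ldap:" passwd entry
 * (illustration only; not the FreeBSD libc implementation). */
struct ldap_pw_hint {
    int  port;          /* taken from the uid field */
    char base_dn[128];  /* gecos field, e.g. "o=My Organization, c=BR" */
    char attr[32];      /* home field: attribute matched against the login name */
    char server[128];   /* shell field: LDAP server host */
};
/* Parse "ldap:*:389:389:o=My Organization, c=BR:uid:ldap.myorg.com".
 * Returns 1 on success, 0 if the line is not a well-formed ldap entry. */
static int parse_ldap_pw_line(const char *line, struct ldap_pw_hint *out)
{
    char buf[512], *fields[7], *p, *colon, *end;
    long port;
    int n;
    if (strlen(line) >= sizeof buf)
        return 0;
    strcpy(buf, line);
    /* Split on ':' into exactly seven fields. The base DN may contain
     * commas and spaces but never ':', so a plain split is safe. */
    for (n = 0, p = buf; n < 7; n++) {
        fields[n] = p;
        if ((colon = strchr(p, ':')) == NULL)
            break;              /* last field reached */
        if (n == 6)
            return 0;           /* too many fields */
        *colon = '\0';
        p = colon + 1;
    }
    if (n != 6 || strcmp(fields[0], "ldap") != 0)
        return 0;               /* too few fields, or an ordinary user line */
    /* The uid field carries the port; require a valid TCP port number. */
    port = strtol(fields[2], &end, 10);
    if (*fields[2] == '\0' || *end != '\0' || port < 1 || port > 65535)
        return 0;
    /* Reject empty or oversized DN, attribute and server fields. */
    if (strlen(fields[4]) >= sizeof out->base_dn || fields[4][0] == '\0' ||
        strlen(fields[5]) >= sizeof out->attr || fields[5][0] == '\0' ||
        strlen(fields[6]) >= sizeof out->server || fields[6][0] == '\0')
        return 0;
    out->port = (int)port;
    strcpy(out->base_dn, fields[4]);
    strcpy(out->attr, fields[5]);
    strcpy(out->server, fields[6]);
    return 1;
}
```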