From owner-freebsd-bugs@FreeBSD.ORG Thu Sep 6 11:50:02 2007
Message-Id: <200709061111.l86BBrte064784@speedy.nsn.no>
Date: Thu, 6 Sep 2007 13:11:53 +0200 (CEST)
From: "Daniel Bond"
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Daniel Bond
Reply-To: Daniel Bond
Subject: bin/116150: PAM module pam_unix.so seems to block account-checks for pam_ldap.so
X-Send-Pr-Version: 3.113
List-Id: Bug reports

>Number:         116150
>Category:       bin
>Synopsis:       PAM module pam_unix.so seems to block account-checks for pam_ldap.so
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 06 11:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Bond
>Release:        FreeBSD 6.2-RELEASE-p4 amd64
>Organization:
Network Solutions Norway ASA
>Environment:
System: FreeBSD speedy.nsn.no 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 15:04:52 UTC 2007 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/SMP amd64

The packages I have installed are:

nss_ldap-1.256          RFC 2307 NSS module
openldap-client-2.3.38  Open source LDAP client implementation
pam_ldap-1.8.2          A pam module for authenticating with LDAP

The relevant lines from /etc/pam.d/sshd look like this:

# auth
auth            required        pam_nologin.so                  no_warn
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass debug
auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so               no_warn allow_local
auth            required        pam_unix.so                     no_warn try_first_pass debug

# account
account         sufficient      /usr/local/lib/pam_ldap.so      debug
account         required        pam_login_access.so
account         required        pam_unix.so                     debug

The relevant lines from ldap.conf:

pam_filter objectclass=posixAccount
#pam_check_host_attr yes
pam_groupdn cn=flexiweb,ou=ssh-access,ou=groups,dc=example,dc=com
pam_member_attribute member
nss_base_passwd ou=company,ou=people,dc=example,dc=com
nss_base_shadow ou=company,ou=people,dc=example,dc=com
nss_base_group  ou=posixgroups,ou=groups,dc=example,dc=com

>Description:
When setting up LDAP authentication with services like ssh, it is common to have all users in a "users" OrganizationalUnit, but one usually doesn't want to allow all these people to gain access to every server configured with LDAP authentication.

I can log in to this machine, but pam_ldap completely ignores "pam_groupdn" and "pam_check_host_attr yes". This means that all my LDAP users have access to the FreeBSD machines, while on Linux the users are restricted to "pam_groupdn". I'm running the same version of pam_ldap on the FreeBSD and Linux clients, and pam_groupdn is documented in pam_ldap(5) under FreeBSD, which makes me believe that this is a problem with FreeBSD PAM and not a PADL pam_ldap issue.

I've been googling this issue for some hours, and I've seen quite a few posts about the same issue on the mailing lists, dating back to 2003-2004, but no answers or description of what is causing this. The closest I've found is on a few Solaris lists, where the problem is traced back to pam_unix.so, because pam_unix.so is returning a positive status before the account checks in the mod_ldap.so module are run. Could something similar be the problem with FreeBSD?

I don't seem to be getting any debug output from PAM either, even though this should be syslogged to /var/log/debug.log.

Sorry for the little information/no patch to fix this, but I've hit the wall trying to debug this, and there seem to be no answers to be found on the mailing lists.

Also, the issue with using /usr/bin/passwd for changing LDAP account passwords seems to have been solved about this time in 2004; any chance we will be seeing this upstream soon?

>How-To-Repeat:
Set up FreeBSD 6.2 & PAM with nss_ldap/pam_ldap, and configure pam_groupdn or pam_check_host_attr. These settings will be ignored.

>Fix:
No known fix for this issue.

>Release-Note:
>Audit-Trail:
>Unformatted:
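The report's suspicion that pam_unix.so's success is what lets the pam_ldap account check go unenforced can be checked against the control-flag rules that pam.conf(5) documents for OpenPAM (required, requisite, sufficient, binding, optional). The script below is an added illustration, not OpenPAM, pam_ldap or FreeBSD code: it models how a chain turns per-module results into a single verdict and walks the account stack quoted above through it. The module outcomes are constructed values, the `STRICT_STACK` variant is a hypothetical alternative for comparison, and the numeric return codes are placeholders, since only "success versus not" matters to the rules.

```python
"""Model of OpenPAM-style chain evaluation (rules from pam.conf(5)).

Added illustration only; not OpenPAM or pam_ldap code. Module results
are constructed values, not real module calls.
"""

PAM_SUCCESS = 0
PAM_PERM_DENIED = 6      # illustrative codes; only "success vs. not" matters


def run_chain(chain, results, consulted=None):
    """Walk `chain` (list of (control, module)) using `results`
    (module -> return code) and return the verdict the application sees.
    If `consulted` is a list, every module actually evaluated is appended
    to it, which makes early termination visible."""
    fail = None                       # first failure recorded as fatal
    for control, module in chain:
        rc = results[module]
        if consulted is not None:
            consulted.append(module)
        if control == "required":
            if rc != PAM_SUCCESS and fail is None:
                fail = rc             # fatal, but later modules still run
        elif control == "requisite":
            if rc != PAM_SUCCESS:
                return rc             # fatal and terminates the chain
        elif control == "sufficient":
            if rc == PAM_SUCCESS and fail is None:
                return PAM_SUCCESS    # grants at once, skipping the rest
            # a failure from a sufficient module is simply ignored
        elif control == "binding":
            if rc == PAM_SUCCESS and fail is None:
                return PAM_SUCCESS
            if rc != PAM_SUCCESS and fail is None:
                fail = rc
        elif control == "optional":
            if len(chain) == 1:       # only counts when it is the whole chain
                fail = None if rc == PAM_SUCCESS else rc
        else:
            raise ValueError("unknown control flag: %s" % control)
    return PAM_SUCCESS if fail is None else fail


# The account stack from the report's /etc/pam.d/sshd.
REPORTED_STACK = [
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_login_access.so"),
    ("required",   "pam_unix.so"),
]

# Hypothetical alternative: make pam_ldap's account verdict fatal.
STRICT_STACK = [
    ("requisite",  "pam_ldap.so"),
    ("required",   "pam_login_access.so"),
    ("required",   "pam_unix.so"),
]


def account_verdict(stack, ldap_rc, consulted=None):
    """Verdict for a directory user whose pam_ldap account check returned
    `ldap_rc`, assuming (constructed) that pam_login_access.so and
    pam_unix.so both succeed, as they would for any NSS-resolvable user."""
    results = {
        "pam_ldap.so": ldap_rc,
        "pam_login_access.so": PAM_SUCCESS,
        "pam_unix.so": PAM_SUCCESS,
    }
    return run_chain(stack, results, consulted)


if __name__ == "__main__":
    for stack_name, stack in (("reported", REPORTED_STACK),
                              ("strict", STRICT_STACK)):
        for rc_name, rc in (("success", PAM_SUCCESS),
                            ("denied", PAM_PERM_DENIED)):
            seen = []
            verdict = account_verdict(stack, rc, seen)
            print("%-8s stack, pam_ldap %-7s -> %s (consulted: %s)"
                  % (stack_name, rc_name,
                     "granted" if verdict == PAM_SUCCESS else "denied",
                     ", ".join(seen)))
```

Under the model, a `sufficient` pam_ldap whose pam_groupdn check fails is silently ignored and the two `required` modules that follow grant the session, which is the symptom the report describes; a successful pam_ldap, conversely, returns at once and pam_login_access.so is never consulted for directory users. Before changing the flag to `requisite` or `required` on a real host, check what pam_ldap returns for accounts that exist only locally (root on the console, for instance), because that answer becomes fatal too; the `ignore_unknown_user` module argument is the usual escape hatch if the installed pam_ldap supports it, and the change should be verified from a second session with the old one kept open.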