Bug 513074
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | PAM passthrough plugin does not verify the existence of the bind DN | | |
| Product: | [Retired] 389 | Reporter: | Andrey Ivanov <andrey.ivanov> |
| Component: | Server - Plugins | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED NOTABUG | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 1.2.1 | CC: | benl, edewata |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-03-11 15:58:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 543590 | | |
Description
Andrey Ivanov
2009-07-21 21:20:15 UTC
I think this should be configurable. There are some cases where you might not want to verify the existence of the entry; you might want to allow the bind to proceed. This is how the current (non-PAM) passthrough auth works: the authentication is passed through to a remote LDAP server, and the auth identity is set to the remote DN. This allows you to specify ACIs on the local server that apply to that DN, even though the entry with that DN does not exist on the local server. The same thing may apply (in the future) to certain types of SASL binds, such as SASL GSSAPI (the user exists in Kerberos but does not have to have an entry in the DS) and EXTERNAL (the user's cert exists and can be verified, but does not have to have an entry in the DS).

Configurable is OK. The thing is that the current behaviour disorientates users/developers: they put an erroneous DN in the bind DN and put their (correct) password. They are successfully bound. But when they try to make any reads/modifications they do not have all their rights.

Hi Andrey, it seems that the functionality to verify the bind DN existence already exists using pamIDMapMethod: ENTRY and pamIDAttr: uid. As the method name implies, the ENTRY method will verify the entry's full DN whereas the RDN method will verify just the RDN part. Will this work for you? Thanks.

Hi Endi, yes, your solution is exactly what I wanted and it works as I expected (ldap_bind: No such object (32) error where necessary). Thank you! I think we can close this bug.
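The fix Endi describes, written out as an LDIF change for ldapmodify. This is an illustration added here, not anything attached to the bug: it moves the PAM pass-through plugin from RDN mapping (the behaviour the reporter saw, where a bind DN with no matching entry still authenticates but then carries none of the ACI rights granted to the real entry) to ENTRY mapping, which rejects such binds. The plugin entry DN `cn=PAM Pass Through Auth,cn=plugins,cn=config` is the 389 DS default location for this plugin's configuration and is not taken from this bug.

```ldif
# Before (constructed, the state the reporter describes): only the RDN
# part of the bind DN is checked, so "uid=jdoe,ou=bogus,dc=example,dc=com"
# authenticates through PAM as long as PAM knows user "jdoe", even though
# no such entry exists. ACIs written for the real entry do not apply to
# this identity, hence the "bound but no rights" confusion.
#
#   pamIDMapMethod: RDN
#   pamIDAttr: uid
#
# After: require the full bind DN to resolve to an existing entry whose
# uid attribute supplies the PAM user name. A bind with a DN that has no
# entry now fails with "No such object (32)" instead of succeeding.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
```

Apply it as Directory Manager with `ldapmodify -x -D "cn=Directory Manager" -W -f <file>`, then check the change by binding with a DN that has no entry: with ENTRY mapping the server returns error 32, as the reporter confirmed.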