Bug 585729

Summary: pam_ldap no way to perform simple/https auth if sasl compiled in
Product: Red Hat Enterprise Linux 5
Component: nss_ldap
Version: 5.4
Hardware: All
OS: Linux
Status: CLOSED INSUFFICIENT_DATA
Severity: medium
Priority: low
Reporter: cavanaug <cavanaughwww+public>
Assignee: Nalin Dahyabhai <nalin>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: cavanaughwww+public, jplans
Target Milestone: rc
Target Release: ---
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2010-07-27 15:29:09 UTC

Description cavanaug 2010-04-25 19:42:24 UTC
Description of problem:

After many hours of beating my head against the wall over why this wasn't working,
it appears that out of the box on RH etc. the modules are built with sasl
support, which takes precedence over simple_bind for all cases.  :-(

There is no mechanism (at least that I can find) to force pam_ldap to use
simple authentication with the ldap server if nss_ldap was compiled with
sasl. Yes, yes, I know this is horribly insecure with http, but it is
perfectly secure with https.

If you could please provide a config option in ldap.conf to force usage of
simple+https instead of sasl, I would much appreciate it as it will facilitate
the usage of ldap authentication without needing to recompile the module.

Right now I am completely unable to roll out a common linux login auth structure to our lab because of this limitation.  :-(

Version-Release number of selected component (if applicable):

RHEL 5.4

How reproducible:

Well, you can pretty much simulate it with ldapsearch, but I did look at the code for pam_ldap and it seems clear that there is no way to override sasl once it has been compiled in.

ldapsearch -M <simple query> -D "<bind account info>"
  will fail because of sasl query
ldapsearch -x -M <simple query> -D "<bind account info>"
  will work

As for pam_ldap reproducibility it will just fail with a sasl error.

Expected results:

Ability to use simple_bind with https and simple auth to authenticate to ldap server.

Additional info:

Please contact me directly if you need any additional information, I will be happy to help.

I have also submitted a defect to padl, but it seems this defect is sort of a limitation of how pam_ldap was built & packaged, so it's a bit of both an RH & PADL defect.


Comment 1 Nalin Dahyabhai 2010-06-30 23:42:11 UTC
I'm afraid I don't understand how http is involved here.

While the simple_bind functions in libldap do call into the sasl bind functions to do the heavy lifting, they're told to perform a simple bind (by specifying NULL for the name of the SASL mechanism), and the request that is sent to the server is actually a proper, traditional simple bind request.

What does your ldap.conf configuration look like?  I don't get a SASL error from either nss_ldap or pam_ldap when I attempt to use them here, and a packet capture showed only simple requests being transmitted to the server.

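The distinction comment 1 draws (libldap's simple_bind going through the SASL code path internally, but emitting a traditional simple bind request) is visible on the wire as the tag of the BindRequest's AuthenticationChoice: a simple bind carries the password as a context tag [0] OCTET STRING (0x80), a SASL bind carries a tag [3] SaslCredentials sequence (0xA3) naming the mechanism. The following is an added example, not code from the bug report, nss_ldap or libldap: a small BER encoder/dissector for LDAPv3 BindRequest PDUs (RFC 4511 tags) that builds both kinds of bind and classifies them the way a packet capture would. The DN "cn=admin,dc=example,dc=com", the password "hunter2" and the DIGEST-MD5 mechanism are constructed sample values. It also makes the reporter's "insecure without TLS" point concrete: the simple-bind password is present verbatim in the PDU, which is why a simple bind is only acceptable inside ldaps:// or STARTTLS.

```python
"""Added example (not from the bug report, nss_ldap or libldap): encode and
classify LDAPv3 BindRequest PDUs so the simple-vs-SASL difference is visible.

RFC 4511 tags used:
  LDAPMessage           SEQUENCE                         0x30
  BindRequest           [APPLICATION 0] SEQUENCE         0x60
  AuthenticationChoice  simple [0] OCTET STRING          0x80
                        sasl   [3] SaslCredentials SEQ   0xA3
DN, password and mechanism below are constructed sample values.
"""


def ber_len(n: int) -> bytes:
    """BER definite-length encoding (short form, or long form above 127)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    # Two's-complement INTEGER; the spare bit keeps the sign bit clear.
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_octets(b: bytes) -> bytes:
    return tlv(0x04, b)


def bind_request(msg_id: int, dn: str, *, password: bytes = None,
                 mechanism: str = None, credentials: bytes = b"") -> bytes:
    """Build a BindRequest: password -> simple bind, mechanism -> SASL bind."""
    if (password is None) == (mechanism is None):
        raise ValueError("give either password (simple) or mechanism (SASL)")
    if mechanism is None:
        auth = tlv(0x80, password)                  # [0] simple: cleartext
    else:
        sasl = ber_octets(mechanism.encode())
        if credentials:
            sasl += ber_octets(credentials)         # credentials OPTIONAL
        auth = tlv(0xA3, sasl)                      # [3] sasl
    op = tlv(0x60, ber_int(3) + ber_octets(dn.encode()) + auth)
    return tlv(0x30, ber_int(msg_id) + op)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_bind(msg: bytes) -> dict:
    """Dissect one LDAPMessage holding a BindRequest and report which
    AuthenticationChoice it used, as a packet capture would show it."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    info = {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big"), "dn": dn.decode()}
    if tag == 0x80:
        info["auth"] = "simple"
        info["password_on_wire"] = auth             # readable unless under TLS
    elif tag == 0xA3:
        _, mech, _ = read_tlv(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode()
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return info


# Constructed sample PDUs: what `ldapsearch -x -D ... -w ...` sends (simple)
# versus the opening request of a default SASL-enabled ldapsearch (SASL).
SIMPLE_BIND = bind_request(1, "cn=admin,dc=example,dc=com", password=b"hunter2")
SASL_BIND = bind_request(2, "", mechanism="DIGEST-MD5")

if __name__ == "__main__":
    for pdu in (SIMPLE_BIND, SASL_BIND):
        print(pdu.hex(), classify_bind(pdu))
```

Running it prints both PDUs and their classification; the simple bind's PDU contains the bytes "hunter2" unchanged, the SASL PDU contains only the mechanism name. The same check against a real capture (filter on the BindRequest's authentication tag) is how to confirm what comment 1 states: whether a client compiled with SASL support is actually sending 0x80 (simple) or 0xA3 (SASL) requests.
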
Comment 2 Nalin Dahyabhai 2010-07-27 15:29:09 UTC
I'm going to close this as having insufficient data.  Please reopen if you can supply more information about what's going on here.  Thanks!