Bug 788751
Summary: | Account Policy Plugin does not work for simple binds when PAM Pass Through Auth plugin is enabled | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Rich Megginson <rmeggins> |
Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> |
Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.3 | CC: | jgalipea, mreynolds, sramling |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | 389-ds-base-1.2.10.0-1.el6 | Doc Type: | Bug Fix |
Doc Text: | Cause: do an LDAP bind going through the PAM plugin. Consequence: postop plugins are not called. Fix: make sure that the post op plugins are called. Result: post op plugins should still be called, like "Account Usability" and "lastLoginTime". |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2012-06-20 07:14:18 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Rich Megginson
2012-02-08 23:06:39 UTC
To verify:

[1] First, PAM needs to be set up: http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through

[2] Enable and configure the account policy plugin to always update the lastLogin:

    cn=Account Policy Plugin,cn=plugins,cn=config
    nsslapd-pluginEnabled: on

    cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
    objectClass: top
    objectClass: extensibleObject
    cn: config
    alwaysrecordlogin: true

[3] Test that the plugin works with a simple or SASL/GSSAPI bind:

    ldapsearch -Y GSSAPI -h ldap-server -b "dc=example,dc=com" uid=testuser lastLoginTime

--> You should get a value for lastLoginTime. You might need to run the search twice.

    lastLoginTime: 20110610071526Z

[4] Configure the PAM Passthrough plugin:

    dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
    ...
    ...
    pamMissingSuffix: ALLOW
    pamExcludeSuffix: cn=config
    pamExcludeSuffix: o=NetscapeRoot
    pamIDMapMethod: ENTRY
    pamIDAttr: uid
    pamFallback: TRUE
    pamSecure: TRUE
    pamService: ldapserver
    pamIncludeSuffix: dc=example,dc=com

[5] Rerun the search and make sure the lastLoginTime is still being updated.

[6] Then run a search that uses PAM:

    ldapsearch -x -H ldap://ldap-server -b "dc=example,dc=com" -D "uid=testuser,ou=users,dc=example,dc=com" -w password uid=testuser lastLoginTime

[7] Verify that lastLoginTime is updated.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: do an LDAP bind going through the PAM plugin.
Consequence: postop plugins are not called.
Fix: make sure that the post op plugins are called.
Result: post op plugins should still be called, like "Account Usability" and "lastLoginTime".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2012-0813.html
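
The check in steps [6] and [7] of the description can be scripted as a regression test. The following is an added example, not part of the bug report or of 389-ds-base; the function names, the password-file argument and the sample entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: automates steps [6]-[7].

# Print the first lastLoginTime value in ldapsearch LDIF output on stdin.
# LDIF attribute names are case-insensitive, so match in lower case.
extract_last_login() {
    awk -F': ' 'tolower($1) == "lastlogintime" { print $2; exit }'
}

# True when $1 has the UTC form shown in the report (YYYYMMDDhhmmssZ).
# Other GeneralizedTime forms (fractions, offsets) are rejected here.
is_utc_gentime() {
    digits=${1%Z}
    [ "$digits" != "$1" ] || return 1          # must end in Z
    case $digits in *[!0-9]*|'') return 1 ;; esac
    [ "${#digits}" -eq 14 ]
}

# True when the value read after the bind ($2) is later than before ($1).
# An empty $1 means the attribute was not set yet, which also passes.
login_time_advanced() {
    is_utc_gentime "$2" || return 1
    [ -n "$1" ] || return 0
    is_utc_gentime "$1" || return 1
    [ "${2%Z}" -gt "${1%Z}" ]
}

# Constructed sample of one ldapsearch -LLL result (hypothetical entry).
sample_ldif() {
    printf '%s\n' 'dn: uid=testuser,ou=users,dc=example,dc=com' \
        'lastLoginTime: 20110610071526Z'
}

# Live check against a server; every argument is the caller's own value.
# -y reads the bind password from a file (whole contents, so no trailing
# newline) instead of exposing it on the command line with -w.
pam_bind_updates_login() {
    uri=$1 base=$2 binddn=$3 pwfile=$4 filter=$5
    search() {
        ldapsearch -x -LLL -H "$uri" -b "$base" -D "$binddn" -y "$pwfile" \
            "$filter" lastLoginTime
    }
    out=$(search) || return 2
    before=$(printf '%s\n' "$out" | extract_last_login)
    sleep 2                       # the timestamp has one-second resolution
    search >/dev/null || return 2 # extra bind: a search may show the old value
    out=$(search) || return 2
    after=$(printf '%s\n' "$out" | extract_last_login)
    login_time_advanced "$before" "$after"
}
```

pam_bind_updates_login returns 0 when the simple bind advanced lastLoginTime, 1 when it did not (the symptom reported here), and 2 when ldapsearch itself failed.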