Bug 208576 - I can't use two ldap trees for authorization
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap (Show other bugs)
Version: 4.4
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
BaseOS QE Security Team
Reported: 2006-09-29 10:11 EDT by Alex Lyashkov
Modified: 2012-06-20 09:32 EDT (History)

Doc Type: Bug Fix
Last Closed: 2012-06-20 09:32:22 EDT


Attachments
RHEL3 worked RPM (21.50 KB, application/octet-stream)
2006-09-29 11:22 EDT, Dmitriy Kirhlarov

Description Alex Lyashkov 2006-09-29 10:11:45 EDT
Description of problem:

I have two ldap trees -- o=microspace and o=microspace-test -- for
authorization. The problem is that on RHEL4 with the latest current package
(nss_ldap-226-13.i386.rpm) I can't use o=microspace-test for
authorization. For example (from root):
# su - dkirhlarov
su: incorrect password

Version-Release number of selected component (if applicable):

nss_ldap-226-13.i386.rpm

How reproducible:
100%

Steps to Reproduce:

I have two ldap trees -- o=microspace and o=microspace-test -- for
authorization. The problem is that on RHEL4 with the latest current package
(nss_ldap-226-13.i386.rpm) I can't use o=microspace-test for
authorization. For example (from root):
# su - dkirhlarov
su: incorrect password
But I can authorize in both trees on RHEL3 with my own RPMs with
nss_ldap-226 and pam_ldap-176, and on FreeBSD hosts with nss_ldap-1.251
and pam_ldap-1.8.2.

My config files:
slapd.conf:
...
access to
        dn.regex="^(.+)o=micro([^,]+)$"
        attrs=userPassword,sambaLMPassword,sambaNTPassword
        by anonymous auth
        by self write
        by dn.exact,expand="uid=ldap-sync,ou=virtusers,o=micro$2" read
        by * none

access to * by * read
...
security ssf=128
...
TLSCertificateFile /etc/openldap/ssl/cinfra01.crt
TLSCertificateKeyFile /etc/openldap/ssl/cinfra01.key
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
...
database        bdb
suffix          "o=microspace-test"
rootdn          "uid=ldap-upddn,ou=virtusers,o=microspace-test"
rootpw          it's_a_secret_:)
directory       /var/openldap-data/microspace-test
checkpoint      32 8
...
database        bdb
suffix          "o=microspace"
rootdn          "uid=ldap-upddn,ou=virtusers,o=microspace"
rootpw          it's_a_secret_:)
directory       /var/openldap-data/microspace
checkpoint      32 8
...

/etc/pam.d/su:
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_selinux.so open multiple
session    optional     /lib/security/$ISA/pam_xauth.so

/etc/pam.d/system-auth:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     required      /lib/security/$ISA/pam_limits.so
session     sufficient    /lib/security/$ISA/pam_ldap.so
session     required      /lib/security/$ISA/pam_unix.so

With this config it does not work:

/etc/{,nss_}ldap.conf:
uri ldap://cinfra01
base ou=users,o=microspace-test
ldap_version 3
scope one
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_password md5
ssl start_tls
tls_cacertfile /etc/ssl/cacert.pem
nss_base_passwd ou=users,o=microspace-test?one
nss_base_shadow ou=users,o=microspace-test?one
nss_base_group ou=groups,o=microspace-test?one
bind_timelimit 4
bind_policy hard
idle_timelimit 4
sudoers_base  ou=SUDOers,o=microspace-test

With this config it works fine:

uri ldap://cinfra01
base ou=users,o=microspace
ldap_version 3
scope one
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_password md5
ssl start_tls
tls_cacertfile /etc/ssl/cacert.pem
nss_base_passwd ou=users,o=microspace?one
nss_base_shadow ou=users,o=microspace?one
nss_base_group ou=groups,o=microspace?one
bind_timelimit 4
bind_policy hard
idle_timelimit 4
sudoers_base  ou=SUDOers,o=microspace


uid=dkirhlarov,ou=users,o=microspace-test ldif:

dn: uid=dkirhlarov,ou=users,o=microspace-test
loginShell: /bin/bash
gidNumber: 200
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
sn: dkirhlarov
uid: dkirhlarov
homeDirectory: /home/dkirhlarov
gecos: Dmitriy Kirhlarov
uidNumber: 712
cn: dkirhlarov
userPassword:: it's_a_secret_:)
sshPublicKey:: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBQkl3QUFBSUVBdmRTVm90UnU3bEd
 JRWJibUxub09RUDlGMGJFOWlvSG8wNTh0S1VnRzdMblhVV0p5dFg4SzMwbFRSVnd1eUQ3MFFJcFdX
 YU9mQ3dWbTVEUWp5U1pCVGFOZ01MR3ZkdTBHOXhOcXpRZTVwNHdNRGRxZ3QweGJlVDFhbXIyald0Q
 zNld0VvekhqYi85TFFjbzlVVjhxeUo5bzVQT09mSkYrNUkzc2FRaVBvN24wPSBka2lyaGxhcm92QG
 RpbW1hLm1vcy1vaWxzcGFjZQo=
sshPublicKey:: c3NoLWRzcyBBQUFBQjNOemFDMWtjM01BQUFDQkFKamNJa0lBUmF0Y04zcHJraXZ
 3a0RycjlEeWY2NUNQV2luLzVkQVUyRkZkbDNuTnhDelg2VXpoUVlhMEVlZW5ZQ0Q3SUxhcTFXSWwx
 R1l2UStCaldmNldkcFplSDdKMTZzK2FhOXprQzZTSktObGRaZkx1d0Vrd2RJYW1SNmgvdVVKVHZ6V
 m9TM0tDMURRcXpKenQvVERuV0VjdVQ5OU5uZk1LYjNyc3dXY1pBQUFBRlFDeVVpWStGYWlmanNhRW
 ZZbXFuQnF1NnNuWkd3QUFBSUFVbjRpOWlRQ0xlU0E2SjQxOTVGOHc3TzZMTEF0N1NZM1JRZGwxSFR
 6TktjMTRPWGN5NFZWSGI0QzhIbDdnWEhNSUtvQjFsZHVhUnlHTGcrbzN5UTUzSkhMVUJqSTBFTkl4
 blNURTdlTFdLZ3RHbDNrT0VxdlVvaVR2TmNjaGxkd3A5SHZLOWJRM1k0dS85T2ZiM29nZzZ6VlAzS
 TYrRzdQZWhTcXNJblhXWEFBQUFJQTVYUElmdWJaZ2MzRE5VZkFlSXB4YTV5c2JLc2I2dzdSWjNNSU
 dGcCtFc3lFNzVyWHpRcHZQTnNGeWdKWmZGNWkvc0pwZ0ovRWc3dlZWbGUwSEROaWl2UU9xUG9Eamd
 zWmxVc3FpVU00ZGc5NWVDWWIxWkhYelZTYUVNcGVZd0VNTlQ5YWREU0pOVGRhNVpIZ0dwTVdLZ0xw
 WHlHZEhLM3B1QlExZXVCeWZIUT09IGRraXJobGFyb3ZAZGltbWEubW9zLW9pbHNwYWNlCg==


uid=dkirhlarov,ou=users,o=microspace ldif:

dn: uid=dkirhlarov,ou=users,o=microspace
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: ldapPublicKey
uid: dkirhlarov
uidNumber: 712
gidNumber: 200
gecos: Dmitriy Kirhlarov
sn: Kirhlarov
homeDirectory: /home/dkirhlarov
loginShell: /bin/bash
sambaHomePath: \\%L\home
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-904686856-438036272-2545251039-1401
sambaProfilePath: \\%L\Profiles\%U
sambaPwdMustChange: 2147483647
o: microspace
sambaLogonTime: 0
sambaKickoffTime: 2147483647
sambaLogoffTime: 2147483647
sambaPwdCanChange: 0
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-904686856-438036272-2545251039-2424
sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAACBAJjcIkIARatcN3prkivwkDrr9Dyf65CPWin/
 5dAU2FFdl3nNxCzX6UzhQYa0EeenYCD7ILaq1WIl1GYvQ+BjWf6WdpZeH7J16s+aa9zkC6SJKNldZ
 fLuwEkwdIamR6h/uUJTvzVoS3KC1DQqzJzt/TDnWEcuT99NnfMKb3rswWcZAAAAFQCyUiY+Faifjs
 aEfYmqnBqu6snZGwAAAIAUn4i9iQCLeSA6J4195F8w7O6LLAt7SY3RQdl1HTzNKc14OXcy4VVHb4C
 8Hl7gXHMIKoB1lduaRyGLg+o3yQ53JHLUBjI0ENIxnSTE7eLWKgtGl3kOEqvUoiTvNcchldwp9HvK
 9bQ3Y4u/9Ofb3ogg6zVP3I6+G7PehSqsInXWXAAAAIA5XPIfubZgc3DNUfAeIpxa5ysbKsb6w7RZ3
 MIGFp+EsyE75rXzQpvPNsFygJZfF5i/sJpgJ/Eg7vVVle0HDNiivQOqPoDjgsZlUsqiUM4dg95eCY
 b1ZHXzVSaEMpeYwEMNT9adDSJNTda5ZHgGpMWKgLpXyGdHK3puBQ1euByfHQ== dkirhlarov
sshPublicKey:: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBQkl3QUFBSUVBdmRTVm90UnU3bEd
 JRWJibUxub09RUDlGMGJFOWlvSG8wNTh0S1VnRzdMblhVV0p5dFg4SzMwbFRSVnd1eUQ3MFFJcFdX
 YU9mQ3dWbTVEUWp5U1pCVGFOZ01MR3ZkdTBHOXhOcXpRZTVwNHdNRGRxZ3QweGJlVDFhbXIyald0Q
 zNld0VvekhqYi85TFFjbzlVVjhxeUo5bzVQT09mSkYrNUkzc2FRaVBvN24wPSBka2lyaGxhcm92QG
 RpbW1hLm1vcy1vaWxzcGFjZQo=
givenName: Dmitriy
mail: dkirhlarov@microspace.com
cn: Dmitriy Kirhlarov
initials: D.B.
sambaDomainName: microspace
sambaLMPassword: it's_a_secret_:)
sambaNTPassword: it's_a_secret_:)
sambaPwdLastSet: 1151920822
shadowLastChange: 13332
userPassword:: it's_a_secret_:)

Actual results:
authorization fails

Expected results:
authorization works fine

Additional info:
I can authorize in both trees on RHEL3 with my own RPMs with
nss_ldap-226 and pam_ldap-176, and on FreeBSD hosts with nss_ldap-1.251
and pam_ldap-1.8.2.
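An added example, not part of the bug report and not code from nss_ldap, pam_ldap or OpenLDAP, that checks the two pieces of configuration posted above offline. It replays the slapd.conf `dn.regex="^(.+)o=micro([^,]+)$"` ACL together with its `dn.exact,expand="uid=ldap-sync,ou=virtusers,o=micro$2"` clause, to show which entry DNs that ACL covers and which reader DN it grants for each tree, and it parses the ldap.conf from the report to show in which tree a file's search bases (scope `one`, as configured) can resolve the `dkirhlarov` entry, plus a check that one file does not mix trees. Python's `re` module stands in for slapd's POSIX regex matching (an assumption that holds for these plain DNs); the working-tree file is derived by substituting the suffix, which the report shows is the only difference between the two files; all function names are mine.

```python
import re

# --- Part 1: the slapd.conf ACL from the report, with $2 expansion ----------
ACL_DN_REGEX = re.compile(r"^(.+)o=micro([^,]+)$")            # from the report
ACL_READER_TEMPLATE = "uid=ldap-sync,ou=virtusers,o=micro$2"  # from the report


def acl_reader_for(entry_dn):
    """Return the expanded 'read' DN the ACL grants for entry_dn, or None
    when the dn.regex clause does not apply to that entry at all.
    Assumption: Python re matches these DNs the way slapd's POSIX regex does."""
    m = ACL_DN_REGEX.match(entry_dn)
    if m is None:
        return None
    # slapd substitutes $1, $2, ... in an 'expand' DN with the capture groups.
    return ACL_READER_TEMPLATE.replace("$2", m.group(2))


# --- Part 2: which tree an ldap.conf file resolves users in -----------------
# Copied from the report's non-working /etc/{,nss_}ldap.conf.
LDAP_CONF_TEST_TREE = """\
uri ldap://cinfra01
base ou=users,o=microspace-test
ldap_version 3
scope one
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_password md5
ssl start_tls
tls_cacertfile /etc/ssl/cacert.pem
nss_base_passwd ou=users,o=microspace-test?one
nss_base_shadow ou=users,o=microspace-test?one
nss_base_group ou=groups,o=microspace-test?one
bind_timelimit 4
bind_policy hard
idle_timelimit 4
sudoers_base  ou=SUDOers,o=microspace-test
"""
# The report's working file is the same text with the other suffix.
LDAP_CONF_MAIN_TREE = LDAP_CONF_TEST_TREE.replace("o=microspace-test", "o=microspace")


def parse_ldap_conf(text):
    """Parse the plain 'key value' format of nss_ldap/pam_ldap ldap.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def nss_search_base(conf, nss_map):
    """(base_dn, scope) used for a map such as 'passwd': nss_base_<map> is
    'DN?scope', falling back to the global base and scope (default sub)."""
    spec = conf.get("nss_base_" + nss_map)
    if spec is None:
        return conf["base"], conf.get("scope", "sub")
    base_dn, _, scope = spec.partition("?")
    return base_dn, (scope or conf.get("scope", "sub"))


def dn_in_scope(base_dn, scope, entry_dn):
    """Would a search with this base and scope return entry_dn?  Compares
    lower-cased, space-free DN strings; assumption: canonical 'rdn,rdn' form."""
    def norm(dn):
        return dn.replace(", ", ",").lower()
    base_dn, entry_dn = norm(base_dn), norm(entry_dn)
    if scope == "base":
        return entry_dn == base_dn
    if scope == "one":                       # entry must be a direct child
        return entry_dn.partition(",")[2] == base_dn
    return entry_dn.endswith("," + base_dn)  # sub


def user_resolvable(conf, entry_dn):
    """Can the passwd map of this file find the given user entry?"""
    base_dn, scope = nss_search_base(conf, "passwd")
    return dn_in_scope(base_dn, scope, entry_dn)


def tree_suffix(dn_spec):
    """Tree suffix (last RDN) of a DN, ignoring a trailing '?scope'."""
    return dn_spec.partition("?")[0].rsplit(",", 1)[-1].strip()


def check_single_tree(conf):
    """Return the one tree every base setting points into, or raise if the
    file mixes trees (easy to do when two suffixes share one server)."""
    keys = [k for k in conf
            if k in ("base", "sudoers_base") or k.startswith("nss_base_")]
    trees = {tree_suffix(conf[k]) for k in keys}
    if len(trees) != 1:
        raise ValueError("base settings point into several trees: %s" % sorted(trees))
    return trees.pop()


if __name__ == "__main__":
    entry = "uid=dkirhlarov,ou=users,o=microspace-test"
    print("ACL reader DN for %s -> %s" % (entry, acl_reader_for(entry)))
    for name, text in (("test tree", LDAP_CONF_TEST_TREE), ("main tree", LDAP_CONF_MAIN_TREE)):
        conf = parse_ldap_conf(text)
        print("%s file points into %s; finds %s: %s"
              % (name, check_single_tree(conf), entry, user_resolvable(conf, entry)))
```

Run stand-alone, it reports that the ACL covers entries in both trees (each with its own `ldap-sync` reader DN), that the `o=microspace-test` entry is found only by the file whose bases sit in that tree, and that neither file mixes trees; that narrows the failure the report describes to the PAM/nss_ldap side rather than to search bases or the ACL pattern.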
Comment 1 Dmitriy Kirhlarov 2006-09-29 11:22:29 EDT
Created attachment 137400 [details]
RHEL3 worked RPM

My own spec file for nss_ldap on RHEL3.
RHEL3 works fine with the RPM built from this spec file.

I suppose the problem is in the pam_ldap version. I hope it can help with resolving the problem.
Comment 3 Jiri Pallich 2012-06-20 09:32:22 EDT
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. 
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.
