Red Hat Bugzilla – Bug 26029
pam_unix.so prevents pam_ldap.so from enforcing group membership
Last modified: 2007-04-18 12:31:10 EDT
When using "pam_groupdn" in /etc/ldap.conf for pam_ldap.so (from
nss_ldap), group membership is not enforced.
This is being caused by 'account sufficient pam_unix.so'
in /etc/pam.d/system-auth. LDAP group membership enforcement works when I
comment this line out of system-auth.
Steps to Reproduce:
1. Set up nss_ldap to enforce group membership.
2. Pick an account whose dn is not a member of the required group.
3. Login with account from 2 above on an LDAP client machine.
Actual Results: Login succeeds.
Expected Results: Login should fail with the following notice:
You must be a <attr> of <group> to login.
where attr is an ldap attribute & group is a posixGroup
This works just fine if I comment account sufficient pam_unix.so out
This functionality is critical for deploying cool, centralized LDAP
This doesn't work in Guinness either.
Nice catch. The account management supplied by pam_unix amounts to verifying
that the user's shadow information (if there is any) can be read.
To verify, if you change the pam_unix account line from 'sufficient' to
'required', does it work as expected?
Yes, changing sufficient to required fixes it. Thanks!
We (Red Hat) should really try hard to fix this before next release.
Caveat: changing it to required also breaks a local root user. Try this:
account required /lib/security/pam_unix.so
account [default=ok user_unknown=ignore] /lib/security/pam_ldap.so
The syntax looks a little strange, but it appears to work slightly better on my
test machine. Since the system-auth file is generated by authconfig, I'm going
to reclassify this as an authconfig bug. It'll be fixed in authconfig 4.1.1.
Am using: Fisher plus authconfig-4.1.1-1 & pam-0.74-5
From my testing, authentication now works in the following way: 1) LDAP users
can authenticate against ldap, 2) root can authenticate against local files.
However, if I stop slapd, root can no longer authenticate. Commenting out
pam_ldap.so fixes it.
If slapd is stopped, logging in via login as root produces the message: "Error
in service module".
Try authconfig-4.1.3, which until it shows up in Raw Hide is up in
http://people.redhat.com/nalin/test/. It should also set pam_ldap to ignore
server errors. One of our developers tripped over this problem when he
misspelled the server's name, so I think we've got it fixed.
Nope. New info. Am using: Stock Fisher plus authconfig-4.1.3-1,
nss_ldap-142-2, & pam-0.74-5
slapd is stopped, root's login info is in /etc/passwd, /etc/group, & /etc/shadow
If /etc/ldap.conf is pointed at 127.0.0.1 with TLS on, root can login. With TLS
off, login still produces an "Error in service module" error.
(I'm assuming TLS off is safe for localhost, if not then I guess I don't really
care about this bug).
Thanks as always!
Try adding "service_err=ignore" to the list of flags within the '[' and ']'.
This will keep the module from having an effect if the server is down. I'm a
little uncomfortable with having it allow the user access if the server is
unreachable, so even though I've made the change to authconfig's CVS tree (it'll
pop up in 4.1.5), it may get reverted before the final release.
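
Added example (not part of the original bug thread and not authconfig's or Linux-PAM's code): a simplified Python model of how Linux-PAM combines the account stack, run over the configurations discussed above. The per-module return codes in each scenario are constructed, and the 'required' pam_ldap line in the first two stacks is an assumption, since the thread shows only the pam_unix line.

```python
# Simplified Linux-PAM stack model: ok/done/bad/die/ignore actions only.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """Map 'required' or '[default=ok user_unknown=ignore]' to {retval: action}."""
    if control.startswith("["):
        return dict(pair.split("=") for pair in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, returns):
    """stack: [(control, module)]; returns: {module: retval}. Gives the stack result."""
    status, impression = "success", None      # impression: None, "pos" or "neg"
    for control, module in stack:
        retval = returns[module]
        rules = parse_control(control)
        action = rules.get(retval, rules["default"])
        if action in ("ok", "done"):
            # A module's code replaces the status only while the stack is still passing.
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                         # later modules are never consulted
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval
            if action == "die":
                break
    return status if impression else "perm_denied"

UNIX, LDAP = "pam_unix.so", "pam_ldap.so"
# Stacks from the thread; the 'required' pam_ldap line is an assumption.
ORIGINAL      = [("sufficient", UNIX), ("required", LDAP)]
BOTH_REQUIRED = [("required", UNIX), ("required", LDAP)]
PROPOSED      = [("required", UNIX), ("[default=ok user_unknown=ignore]", LDAP)]
FAIL_OPEN     = [("required", UNIX),
                 ("[default=ok user_unknown=ignore service_err=ignore]", LDAP)]
# Constructed scenarios: the return code each module is assumed to give.
NOT_IN_GROUP = {UNIX: "success", LDAP: "perm_denied"}   # LDAP user outside pam_groupdn
LOCAL_ROOT   = {UNIX: "success", LDAP: "user_unknown"}  # root exists only in local files
SERVER_DOWN  = {UNIX: "success", LDAP: "service_err"}   # root login while slapd is stopped
if __name__ == "__main__":
    for name in ("ORIGINAL", "BOTH_REQUIRED", "PROPOSED", "FAIL_OPEN"):
        print(name, [run_stack(globals()[name], s)
                     for s in (NOT_IN_GROUP, LOCAL_ROOT, SERVER_DOWN)])
```

In this model the ORIGINAL stack stops at pam_unix and never reaches the group check, while FAIL_OPEN returns success for SERVER_DOWN because the LDAP module's error is ignored.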