Bug 585729 - pam_ldap no way to perform simple/https auth if sasl compiled in
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
Reported: 2010-04-25 15:42 EDT by cavanaug
Modified: 2010-07-27 11:29 EDT (History)
Last Closed: 2010-07-27 11:29:09 EDT
Description cavanaug 2010-04-25 15:42:24 EDT
Description of problem:

After many hours of beating my head against the wall wondering why this wasn't working,
it appears that out of the box on RH etc. the modules are built with sasl
support, which takes precedence over simple_bind for all cases.  :-(

There is no mechanism (at least that I can find) to force pam_ldap to use
simple authentication with the ldap server if nss_ldap was compiled with
sasl.   Yes, yes, I know this is horribly insecure with http, but it is
perfectly secure with https.

If you could please provide a config option in ldap.conf to force usage of
simple+https instead of sasl, I would much appreciate it as it will facilitate
the usage of ldap authentication without needing to recompile the module.

Right now I am completely unable to roll out a common linux login auth structure to our lab because of this limitation.  :-(


Version-Release number of selected component (if applicable):

RHEL 5.4


How reproducible:

Well, you can pretty much simulate it with ldapsearch, but I did look at the code for pam_ldap and it seems clear that there is no way to override sasl once it has been compiled in.

ldapsearch -M -D "<bind account info>" <simple query>
  will fail because of sasl query
ldapsearch -x -M -D "<bind account info>" <simple query>
  will work

As for pam_ldap reproducibility it will just fail with a sasl error.


Expected results:

Ability to use simple_bind with https and simple auth to authenticate to the ldap server.

Additional info:

Please contact me directly if you need any additional information, I will be happy to help.

I have also submitted a defect to PADL, but it seems this defect is sort of a limitation of how pam_ldap was built & packaged, so it's a bit of both a RH & PADL defect.

http://bugzilla.padl.com/show_bug.cgi?id=419
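For comparison with the request above, this is what a simple bind over LDAPS looks like in the PADL-style /etc/ldap.conf that nss_ldap and pam_ldap read on RHEL 5. It is an added example, not configuration taken from the bug report or from the reporter's system: the host, base DN, bind DN, password and CA file are placeholders, and the note that SASL is only attempted when use_sasl / sasl_mech (nss_ldap) or pam_sasl_mech (pam_ldap) are set reflects the documented PADL defaults rather than anything confirmed in this report.

```conf
# Added example: minimal nss_ldap/pam_ldap configuration for a simple bind
# inside a TLS session. All values below are placeholders.
uri ldaps://ldap.example.com/
base dc=example,dc=com

# Proxy identity used for nss lookups. The password is a simple-bind
# credential, so it is only acceptable because the uri is ldaps://.
binddn cn=proxy,ou=services,dc=example,dc=com
bindpw CHANGE_ME

# Verify the server certificate; without this the TLS tunnel does not protect
# the simple-bind password against a man-in-the-middle.
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem

# SASL is opt-in: nss_ldap uses it only when use_sasl/sasl_mech are set, and
# pam_ldap only when pam_sasl_mech is set. Leaving them commented out keeps
# every bind a plain LDAP simple bind.
#use_sasl on
#sasl_mech GSSAPI
#pam_sasl_mech GSSAPI

# Let password changes go through the LDAP password-modify extended operation
# instead of rewriting userPassword directly.
pam_password exop
```

With this in place the bind request on the wire is the RFC 4511 simple form regardless of whether the library was built with SASL support; a packet capture on port 636 decrypted with the server key, or a capture against a test server over plain ldap://, will show no SASL mechanism name at all.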
Comment 1 Nalin Dahyabhai 2010-06-30 19:42:11 EDT
I'm afraid I don't understand how http is involved here.

While the simple_bind functions in libldap do call into the sasl bind functions to do the heavy lifting, they're told to perform a simple bind (by specifying NULL for the name of the SASL mechanism), and the request that is sent to the server is actually a proper, traditional simple bind request.

What does your ldap.conf configuration look like?  I don't get a SASL error from either nss_ldap or pam_ldap when I attempt to use them here, and a packet capture showed only simple requests being transmitted to the server.
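The distinction drawn in comment 1, between libldap routing simple binds through its SASL code internally and what actually appears on the wire, is easy to check against a capture once you know the BER tags involved. The following is an added example, not code from the bug report, from libldap or from nss_ldap/pam_ldap: it encodes RFC 4511 BindRequest PDUs in both forms and classifies a captured one by the AuthenticationChoice tag, so you can tell a simple bind (context tag [0], what ldap_simple_bind emits when the mechanism is NULL) from a SASL bind (context tag [3] carrying a mechanism name). The DNs, password and mechanism in the sample captures are constructed.

```python
"""Added example: encode and classify LDAPv3 BindRequest PDUs (RFC 4511).

BER tags used (from the LDAP ASN.1):
  LDAPMessage            SEQUENCE         0x30
  messageID / version    INTEGER          0x02
  BindRequest            [APPLICATION 0]  0x60
  LDAPDN / LDAPString    OCTET STRING     0x04
  authentication simple  [0]              0x80  (password as OCTET STRING)
  authentication sasl    [3]              0xA3  (SaslCredentials SEQUENCE)
"""

LDAP_VERSION = 3


def ber_length(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    """Non-negative INTEGER; a leading 0x00 keeps the top bit from reading as sign."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def bind_request(msg_id, name, simple_pw=None, sasl_mech=None, sasl_creds=b""):
    """Encode an LDAPMessage carrying a BindRequest (give simple_pw or sasl_mech)."""
    if (simple_pw is None) == (sasl_mech is None):
        raise ValueError("give exactly one of simple_pw or sasl_mech")
    if simple_pw is not None:
        auth = tlv(0x80, simple_pw)                     # simple [0]
    else:                                               # sasl [3] { mechanism, credentials }
        auth = tlv(0xA3, tlv(0x04, sasl_mech.encode()) + tlv(0x04, sasl_creds))
    op = tlv(0x60, ber_integer(LDAP_VERSION) + tlv(0x04, name.encode()) + auth)
    return tlv(0x30, ber_integer(msg_id) + op)


def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length


def classify_bind(pdu):
    """Describe a BindRequest PDU; return None for any other protocolOp.

    Reports kind ('simple' or 'sasl'), DN and, for SASL, the mechanism.
    The simple-bind password is deliberately not included in the result.
    """
    tag, msg, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:
        return None
    _, ver, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    atag, auth, _ = read_tlv(op, pos)
    info = {"msg_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"), "name": name.decode()}
    if atag == 0x80:
        info["kind"] = "simple"
    elif atag == 0xA3:
        _, mech, _ = read_tlv(auth)
        info["kind"] = "sasl"
        info["mechanism"] = mech.decode()
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % atag)
    return info


# Constructed sample "captures" (not real traffic): a proxy-user simple bind
# next to a GSSAPI SASL bind with no initial credentials.
SIMPLE_CAPTURE = bind_request(1, "cn=proxy,dc=example,dc=com", simple_pw=b"secret")
SASL_CAPTURE = bind_request(2, "", sasl_mech="GSSAPI")

if __name__ == "__main__":
    for cap in (SIMPLE_CAPTURE, SASL_CAPTURE):
        print(cap.hex(), "->", classify_bind(cap))
```

Point `classify_bind` at the first client-to-server PDU of a capture taken with the server over plain ldap:// in a test environment (or at a decrypted LDAPS session) and the verdict is unambiguous: a simple bind, whatever libldap did internally, never carries a mechanism name on the wire.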
Comment 2 Nalin Dahyabhai 2010-07-27 11:29:09 EDT
I'm going to close this as having insufficient data.  Please reopen if you can supply more information about what's going on here.  Thanks!
