585729 – pam_ldap no way to perform simple/https auth if sasl compiled in

Bug 585729 - pam_ldap no way to perform simple/https auth if sasl compiled in

Summary: pam_ldap no way to perform simple/https auth if sasl compiled in

Keywords:
Status:	CLOSED INSUFFICIENT_DATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	nss_ldap
Sub Component:
Version:	5.4
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Nalin Dahyabhai
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-04-25 19:42 UTC by cavanaug
Modified:	2010-07-27 15:29 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-07-27 15:29:09 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description cavanaug 2010-04-25 19:42:24 UTC

Description of problem:

After many hours of beating my head against the wall why this wasnt working.
It appears that out of the box on RH etc the modules are built with sasl
support, which takes precedence over simple_bind for all cases. :-(

There is no mechanism (at least that I can find) to force pam_ldap to use
simple authentication with the ldap server if nss_ldap was compiled with
sasl. Yes, yes, I know this is horribly insecure with http, but it is
perfectly secure with https.

If you could please provide a config option in ldap.conf to force usage of
simple+https instead of sasl, I would much appreciate it as it will facilitate
the usage of ldap authentication without needing to recompile the module.

Right now I am completely unable to roll out a common linux login auth structure to our lab because of this limitation. :-(

Version-Release number of selected component (if applicable):

RHEL 5.4

How reproducible:

Well you can pretty much simulate it with ldapsearch, but I did look at the code for pam_ldap and it seems clear that there is no way to override sasl once it has been compiled in.

ldapsearch -M <simple query> -D "<bind account info"
will fail because of sasl query
ldapsearch -x -M <simple query> -D "<bind account info"
will work

As for pam_ldap reproducibility it will just fail with a sasl error.

Expected results:

Ability to use simple_bind with https and simple auth to authenticate to ldap server.

Additional info:

Please contact me directly if you need any additional information, I will be happy to help.

I have also submitted a defect to padl but it seems this defect is sort of limitation of how pam_ldap was built & packaged, so its a bit of both a RH & PADL defect.

http://bugzilla.padl.com/show_bug.cgi?id=419

Comment 1 Nalin Dahyabhai 2010-06-30 23:42:11 UTC

I'm afraid I don't understand how http is involved here.

While the simple_bind functions in libldap do call into the sasl bind functions to do the heavy lifting, they're told to perform a simple bind (by specifying NULL for the name of the SASL mechanism), and the request that is sent to the server is actually a proper, traditional simple bind request.

What does your ldap.conf configuration look like?  I don't get a SASL error from either nss_ldap or pam_ldap when I attempt to use them here, and a packet capture showed only simple requests being transmitted to the server.

Comment 2 Nalin Dahyabhai 2010-07-27 15:29:09 UTC

I'm going to close this as having insufficient data.  Please reopen if you can supply more information about what's going on here.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.