Red Hat Bugzilla – Bug 585729
pam_ldap no way to perform simple/https auth if sasl compiled in
Last modified: 2010-07-27 11:29:09 EDT
Description of problem:
After many hours of beating my head against the wall over why this wasn't working.
It appears that out of the box on RH etc. the modules are built with SASL
support, which takes precedence over simple_bind for all cases. :-(
There is no mechanism (at least that I can find) to force pam_ldap to use
simple authentication with the LDAP server if nss_ldap was compiled with
SASL. Yes, yes, I know this is horribly insecure with http, but it is
perfectly secure with https.
If you could please provide a config option in ldap.conf to force usage of
simple+https instead of sasl, I would much appreciate it as it will facilitate
the usage of ldap authentication without needing to recompile the module.
Right now I am completely unable to roll out a common Linux login auth structure to our lab because of this limitation. :-(
Version-Release number of selected component (if applicable):
Well, you can pretty much simulate it with ldapsearch, but I did look at the code for pam_ldap and it seems clear that there is no way to override SASL once it has been compiled in.
ldapsearch -M <simple query> -D "<bind account info>"
will fail because of the SASL query.
ldapsearch -x -M <simple query> -D "<bind account info>"
As for pam_ldap reproducibility, it will just fail with a SASL error.
Ability to use simple_bind with https and simple auth to authenticate to the LDAP server.
Please contact me directly if you need any additional information, I will be happy to help.
I have also submitted a defect to PADL, but it seems this defect is sort of a limitation of how pam_ldap was built & packaged, so it's a bit of both an RH & PADL defect.
I'm afraid I don't understand how http is involved here.
While the simple_bind functions in libldap do call into the sasl bind functions to do the heavy lifting, they're told to perform a simple bind (by specifying NULL for the name of the SASL mechanism), and the request that is sent to the server is actually a proper, traditional simple bind request.
What does your ldap.conf configuration look like? I don't get a SASL error from either nss_ldap or pam_ldap when I attempt to use them here, and a packet capture showed only simple requests being transmitted to the server.
I'm going to close this as having insufficient data. Please reopen if you can supply more information about what's going on here. Thanks!