RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 788751 - Account Policy Plugin does not work for simple binds when PAM Pass Through Auth plugin is enabled
Summary: Account Policy Plugin does not work for simple binds when PAM Pass Through Au...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-02-08 23:06 UTC by Rich Megginson
Modified: 2020-09-13 19:47 UTC (History)
3 users (show)

Fixed In Version: 389-ds-base-1.2.10.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: do a ldap bind going through the PAM plugin Consequence: postop plugins are not called Fix: make sure that the post op plugins are called Result: post op plugins should still be called. Like "Account Usability and "lastLoginTime"
Clone Of:
Environment:
Last Closed: 2012-06-20 07:14:18 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 39 0 None None None 2020-09-13 19:47:04 UTC
Red Hat Product Errata RHSA-2012:0813 0 normal SHIPPED_LIVE Low: 389-ds-base security, bug fix, and enhancement update 2012-06-19 19:29:15 UTC

Description Rich Megginson 2012-02-08 23:06:39 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/39

https://bugzilla.redhat.com/show_bug.cgi?id=712294

{{{
User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101
Firefox/4.0.1

If PAM passthrough plugin is used to process simple binds the account policy
plugin does not update the lastLoginTime attribute. I have not tested the other
aspects of Acoount Policy Plugin (the actions in case of account
inactivity/expiration).

Reproducible: Always

Steps to Reproduce:
1. Configure the account policy plugin to always update the lastLogin:

cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Account Policy Plugin
nsslapd-pluginPath: libacctpolicy-plugin
nsslapd-pluginInitfunc: acct_policy_init
nsslapd-pluginType: object
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: acct-policy
nsslapd-pluginVersion: 1.0
nsslapd-pluginVendor: Hewlett-Packard Company
nsslapd-pluginDescription: Account Policy Plugin

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
alwaysrecordlogin: true


2. Test that the plugin works with a simple or SASL/GSSAPI bind:
ldapsearch -Y GSSAPI -h ldap-server -b "dc=example,dc=com" uid=testuser
lastLoginTime

...
lastLoginTime: 20110610071526Z
...


3. Configure the PAM Passthrough plugin (I tried 2 different values for
pamIDMapMethod: RDN and ENTRY) :
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: ENTRY
pamIDAttr: uid
pamFallback: TRUE
pamSecure: TRUE
pamService: ldapserver
pamIncludeSuffix: dc=example,dc=com


4. Try again the SASL/GSSAPI bind. It still updates the lastLoginTime attribute
:
ldapsearch -Y GSSAPI -h ldap-server -b "dc=example,dc=com" uid=testuser
lastLoginTime

...
lastLoginTime: 20110610071827Z
...

5. Now try a simple bind using PAM passthrough (not the userPassword attribute
in the entry!!!) :
ldapsearch -x -H ldap://ldap-server -b "dc=example,dc=com" -D
"uid=testuser,ou=users,dc=example,dc=com" -W  uid=testuser lastLoginTime
Enter LDAP Password: <...>





Actual Results:
...
lastLoginTime: 20110610071827Z
...

The lastLoginTime is not updated.

Expected Results:
The lastLoginTime should be updated.

SASL binds and simple binds using the userPassword attribute of the entry
continue to update the lastloginTime attribute but not simple binds using the
PAM Passthrough.

Maybe it is possible to solve the problem by simply changing the plugin
precedences/priorities? Don't know whether this solution may have some other
collateral damage.

If FreeIPA uses the kerberos backend with PAM passthrough in 389DS for simple
LDAP binds, this bug also concerns FreeIPA.

By the way, the wiki is not up to date
(http://directory.fedoraproject.org/wiki/Account_Policy_Design). It uses
loginTimeStamp in all the configuration examples (but shows the correct
lastLoginTime in the schema changes)
}}}
Comment 2 mreynolds 2012-05-11 20:32:41 UTC 
To verify

[1]  First PAM needs to be setup:

http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through


[2] Enable and Configure the account policy plugin to always update the lastLogin:

cn=Account Policy Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: on

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
alwaysrecordlogin: true


[3]  Test that the plugin works with a simple or SASL/GSSAPI bind:

ldapsearch -Y GSSAPI -h ldap-server -b "dc=example,dc=com" uid=testuser
lastLoginTime

--> should get value for lastLoginTime. you might need to run the search twice.
lastLoginTime: 20110610071526Z


[4]  Configure the PAM Passthrough plugin

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
...
...
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: ENTRY
pamIDAttr: uid
pamFallback: TRUE
pamSecure: TRUE
pamService: ldapserver
pamIncludeSuffix: dc=example,dc=com


[5]  Rerun the search and make sure the lastLoginTIme is still be updated


[6]  Then run a search that uses PAM:

ldapsearch -x -H ldap://ldap-server -b "dc=example,dc=com" -D
"uid=testuser,ou=users,dc=example,dc=com" -w password  uid=testuser lastLoginTime


[7]  Verify that lastLoginTime is updated
Comment 3 mreynolds 2012-05-25 15:11:50 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: do a ldap bind going through the PAM plugin
Consequence: postop plugins are not called
Fix: make sure that the post op plugins are called
Result: post op plugins should still be called.  Like "Account Usability and "lastLoginTime"
Comment 4 errata-xmlrpc 2012-06-20 07:14:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0813.html
Note You need to log in before you can comment on or make changes to this bug.