Bug 788751 - Account Policy Plugin does not work for simple binds when PAM Pass Through Auth plugin is enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Rich Megginson
QA Contact: IDM QE LIST
Reported: 2012-02-08 18:06 EST by Rich Megginson
Modified: 2012-06-20 03:14 EDT (History)
Fixed In Version: 389-ds-base-1.2.10.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: do an LDAP bind going through the PAM plugin. Consequence: postop plugins are not called. Fix: make sure that the post op plugins are called. Result: post op plugins should still be called, like "Account Usability" and "lastLoginTime".
Last Closed: 2012-06-20 03:14:18 EDT

External Trackers:
Red Hat Product Errata RHSA-2012:0813 | Priority: normal | Status: SHIPPED_LIVE | Low: 389-ds-base security, bug fix, and enhancement update | Last Updated: 2012-06-19 15:29:15 EDT

Description Rich Megginson 2012-02-08 18:06:39 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/39

https://bugzilla.redhat.com/show_bug.cgi?id=712294

{{{
If PAM passthrough plugin is used to process simple binds the account policy
plugin does not update the lastLoginTime attribute. I have not tested the other
aspects of Account Policy Plugin (the actions in case of account
inactivity/expiration).

Reproducible: Always

Steps to Reproduce:
1. Configure the account policy plugin to always update the lastLogin:

cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Account Policy Plugin
nsslapd-pluginPath: libacctpolicy-plugin
nsslapd-pluginInitfunc: acct_policy_init
nsslapd-pluginType: object
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: acct-policy
nsslapd-pluginVersion: 1.0
nsslapd-pluginVendor: Hewlett-Packard Company
nsslapd-pluginDescription: Account Policy Plugin

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
alwaysrecordlogin: true


2. Test that the plugin works with a simple or SASL/GSSAPI bind:
ldapsearch -Y GSSAPI -h ldap-server -b "dc=example,dc=com" uid=testuser lastLoginTime

...
lastLoginTime: 20110610071526Z
...


3. Configure the PAM Passthrough plugin (I tried 2 different values for
pamIDMapMethod: RDN and ENTRY):
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: ENTRY
pamIDAttr: uid
pamFallback: TRUE
pamSecure: TRUE
pamService: ldapserver
pamIncludeSuffix: dc=example,dc=com


4. Try again the SASL/GSSAPI bind. It still updates the lastLoginTime attribute:
ldapsearch -Y GSSAPI -h ldap-server -b "dc=example,dc=com" uid=testuser lastLoginTime

...
lastLoginTime: 20110610071827Z
...

5. Now try a simple bind using PAM passthrough (not the userPassword attribute
in the entry!!!):
ldapsearch -x -H ldap://ldap-server -b "dc=example,dc=com" -D "uid=testuser,ou=users,dc=example,dc=com" -W uid=testuser lastLoginTime
Enter LDAP Password: <...>

Actual Results:
...
lastLoginTime: 20110610071827Z
...

The lastLoginTime is not updated.

Expected Results:
The lastLoginTime should be updated.

SASL binds and simple binds using the userPassword attribute of the entry
continue to update the lastLoginTime attribute but not simple binds using the
PAM Passthrough.

Maybe it is possible to solve the problem by simply changing the plugin
precedences/priorities? Don't know whether this solution may have some other
collateral damage.

If FreeIPA uses the kerberos backend with PAM passthrough in 389DS for simple
LDAP binds, this bug also concerns FreeIPA.

By the way, the wiki is not up to date
(http://directory.fedoraproject.org/wiki/Account_Policy_Design). It uses
loginTimeStamp in all the configuration examples (but shows the correct
lastLoginTime in the schema changes)
}}}
Comment 2 mreynolds 2012-05-11 16:32:41 EDT
To verify

[1]  First PAM needs to be setup:

http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through


[2] Enable and Configure the account policy plugin to always update the lastLogin:

cn=Account Policy Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: on

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
alwaysrecordlogin: true


[3]  Test that the plugin works with a simple or SASL/GSSAPI bind:

ldapsearch -Y GSSAPI -h ldap-server -b "dc=example,dc=com" uid=testuser lastLoginTime

--> should get a value for lastLoginTime. You might need to run the search twice.
lastLoginTime: 20110610071526Z


[4]  Configure the PAM Passthrough plugin

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
...
...
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: ENTRY
pamIDAttr: uid
pamFallback: TRUE
pamSecure: TRUE
pamService: ldapserver
pamIncludeSuffix: dc=example,dc=com


[5]  Rerun the search and make sure the lastLoginTime is still being updated


[6]  Then run a search that uses PAM:

ldapsearch -x -H ldap://ldap-server -b "dc=example,dc=com" -D "uid=testuser,ou=users,dc=example,dc=com" -w password uid=testuser lastLoginTime


[7]  Verify that lastLoginTime is updated
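The reproduction steps in the description and the verification steps above both come down to the same check: read lastLoginTime, perform a simple bind that goes through the PAM Pass Through plugin, read it again, and confirm the value moved forward. The script below is an added example written for this page; it is not part of the bug report or of 389-ds-base. It parses the lastLoginTime attribute out of ldapsearch output (constructed sample output is embedded so the parsing logic runs offline) and decides whether the timestamp advanced. The `fetch_entry` wrapper and the host, base DN and bind DN it takes are hypothetical and simply run the same `ldapsearch -x ... -w` command the verification steps use, so it needs a live server to do anything.

```python
"""Check whether lastLoginTime advances across a simple bind (PAM pass-through or not)."""
import re
import subprocess
import time
from datetime import datetime, timezone

# Constructed sample ldapsearch output (not taken from the bug report): the same
# entry before and after a bind, where the second bind was recorded.
SAMPLE_BEFORE = """dn: uid=testuser,ou=users,dc=example,dc=com
lastLoginTime: 20110610071827Z
"""
SAMPLE_AFTER_UPDATED = """dn: uid=testuser,ou=users,dc=example,dc=com
lastLoginTime: 20110610072015Z
"""

# lastLoginTime is a GeneralizedTime in the YYYYmmddHHMMSSZ form that ldapsearch prints.
_LAST_LOGIN_RE = re.compile(r"^lastLoginTime:\s*(\d{14})Z\s*$", re.MULTILINE)


def parse_last_login(ldif_text):
    """Return lastLoginTime as an aware UTC datetime, or None if the attribute is absent."""
    m = _LAST_LOGIN_RE.search(ldif_text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def login_time_advanced(before_text, after_text):
    """True when the post-bind lastLoginTime is strictly later than the pre-bind one.

    A missing attribute is reported as an error rather than as "not updated", because it
    usually means the Account Policy plugin is disabled or alwaysrecordlogin is off, which
    is a different problem from the postop-plugin ordering described in this bug.
    """
    before = parse_last_login(before_text)
    after = parse_last_login(after_text)
    if before is None or after is None:
        raise ValueError("lastLoginTime not present; is the Account Policy plugin enabled?")
    return after > before


def fetch_entry(host, base, bind_dn, password, filt="uid=testuser"):
    """Hypothetical wrapper: run the simple-bind ldapsearch from the verification steps.

    The bind performed by this search is what should trigger the lastLoginTime update.
    Requires ldapsearch on PATH and a reachable server; never called at import time.
    """
    cmd = ["ldapsearch", "-x", "-H", f"ldap://{host}", "-b", base,
           "-D", bind_dn, "-w", password, filt, "lastLoginTime"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    host, base, bind_dn, password = sys.argv[1:5]
    first = fetch_entry(host, base, bind_dn, password)
    # lastLoginTime has one-second granularity, so two binds inside the same second
    # would compare equal even when the plugin works; wait before the second bind.
    time.sleep(2)
    second = fetch_entry(host, base, bind_dn, password)
    print("lastLoginTime updated" if login_time_advanced(first, second)
          else "lastLoginTime NOT updated: postop plugin did not run for this bind")
```

Run it once with a bind DN whose entry has a userPassword (the control case that the report says works) and once with an entry that only authenticates through PAM; on an affected server only the second run reports "NOT updated".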
Comment 3 mreynolds 2012-05-25 11:11:50 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: do an LDAP bind going through the PAM plugin
Consequence: postop plugins are not called
Fix: make sure that the post op plugins are called
Result: post op plugins should still be called, like "Account Usability" and "lastLoginTime"
Comment 4 errata-xmlrpc 2012-06-20 03:14:18 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0813.html
