Re: non-local (LDAP) users can log in without auth???
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: non-local (LDAP) users can log in without auth???
- Date: Wed, 16 Feb 2011 20:34:39 +0100
On Tue, 2011-02-15 at 15:20 -0800, Greg Newton wrote:
> I've been working on getting an Ubuntu 10.10 (Maverick) lab up and
> running, using the stock versions found in the repos (e.g. nslcd
> v.0.7.6) and I've run into an interesting problem: ldap users can get a
> session on the machine without a password. That is, if a user exists in
> LDAP they can log in to the machine by hitting the return key when asked
> for a password; this does not work for local users, nor can you make up
> an ID and expect it to work. BTW, if you give it a wrong password, you
> can't get a session (as in you get a failed LDAP authentication message).

There seem to be some LDAP servers that silently fall back to anonymous
bind when logging in without a password. For this purpose in release
0.7.7 the nullok PAM option was introduced.

It may be a good idea to raise an issue in Ubuntu for this and try to
get this fixed there. Attached is a patch against 0.7.6 for the relevant
changes that landed in 0.7.7.

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
Attachment:
nss-pam-ldapd-implement-nullok-option.patch
Description: Text Data
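
A configuration check for the option mentioned above, as an added example that is not part of the original message or of the nss-pam-ldapd code: it scans PAM configuration text for auth rules that load pam_ldap.so with nullok, which is where empty passwords would again be handed to the LDAP server. It assumes, per the pam_ldap documentation for 0.7.7 and later, that without nullok the module refuses empty passwords; the function names and the sample configuration are constructed for illustration.

```python
PAM_TYPES = {"auth", "account", "password", "session"}

def logical_lines(text):
    """Strip comments, join backslash-continued lines, skip blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line:
            yield line

def parse_rule(line):
    """Return (type, module, args), or None if the line is not a PAM rule."""
    tokens = line.split()
    if tokens and tokens[0].lstrip("-") not in PAM_TYPES:
        tokens = tokens[1:]              # /etc/pam.conf style: leading service field
    if len(tokens) < 3 or tokens[0].lstrip("-") not in PAM_TYPES:
        return None                      # e.g. "@include common-auth"
    kind, rest = tokens[0].lstrip("-"), tokens[1:]
    if rest[0].startswith("["):          # bracketed control: [success=1 default=ignore]
        while rest and not rest[0].endswith("]"):
            rest = rest[1:]
    rest = rest[1:]                      # drop the control field (or its last token)
    return (kind, rest[0], rest[1:]) if rest else None

def audit(text):
    """List auth rules that run pam_ldap.so with nullok set."""
    findings = []
    for line in logical_lines(text):
        rule = parse_rule(line)
        if rule is None:
            continue
        kind, module, args = rule
        if kind == "auth" and module.rsplit("/", 1)[-1] == "pam_ldap.so" and "nullok" in args:
            findings.append(line)
    return findings

# Constructed sample, not taken from any real system.
SAMPLE = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass nullok
auth sufficient /lib/security/pam_ldap.so \\
     minimum_uid=1000 nullok   # continued line
auth sufficient pam_ldap.so use_first_pass
"""

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print("pam_ldap accepts empty passwords:", hit)
```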