RSS feed

Re: Question about passing messages back from LDAP

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Question about passing messages back from LDAP

On Wed, 2011-05-04 at 10:12 -0400, Ryan Steele wrote:
> I know that historically, nss-pam-ldapd has not supported sending
> ppolicy controls (pam_lookup_policy option in PADL's implementation),
> as we discussed last year:
> I was wondering if maybe that had changed at all since we last spoke?
> If not, would you be willing to elaborate on what changes need to be
> made to the current codebase to support passing the controls and
> parsing the results?  Thanks for all the great work on the project, we
> have found it to be quite useful in our environment.

I'm afraid nothing has changed yet. I've been thinking about
implementing it but haven't gotten around to it yet and don't know it I
will in the coming time.

The current PAM authentication check does the following:
- set up a new connection (session)
- call myldap_set_credentials() to override the binddn and bindpw from
  the configuration and force a simple bind (not SASL)
- a search is started which forces a bind, etc
- use the result of the search to determine the result of the bind

The reason to use a search and not do just a bind is to firstly to have
the same fail-over mechanism available for binds as for searches and
secondly because we want to confirm that the bind really succeeded by
performing a normal query (note that this last part still doesn't catch
all error conditions, e.g. some LDAP servers are known to silently fall
back to an anonymous bind if an empty password is supplied).

The code that does the above is in nslcd/pam.c in the try_bind()
function. The code that does the actual bind call is in nslcd/myldap.c
in the do_bind() function. This last function needs to be updated (or
this functionality split into a separate function if convenient) to pass
the correct controls and parse the returned controls. I think code in
pam_ldap can be used as a basis for this.

If you're willing to provide patches and do some testing I'm willing to
go from there and integrate the patches. If you have any more questions,
feel free to ask.

-- arthur - - --
To unsubscribe send an email to or see