pam_ldap accepting blank passwords
pam_ldap accepting blank passwords
- From: "Lee, Raymond" <Raymond.Lee [at] qwest.com>
- To: "'nss-pam-ldapd-users [at] lists.arthurdejong.org'" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: pam_ldap accepting blank passwords
- Date: Fri, 10 Jun 2011 09:50:07 -0500
Hi,
Anyone out there running tac_plus on Ubuntu with pam_ldap? I installed
libnss-ldapd, libpam-ldapd, nscd, and nslcd on Ubuntu 10.04.
Things seem to be working OK for the most part:
- I can authenticate against our LDAP server when I give a valid LDAP username
and password.
- I get denied access as expected if I give a valid LDAP username but a bad
password.
- I get denied access as expected if I give an invalid LDAP username.
However, if I give a valid LDAP username and a blank password, it lets me in --
not good! Seems like the LDAP server is accepting this as an anonymous bind.
I don't manage the LDAP server, so I can't configure it to reject anonymous
binds.
My /etc/pam.d/tac_plus looks like this:
auth required pam_ldap.so
account required pam_ldap.so
My /etc/nslcd.conf looks like this:
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldaps://10.1.2.3:1636 ldaps://10.2.3.4:1636
# The search base that will be used for all queries.
base ou=People,dc=mnet,dc=qintra,dc=com
filter passwd (objectclass=mnetperson)
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
binddn uid=proxyuser,ou=people,dc=mnet,dc=qintra,dc=com
bindpw <hidden>
# SSL options
#ssl off
tls_reqcert never
# The search scope.
#scope sub
When I run 'nslcd -d' for debugging and try to authenticate with a blank
password, I see this:
nslcd: [e87ccd] DEBUG: connection from pid=18477 uid=0 gid=0
nslcd: [e87ccd] DEBUG: nslcd_pam_authc("leeraym","","tac_plus","")
nslcd: [e87ccd] DEBUG: myldap_search(base="ou=People,dc=mnet,dc=qintra,dc=com", filter="(&(objectclass=mnetperson)(uid=leeraym))")
nslcd: [e87ccd] ldap_result() failed: Can't contact LDAP server
nslcd: [e87ccd] DEBUG: ldap_abandon()
nslcd: [e87ccd] DEBUG: ldap_unbind()
nslcd: [e87ccd] DEBUG: myldap_get_entry(): retry search
nslcd: [e87ccd] DEBUG: ldap_initialize(ldaps://10.1.2.3:1636)
nslcd: [e87ccd] DEBUG: ldap_set_rebind_proc()
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [e87ccd] DEBUG: ldap_simple_bind_s("uid=proxyuser,ou=people,dc=mnet,dc=qintra,dc=com","*****") (uri="ldaps://10.1.2.3:1636")
nslcd: [e87ccd] connected to LDAP server ldaps://10.1.2.3:1636
nslcd: [e87ccd] DEBUG: ldap_initialize(ldaps://10.1.2.3:1636)
nslcd: [e87ccd] DEBUG: ldap_set_rebind_proc()
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [e87ccd] DEBUG: ldap_simple_bind_s("uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com",empty) (uri="ldaps://10.1.2.3:1636")
nslcd: [e87ccd] connected to LDAP server ldaps://10.1.5.7:1636
nslcd: [e87ccd] DEBUG: myldap_search(base="uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com", filter="(objectclass=mnetperson)")
nslcd: [e87ccd] DEBUG: ldap_result(): end of results
nslcd: [e87ccd] DEBUG: ldap_unbind()
nslcd: [1b58ba] DEBUG: connection from pid=18477 uid=0 gid=0
nslcd: [1b58ba] DEBUG: nslcd_pam_authz("leeraym","uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com","tac_plus","","","")
The last few lines of the debug look slightly different when I login using a
valid username and password:
<snip>
nslcd: [7ed7ab] DEBUG: ldap_simple_bind_s("uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com","*****") (uri="ldaps://10.1.2.3:1636")
nslcd: [7ed7ab] connected to LDAP server ldaps://10.1.2.3:1636
nslcd: [7ed7ab] DEBUG: myldap_search(base="uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com", filter="(objectclass=mnetperson)")
nslcd: [7ed7ab] DEBUG: ldap_unbind()
nslcd: [b141f2] DEBUG: connection from pid=18484 uid=0 gid=0
nslcd: [b141f2] DEBUG: nslcd_pam_authz("leeraym","uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com","tac_plus","","","")
Has anyone run into this behavior before? Maybe I could resolve this if I had
something above pam_ldap in my PAM stack that would check to make sure the
password isn't blank?
Thanks,
Ray
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
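What the `ldap_simple_bind_s("uid=leeraym,...",empty)` line in the debug output puts on the wire, as an added example that is not part of the original post or of nss-pam-ldapd: a minimal BER encoder and decoder for an LDAPv3 simple BindRequest, a classifier that applies the RFC 4513 section 5.1 mechanism names (anonymous, unauthenticated, name/password) to a request, and the pre-bind guard the poster asks about. The user DN is the one from the debug output; the message IDs, the sample passwords and all function names are illustrative assumptions.

```python
"""Classify LDAPv3 simple BindRequests and guard against empty passwords.

Added example, not code from nss-pam-ldapd. It builds the kind of
BindRequest that ldap_simple_bind_s() sends, parses it back, and labels it
with the RFC 4513 section 5.1 mechanism names so the empty-password case
from the nslcd debug output is visible at the byte level.
"""

# BER/LDAP tags used by an LDAPMessage that carries a BindRequest.
TAG_SEQUENCE = 0x30       # SEQUENCE (LDAPMessage, BindRequest body)
TAG_INTEGER = 0x02        # INTEGER (messageID, version)
TAG_OCTET_STRING = 0x04   # OCTET STRING (LDAPDN)
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice.simple [0] primitive


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def _ber_integer(n: int) -> bytes:
    # Two's-complement, minimal length; message IDs and versions are >= 0.
    return _tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Encode LDAPMessage{messageID, BindRequest{version 3, dn, simple(password)}}."""
    bind = (_ber_integer(3)
            + _tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
            + _tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(TAG_SEQUENCE, _ber_integer(message_id) + _tlv(TAG_BIND_REQUEST, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def classify_bind_request(msg: bytes) -> str:
    """Name the RFC 4513 section 5.1 mechanism a simple BindRequest asks for."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, _msg_id, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _tag, _version, pos = _read_tlv(bind, 0)
    _tag, dn, pos = _read_tlv(bind, pos)
    tag, creds, _ = _read_tlv(bind, pos)
    if tag != TAG_SIMPLE_AUTH:
        return "sasl"
    if not dn and not creds:
        return "anonymous"          # 5.1.1: empty name, empty password
    if not creds:
        return "unauthenticated"    # 5.1.2: name present, zero-length password
    if not dn:
        return "invalid"            # password without a name is not a defined mechanism
    return "name/password"          # 5.1.3: the only form that actually proves a password


def password_ok_to_bind(username: str, password) -> bool:
    """Pre-bind guard: an empty password must never reach ldap_simple_bind_s()."""
    return bool(username) and password is not None and len(password) > 0


if __name__ == "__main__":
    dn = "uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com"   # DN from the debug output
    for pw in ("", "correct horse"):                         # constructed sample passwords
        req = build_simple_bind_request(2, dn, pw)
        print(classify_bind_request(req), req.hex())
```

With the empty password the request ends in `80 00`, a zero-length `simple` credential after a non-empty name, which RFC 4513 calls an unauthenticated bind. Servers are only recommended (SHOULD) to refuse it with unwillingToPerform; one that does not will answer success, and the subsequent search in the debug output then runs with whatever rights that server grants unauthenticated clients. Because the client cannot rely on the server here, `password_ok_to_bind` models the check that belongs before the bind: refuse the request if the password is zero-length, so the bind is never attempted.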