RE: pam_ldap accepting blank passwords

[Date Prev][Date Next] [Thread Prev][Thread Next]
From: "Lee, Raymond" <Raymond.Lee [at] qwest.com>
To: "Lee, Raymond" <Raymond.Lee [at] qwest.com>, "'nss-pam-ldapd-users [at] lists.arthurdejong.org'" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
Subject: RE: pam_ldap accepting blank passwords
Date: Fri, 10 Jun 2011 15:31:09 -0500
Many thanks to Greg Newton for this solution:

<quote>
Hi Raymond,
I had this very problem on Maverick. The version of nslcd in the repos
has a bug that allows this behaviour. Later versions (I think the
problem got sorted in 0.7.8ish) sort out the problem. I now pull nslcd
from launchpad (currently v0.7.13):
https://launchpad.net/ubuntu/+source/nss-pam-ldapd/

I've done this in our small lab and had no issues whatsoever.
Cheers,
Greg
</quote>


> -----Original Message-----
> From: Lee, Raymond
> Sent: Friday, June 10, 2011 10:50 AM
> To: 'nss-pam-ldapd-users@lists.arthurdejong.org'
> Subject: pam_ldap accepting blank passwords
>
> Hi,
>
> Anyone out there running tac_plus on Ubuntu with pam_ldap?  I installed
> libnss-ldapd, libpam-ldapd, nscd, and nslcd on Ubuntu 10.04.
>
> Things seem to be working OK for the most part:
> - I can authenticate against our LDAP server when I give a valid LDAP
> username and password.
> - I get denied access as expected if I give a valid LDAP username but a
> bad password.
> - I get denied access as expected if I give an invalid LDAP username.
>
> However, if I give a valid LDAP username and a blank password, it lets
> me in -- not good!  Seems like the LDAP server is accepting this as an
> anonymous bind.  I don't manage the LDAP server, so I can't configure
> it to reject anonymous binds.
>
>
> My /etc/pam.d/tac_plus looks like this:
>
>       auth    required        pam_ldap.so
>       account required        pam_ldap.so
>
>
>
> My /etc/nslcd.conf looks like this:
>
>       # /etc/nslcd.conf
>       # nslcd configuration file. See nslcd.conf(5)
>       # for details.
>
>       # The user and group nslcd should run as.
>       uid nslcd
>       gid nslcd
>
>       # The location at which the LDAP server(s) should be reachable.
>       uri ldaps://10.1.2.3:1636 ldaps://10.2.3.4:1636
>
>       # The search base that will be used for all queries.
>       base ou=People,dc=mnet,dc=qintra,dc=com
>
>       filter passwd (objectclass=mnetperson)
>
>       # The LDAP protocol version to use.
>       #ldap_version 3
>
>       # The DN to bind with for normal lookups.
>       binddn uid=proxyuser,ou=people,dc=mnet,dc=qintra,dc=com
>       bindpw <hidden>
>
>       # SSL options
>       #ssl off
>       tls_reqcert never
>
>       # The search scope.
>       #scope sub
>
>
>
> When I run 'nslcd -d' for debugging and try to authenticate with a
> blank password, I see this:
>
>
> nslcd: [e87ccd] DEBUG: connection from pid=18477 uid=0 gid=0
> nslcd: [e87ccd] DEBUG: nslcd_pam_authc("leeraym","","tac_plus","")
> nslcd: [e87ccd] DEBUG:
> myldap_search(base="ou=People,dc=mnet,dc=qintra,dc=com",
> filter="(&(objectclass=mnetperson)(uid=leeraym))")
> nslcd: [e87ccd] ldap_result() failed: Can't contact LDAP server
> nslcd: [e87ccd] DEBUG: ldap_abandon()
> nslcd: [e87ccd] DEBUG: ldap_unbind()
> nslcd: [e87ccd] DEBUG: myldap_get_entry(): retry search
> nslcd: [e87ccd] DEBUG: ldap_initialize(ldaps://10.1.2.3:1636)
> nslcd: [e87ccd] DEBUG: ldap_set_rebind_proc()
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [e87ccd] DEBUG:
> ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
> nslcd: [e87ccd] DEBUG:
> ldap_simple_bind_s("uid=proxyuser,ou=people,dc=mnet,dc=qintra,dc=com","
> *****") (uri="ldaps://10.1.2.3:1636")
> nslcd: [e87ccd] connected to LDAP server ldaps://10.1.2.3:1636
> nslcd: [e87ccd] DEBUG: ldap_initialize(ldaps://10.1.2.3:1636)
> nslcd: [e87ccd] DEBUG: ldap_set_rebind_proc()
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [e87ccd] DEBUG:
> ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
> nslcd: [e87ccd] DEBUG:
> ldap_simple_bind_s("uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com",emp
> ty) (uri="ldaps://10.1.2.3:1636")
> nslcd: [e87ccd] connected to LDAP server ldaps://10.1.5.7:1636
> nslcd: [e87ccd] DEBUG:
> myldap_search(base="uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com",
> filter="(objectclass=mnetperson)")
> nslcd: [e87ccd] DEBUG: ldap_result(): end of results
> nslcd: [e87ccd] DEBUG: ldap_unbind()
> nslcd: [1b58ba] DEBUG: connection from pid=18477 uid=0 gid=0
> nslcd: [1b58ba] DEBUG:
> nslcd_pam_authz("leeraym","uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=c
> om","tac_plus","","","")
>
>
>
> The last few lines of the debug look slightly different when I login
> using a valid username and password:
>
> <snip>
> nslcd: [7ed7ab] DEBUG:
> ldap_simple_bind_s("uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com","**
> ***") (uri="ldaps://10.1.2.3:1636")
> nslcd: [7ed7ab] connected to LDAP server ldaps://10.1.2.3:1636
> nslcd: [7ed7ab] DEBUG:
> myldap_search(base="uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com",
> filter="(objectclass=mnetperson)")
> nslcd: [7ed7ab] DEBUG: ldap_unbind()
> nslcd: [b141f2] DEBUG: connection from pid=18484 uid=0 gid=0
> nslcd: [b141f2] DEBUG:
> nslcd_pam_authz("leeraym","uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=c
> om","tac_plus","","","")
>
>
>
> Has anyone run into this behavior before?  Maybe I could resolve this
> if I had something above pam_ldap in my PAM stack that would check to
> make sure the password isn't blank?
>
> Thanks,
> Ray

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
pam_ldap accepting blank passwords, Lee, Raymond
- RE: pam_ldap accepting blank passwords, Lee, Raymond
Prev by Date: pam_ldap accepting blank passwords
Next by Date: account lockout PAM module for LDAP
Previous by thread: pam_ldap accepting blank passwords
Next by thread: account lockout PAM module for LDAP