
Re: Support for pam_ldap configuration


On Jul 10, 2012, at 2:47 PM, Arthur de Jong wrote:

> On Mon, 2012-07-09 at 18:22 -0700, Ted Cheng wrote:
>> Not sure why we would need "nopasswd", "userpasswd", and "rootpasswd"
>> config.
>> 
>> The kind of (old) password required for changing password depends on
>> client-side (who initiates the password change) and on server-side
>> (admin/pwdmgr dn & admin/pwdmgr pwd) configurations, not just
>> server-side configuration:
> 
> The problem is that only the server side can decide whether the change
> is allowed. You cannot leave this up to the client side because any
> process on the system can make nslcd requests (also unprivileged ones).

The pam_ldap library does make different preliminary checks based on whether
uid==0, and on whether (myuid == pwdent->pw_uid), as you described below.
The result can be returned by nslcd_request_authc(), based on
rootpwmoddn & rootpwmodpw configuration on the server side.

The additional "nopasswd", "userpasswd", and "rootpasswd" configuration
parameters seem to be redundant.

See explanation below.

> 
> If running as root changing someone else's password, the current PAM
> module tries to authenticate with an empty username and password first
> (to see whether both rootpwmoddn and rootpwmodpw are set),

If both rootpwmoddn and rootpwmodpw are configured on the server side,
both will be used to authenticate to the remote directory. That is, no
"rootpasswd" parameter is needed. The auth result will simply be returned.

> then prompt
> for the administrator password and try with an empty username and the
> supplied password.

In this case, rootpwmoddn and the supplied admin password will be used
to authenticate to the remote directory. The auth result will be returned.
No additional config parameter is needed. 

> In normal cases the user's old password is prompted
> for. This is a bit of a hack in the authentication call.

In this case, the supplied user dn and pwd will be used to authenticate to 
the remote directory. The auth result will be returned. No additional
config parameter is needed.

> 
> Another option would be to query the server for the rootpwmoddn and
> rootpwmodpw options but that would unnecessarily expose information to a
> process that doesn't really need this information.

There is no need to query rootpwmoddn. If the preliminary check is successful
using rootpwmoddn, rootpwmoddn will be returned as part of the auth result,
which can be used for the further pam pwmod call.

> 
>> The ppolicy configuration should probably be supported/tested as well.
> 
> Can you provide some info for that? How should that work? I thought this
> was only used when doing authentication and was used to provide the
> authorisation part in the authentication response.

Please find attached pam.c from nssov distribution. The pam_bindcb() routine
handles ppolicy control.

Cheers,

Ted C. Cheng
Symas Corporation

Attachment: pam.c
Description: Binary data
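A model of the password-change authentication exchange discussed in this thread, added here as an illustration; it is not code from the original message or from nss-pam-ldapd. The PAM side branches on uid==0 and on whether the caller is changing their own password, and the nslcd side picks the bind DN from its own rootpwmoddn/rootpwmodpw settings rather than from anything in the request. The directory entries, `ServerConfig`, `ldap_bind`, `user_dn`, `nslcd_authc` and `pam_chauthtok` are all constructed names for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the remote directory: DN -> password (not real data).
DIRECTORY = {
    "cn=pwadmin,dc=example,dc=org": "adminSecret",
    "uid=alice,ou=people,dc=example,dc=org": "alicePw",
}

@dataclass
class ServerConfig:
    """nslcd-side settings: the only place the bind DN for root changes is known."""
    rootpwmoddn: Optional[str] = None
    rootpwmodpw: Optional[str] = None

def ldap_bind(dn, password):
    """Simulated simple bind against the constructed directory above."""
    return DIRECTORY.get(dn) == password

def user_dn(username):
    return f"uid={username},ou=people,dc=example,dc=org"

def nslcd_authc(cfg, username, password):
    """Server side: chooses the bind DN from its own configuration, never from the
    request.  An empty username means 'bind as rootpwmoddn'; an empty password
    means 'use rootpwmodpw'.  Returns (success, dn used) so pwmod can reuse the DN."""
    if username == "":
        dn = cfg.rootpwmoddn
        bind_pw = cfg.rootpwmodpw if password == "" else password
        if dn is None or bind_pw is None:
            return (False, None)          # server config does not allow a root change
    else:
        dn, bind_pw = user_dn(username), password
    ok = ldap_bind(dn, bind_pw)
    return (ok, dn if ok else None)

def pam_chauthtok(cfg, caller_uid, target_user, target_uid, prompt):
    """Client side (PAM module) as described in the thread: root changing someone
    else's password first probes with empty username and password, then asks for
    the administrator password; everyone else supplies their own old password.
    `prompt` stands in for PAM's conversation function.  Returns the DN that
    authenticated, or None."""
    if caller_uid == 0 and caller_uid != target_uid:
        ok, dn = nslcd_authc(cfg, "", "")  # are rootpwmoddn and rootpwmodpw both set?
        if ok:
            return dn
        return nslcd_authc(cfg, "", prompt("LDAP administrator password: "))[1]
    return nslcd_authc(cfg, target_user, prompt("(current) LDAP password: "))[1]
```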

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/