
Re: Support for pam_ldap configuration

On Jul 11, 2012, at 2:10 PM, Arthur de Jong wrote:

> On Tue, 2012-07-10 at 18:01 -0700, Ted Cheng wrote:
>> If both rootpwmoddn and rootpwmodpw are configured on the server side,
>> both will be used to authenticate to the remote directory. That is, no
>> "rootpasswd" parameter is needed. Simply the auth result will be
>> returned.
> 
> If the password change is run as root the PAM module doesn't know
> whether the server has either options set so first tries to do a ""+""
> authentication, then prompts for the administrator password and does a
> ""+passwd authentication.
> 

nssov implemented the following in response to the calls from pam_ldap:

If rootpwmoddn and rootpwmodpw are configured on the server side:

pam_ldap, "" (NULL) + "" (NULL)  ==> nssov binds to ldap server with rootpwmoddn + rootpwmodpw
return rootpwmoddn to pam_ldap if bind success

If only rootpwmoddn is configured, but not rootpwmodpw on the server side:

pam_ldap, "" (NULL) + admin pwd  ==> nssov binds to ldap server with rootpwmoddn + admin pwd
return rootpwmoddn to pam_ldap, if bind success

pam_ldap, user dn + user pwd  ==> nssov binds to ldap server with user dn + user pwd
return userdn to pam_ldap, if bind success

pam_ldap does not need to guess at all.

> The extra NSLCD_CONFIG_PAM_ROOTPWMOD protocol parameter that can be
> derived from the rootpwmoddn and rootpwmodpw nslcd.conf configuration
> options and the caller's uid and be provided to the PAM module so it
> wouldn't need to do this guessing.
> 
> This would mean that the first ugly hack (""+"") is no longer necessary.
> The second one would still be needed to see if the supplied password is
> correct. The extra information could also allow the PAM module to prompt
> for the old password of the user that is being changed.

Need more information on how this should be implemented.

> 
>> Please find attached pam.c from nssov distribution. The pam_bindcb() routine
>> handles ppolicy control.
> 
> Thanks. I'm currently using ldap_simple_bind_s() for user
> authentication.
> 
> Also looking at pam_ldap.c it seems I have to switch to the asynchronous
> ldap_sasl_bind() to request password policy and be able to get the
> password policy response controls. Requesting seems possible with
> ldap_sasl_bind_s() but I can't work out how to get the response controls
> with that function.
> 
I have attached common.c from openldap client code. Hopefully it helps.

Cheers,

Ted C. Cheng
Symas Corporation

Attachment: common.c
Description: Binary data
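Added example, not code from this thread, nssov or pam_ldap: the credential selection Ted describes above (what nssov binds with, and which DN it returns, for each combination of what pam_ldap sent and what nslcd.conf configures), written as a stand-alone C function. The names (plan_bind, the structs), the precedence of rootpwmodpw over a password sent by pam_ldap, and the refusal to bind with an empty password are assumptions of this example, not something the thread states.

```c
#include <string.h>

/* What pam_ldap sends over the nslcd protocol for a password change.
 * "" stands for the NULL/"not supplied" value used in the thread. */
struct pam_request {
    const char *dn;
    const char *pwd;
};

/* Server-side nslcd.conf settings; NULL means "not configured". */
struct server_config {
    const char *rootpwmoddn;
    const char *rootpwmodpw;
};

/* Credentials nssov would bind with, and the DN it reports back to pam_ldap. */
struct bind_plan {
    const char *bind_dn;
    const char *bind_pwd;
    const char *return_dn;
};

static int empty(const char *s) { return s == NULL || s[0] == '\0'; }

/* Returns 1 and fills *out when a bind can be attempted, 0 when the request
 * must be refused. The refusals are an added guard (assumption of this
 * example): a non-empty DN with an empty password is an unauthenticated bind
 * in LDAP, so it must never be passed on as if it authenticated anyone. */
int plan_bind(const struct pam_request *req, const struct server_config *cfg,
              struct bind_plan *out)
{
    if (empty(req->dn)) {
        /* pam_ldap runs as root and asks nssov to use its administrator identity */
        if (empty(cfg->rootpwmoddn))
            return 0;                          /* no rootpwmoddn: nothing to bind as */
        out->bind_dn = cfg->rootpwmoddn;
        if (!empty(cfg->rootpwmodpw))
            out->bind_pwd = cfg->rootpwmodpw;  /* both configured: ""+"" suffices */
        else if (!empty(req->pwd))
            out->bind_pwd = req->pwd;          /* only the DN: admin pwd comes from pam_ldap */
        else
            return 0;                          /* no password available anywhere */
        out->return_dn = cfg->rootpwmoddn;
        return 1;
    }
    if (empty(req->pwd))                       /* ordinary user without a password */
        return 0;
    out->bind_dn = req->dn;                    /* ordinary user: bind as the user */
    out->bind_pwd = req->pwd;
    out->return_dn = req->dn;
    return 1;
}
```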
