
Re: Ineffective pam_authz_search


On Thu, 2014-02-06 at 13:44 +0300, Ксения Юрьевна Блащук wrote:
> But still, user is available to login even if specific $hostname or
> $fqdn is not specified in his LDAP account, so it becomes a security
> issue.
> 
> nslcd -d outputs:
> nslcd: <passwd="mylogin"> DEBUG: myldap_search(base="dc=mydc,dc=mydc", filter="(&(objectClass=posixAccount)(uid=mylogin))")
> 
> I don't see that myldap_search includes 'host' parameter. 

The pam_authz_search option will only be used when the PAM module of
nss-pam-ldapd is also used. The search from above is from a name lookup,
not an authentication (or authorisation) attempt.

An authentication attempt will look something like:
...
nslcd: [334873] <authc="arthur"> DEBUG: nslcd_pam_authc("arthur","su","***")
...
nslcd: [495cff] <authz="arthur"> DEBUG: nslcd_pam_authz("arthur","su","arthur","","/dev/pts/10")
...

Whether the option really takes effect also depends on your PAM
configuration. For example, if you make the hashed password available
through NSS (by default disabled in 0.8) pam_unix will most likely
completely bypass pam_ldap.

Also, some applications (such as SSH when using key-based
authentication) tend to bypass PAM.

Also be sure you are using nss-pam-ldapd's pam_ldap module.

Hope this helps.


-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
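The reply above distinguishes NSS name lookups (tagged `<passwd=...>`) from PAM requests (tagged `<authc=...>` and `<authz=...>`) in `nslcd -d` output. The following is an added example, not part of the thread and not nss-pam-ldapd's own code: a small classifier that runs over debug lines and reports whether pam_ldap is reaching nslcd at all, and whether any authz search actually carries a `host=` term. The log sample is constructed from the lines quoted above plus an assumed fourth line; the session/password request kinds in `PAM_KINDS` beyond `authc`/`authz` are assumed, not taken from the page.

```python
import re

# Constructed sample of `nslcd -d` output. The first three lines mirror those
# quoted in the thread; the fourth is an ASSUMED authz search of the kind a
# pam_authz_search filter using $hostname/$fqdn would produce.
SAMPLE_LOG = """\
nslcd: <passwd="mylogin"> DEBUG: myldap_search(base="dc=mydc,dc=mydc", filter="(&(objectClass=posixAccount)(uid=mylogin))")
nslcd: [334873] <authc="arthur"> DEBUG: nslcd_pam_authc("arthur","su","***")
nslcd: [495cff] <authz="arthur"> DEBUG: nslcd_pam_authz("arthur","su","arthur","","/dev/pts/10")
nslcd: [495cff] <authz="arthur"> DEBUG: myldap_search(base="dc=mydc,dc=mydc", filter="(&(objectClass=posixAccount)(uid=arthur)(|(host=myhost)(host=myhost.example.com)))")
"""

# The request tag nslcd prefixes every debug line with: <kind="user">.
TAG_RE = re.compile(r'<(?P<kind>[a-z_]+)="(?P<user>[^"]*)">')
# The LDAP filter, when the line is a search.
FILTER_RE = re.compile(r'filter="(?P<filter>[^"]*)"')

# Request kinds issued by the pam_ldap module. "authc" and "authz" appear in
# the thread; the session and password-modification kinds are an assumption.
PAM_KINDS = {"authc", "authz", "sess_o", "sess_c", "pwmod"}


def classify_line(line):
    """Describe one nslcd debug line, or return None if it has no request tag."""
    m = TAG_RE.search(line)
    if m is None:
        return None
    kind, user = m.group("kind"), m.group("user")
    f = FILTER_RE.search(line)
    return {
        "kind": kind,
        "user": user,
        "from_pam": kind in PAM_KINDS,  # False means an NSS name-service lookup
        "filter": f.group("filter") if f else None,
    }


def summarize(log_text):
    """Count NSS lookups, PAM requests, and authz searches whose filter restricts on host."""
    counts = {"nss_lookups": 0, "pam_requests": 0, "authz_host_filters": 0}
    for line in log_text.splitlines():
        entry = classify_line(line)
        if entry is None:
            continue
        if entry["from_pam"]:
            counts["pam_requests"] += 1
            if entry["kind"] == "authz" and entry["filter"] and "(host=" in entry["filter"]:
                counts["authz_host_filters"] += 1
        else:
            counts["nss_lookups"] += 1
    return counts


def pam_ldap_active(log_text):
    """True if pam_ldap produced at least one request; otherwise pam_authz_search cannot apply."""
    return summarize(log_text)["pam_requests"] > 0


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

If `pam_requests` stays at zero during a login, PAM is not reaching nslcd (pam_unix answering first, key-based SSH, or pam_ldap not in the stack), and no `pam_authz_search` value can change the outcome; if authz requests appear but `authz_host_filters` is zero, the filter itself is not applying the host restriction.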