lists.arthurdejong.org
Re: rootpwmoddn seems not be working properly

On 2 November 2014 10:25, Arthur de Jong <arthur [at] arthurdejong.org> wrote: 

> - first as administrator without a password (to see if nslcd has
>   rootpwmoddn and rootpwmodpw set)

Isn't it possible to get the parameters in the first place and make the bind with rootpwmoddn and rootpwmodpw? If I have rootpwmoddn and rootpwmodpw set it doesn't seem right to ask for the LDAP password again.

> Until someone can suggest a good search to perform after authentication
> I'm afraid we're stuck with having to have the rootpwmoddn be a real
> entry in LDAP.

I believe searching the base with base scope is the safest search to use. From my example it would be: ldapsearch -b "dc=epf-mac" -s base

# extended LDIF
#
# LDAPv3
# base <dc=epf-mac> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
# ...


Érico Fusco

On 2 November 2014 10:25, Arthur de Jong <arthur [at] arthurdejong.org> wrote:

On Sat, 2014-11-01 at 17:34 -0200, Erico Fusco wrote:
> passwd prompts "LDAP Administrator password:", but nslcd tries to bind
> without a password before typing it, if I use rootpwmodpw bind is okay
> but it still asks for LDAP admin password. The log below is when used
> without rootpwmodpw.

The PAM module will try authenticating two times when changing another
user's password. From the point of the PAM module:
- first as administrator without a password (to see if nslcd has
  rootpwmoddn and rootpwmodpw set)
- on failure prompt for a password (LDAP administrator password) and try
  as administrator with that password

This can result in two authc="" calls in nslcd (empty username is
interpreted as authenticate with rootpwmoddn and empty password is
interpreted as rootpwmodpw if the caller is root).

> After I type the password the bind is done correctly but the base used
> is "rootpwmoddn" with no proper filter, I guess it should search on
> base passwd with a correct filter (using uid for example). Maybe this
> query is related to authentication still ? My rootdn and rootpw is
> only on slapd.conf.
[...]
> nslcd: [d062c2] <authc=""> DEBUG: nslcd_pam_authc("","passwd","***")
> nslcd: [d062c2] <authc=""> DEBUG: myldap_search(base="cn=admin,dc=epf-mac", filter="(objectClass=*)")
> nslcd: [d062c2] <authc=""> DEBUG: ldap_sasl_bind("cn=admin,dc=epf-mac","***") (uri="ldaps://127.0.0.1/")
> nslcd: [d062c2] <authc=""> ldap_result() failed: No such object
> nslcd: [d062c2] <authc=""> cn=admin,dc=epf-mac: No such object

As a precaution nslcd will perform a search after the BIND to ensure
that the BIND is successful. Some LDAP servers do not return the correct
error code at BIND but the error is only found after search.

Since your rootdn does not exist in the directory, the search fails (and
as a result authentication fails).

In theory we could replace the search with any other search as long as
it returns an entry after BIND. For normal users this should be the user
object itself but for administrators some other search could be
performed. We could for example request basedn but I've also seen
directories where that does not exist (I think when using the meta
backend).

The user uid for which the password is changed is not available in the
administrator authentication request (only information in nslcd.conf and
things logged on the nslcd_pam_authc line).

Until someone can suggest a good search to perform after authentication
I'm afraid we're stuck with having to have the rootpwmoddn be a real
entry in LDAP.

Thanks,

--
-- arthur - arthur [at] arthurdejong.org - http://arthurdejong.org/ --

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
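The two-step check Arthur describes (a BIND as rootpwmoddn, then a base-scope search on that DN to confirm the BIND really succeeded) and the base-DN search Érico suggests as an alternative, reproduced by hand with the OpenLDAP client tools so the "No such object" failure can be seen outside nslcd. This is an added example, not code from the thread or from nss-pam-ldapd; the URI and DNs are taken from the log above, and the password-file path is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the list thread or the nss-pam-ldapd project): replay
# by hand the two steps nslcd performs when an administrator changes another
# user's password. Step 1 is the BIND as rootpwmoddn; step 2 is the base-scope
# search nslcd runs after the BIND to confirm it succeeded. A rootdn that lives
# only in slapd.conf passes step 1 and fails step 2 with noSuchObject.
# Assumed values: LDAP_URI/ROOTPWMODDN/BASEDN come from the thread's log,
# PASSFILE is a placeholder path (-y keeps the password out of the argv list).
LDAP_URI="${LDAP_URI:-ldaps://127.0.0.1/}"
ROOTPWMODDN="${ROOTPWMODDN:-cn=admin,dc=epf-mac}"
BASEDN="${BASEDN:-dc=epf-mac}"
PASSFILE="${PASSFILE:-/etc/nslcd.rootpw}"

# Translate an ldapsearch exit status into what nslcd would conclude.
# ldapsearch exits with the LDAP result code: 0 success, 32 noSuchObject,
# 49 invalidCredentials.
classify_status() {
  case "$1" in
    0)  echo "authenticated" ;;
    32) echo "bind-ok-but-entry-missing" ;;   # the failure mode in the thread
    49) echo "bind-failed" ;;
    *)  echo "error-$1" ;;
  esac
}

# Print the DN of the entry a base-scope search returned, reading -LLL LDIF
# from stdin. Prints nothing and returns 1 when no entry came back.
ldif_entry_dn() {
  sed -n 's/^dn: //p' | grep .
}

# Step 2 for one candidate DN: BIND as rootpwmoddn, then base-scope search on $1.
probe_after_bind() {
  target="$1"
  out=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$ROOTPWMODDN" -y "$PASSFILE" \
        -b "$target" -s base '(objectClass=*)' dn 2>/dev/null)
  status=$?
  printf '%s -> %s' "$target" "$(classify_status "$status")"
  if dn=$(printf '%s\n' "$out" | ldif_entry_dn); then
    printf ' (entry: %s)' "$dn"
  fi
  printf '\n'
}

main() {
  # Step 1 on its own: ldapwhoami does nothing but BIND.
  if ldapwhoami -x -H "$LDAP_URI" -D "$ROOTPWMODDN" -y "$PASSFILE" >/dev/null 2>&1; then
    echo "BIND as $ROOTPWMODDN: ok"
  else
    echo "BIND as $ROOTPWMODDN: failed (rootpwmodpw wrong or DN refused)"
    exit 1
  fi
  # Step 2 with nslcd's current search (rootpwmoddn itself) and with the
  # alternative discussed in the thread (the base DN with base scope).
  probe_after_bind "$ROOTPWMODDN"
  probe_after_bind "$BASEDN"
}

# Only talk to a directory when explicitly asked, so the helpers can be sourced.
if [ "${RUN_PROBE:-0}" = 1 ]; then
  main
fi
```

Run it with `RUN_PROBE=1 PASSFILE=/path/to/pwfile sh probe.sh` against the directory nslcd uses. If the first probe prints `bind-ok-but-entry-missing` while the second prints `authenticated`, the rootpwmoddn is accepted for BIND but is not a real entry, which is exactly the situation the thread describes.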