
Re: nslcd: passwords in clear text even if TLS is configured
On Mon, 2022-03-07 at 12:04 +0100, Andrea Sighinolfi wrote:
> nslcd: [7b23c6] DEBUG: connection from pid=1686 uid=0 gid=0
> nslcd: [7b23c6] <passwd="test"> DEBUG: myldap_search(base="dc=labsecurity,dc=local", filter="(&(objectClass=posixAccount)(uid=test))")
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_initialize(ldap://nodo-1.labsecurity.local)
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_rebind_proc()
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_start_tls_s()
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://nodo-1.labsecurity.local")

The normal search connection at least seems to do the call that
initiates STARTTLS.

Your debug output does not show any authc calls (but the other calls
that are typical for an authentication are present). Are you sure the
PAM module of nss-pam-ldapd is used for authentication? Depending on
your OS you could have an older pam_ldap module installed. On Debian
and Ubuntu you want libpam-ldapd and not libpam-ldap.

If you want to stick with pam_ldap, the configuration file it generally
uses is /etc/pam_ldap.conf (or something similar), taking defaults
from /etc/ldap.conf.

> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_result(): uid=test,cn=users,cn=compat,dc=labsecurity,dc=local
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_result(): uid=test,cn=users,cn=accounts,dc=labsecurity,dc=local
> nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_result(): end of results (2 total)

This is also interesting. Your LDAP server has two test users. While
this should work in most cases, this could cause some confusion (e.g. in
returned attributes for the user or for group membership).

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
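As an added example, not part of the reply above and not code from nss-pam-ldapd, here is a small POSIX shell script that applies the two checks Arthur makes by eye to nslcd debug output: on each request id, does ldap_start_tls_s() appear before the bind, and does any PAM authentication request reach nslcd at all. The log lines in it are constructed after the quoted output; the assumption that nslcd tags PAM authentication requests as <authc="..."> is mine.

```shell
#!/bin/sh
# Added example, not code from the list post or from nss-pam-ldapd. It runs the
# two checks Arthur applies by eye to nslcd debug output:
#   1. on every request id, does ldap_start_tls_s() precede the bind?
#   2. is there any PAM authentication request (<authc="...">) at all?
# All log lines below are constructed after the quoted output. The <authc="...">
# tag for PAM authentication requests is an assumption about nslcd's log format.

# Constructed: one lookup that does STARTTLS, a second request that binds
# without it, and no authc request anywhere (the situation in the thread,
# where the authentication is not going through nslcd at all).
SAMPLE_NO_AUTHC='nslcd: [7b23c6] DEBUG: connection from pid=1686 uid=0 gid=0
nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_initialize(ldap://nodo-1.labsecurity.local)
nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_start_tls_s()
nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://nodo-1.labsecurity.local")
nslcd: [8a11f0] DEBUG: connection from pid=1702 uid=0 gid=0
nslcd: [8a11f0] <passwd="test"> DEBUG: ldap_initialize(ldap://nodo-1.labsecurity.local)
nslcd: [8a11f0] <passwd="test"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://nodo-1.labsecurity.local")'

# Constructed: what an authentication handled by pam_ldapd/nslcd would look
# like, with STARTTLS negotiated before the bind as the user's DN.
SAMPLE_WITH_AUTHC='nslcd: [c0ffee] DEBUG: connection from pid=1710 uid=0 gid=0
nslcd: [c0ffee] <authc="test"> DEBUG: ldap_initialize(ldap://nodo-1.labsecurity.local)
nslcd: [c0ffee] <authc="test"> DEBUG: ldap_start_tls_s()
nslcd: [c0ffee] <authc="test"> DEBUG: ldap_simple_bind_s("uid=test,cn=users,cn=accounts,dc=labsecurity,dc=local","***") (uri="ldap://nodo-1.labsecurity.local")'

# Read a log on stdin; print the request id of every bind that was not
# preceded by ldap_start_tls_s() on the same request id. Prints nothing
# when every bind is protected.
binds_without_starttls() {
    awk '
        match($0, /\[[0-9a-f]+\]/) { id = substr($0, RSTART + 1, RLENGTH - 2) }
        /ldap_start_tls_s\(\)/     { tls[id] = 1 }
        /ldap_[a-z_]*bind_s?\(/ && !tls[id] { print id }
    '
}

# Read a log on stdin; succeed only if at least one <authc="..."> request
# appears, i.e. authentication is actually reaching nslcd.
has_authc_request() {
    grep -q '<authc="'
}

# Combine both checks into one verdict string: "ok", or a space-separated
# list of findings ("bind-without-starttls:<ids>" and/or "no-authc-request").
assess_log() {
    _findings=""
    _ids=$(printf '%s\n' "$1" | binds_without_starttls | tr '\n' ' ')
    [ -n "$_ids" ] && _findings="bind-without-starttls:${_ids% }"
    printf '%s\n' "$1" | has_authc_request || _findings="${_findings:+$_findings }no-authc-request"
    echo "${_findings:-ok}"
}

echo "sample without authc: $(assess_log "$SAMPLE_NO_AUTHC")"
echo "sample with authc:    $(assess_log "$SAMPLE_WITH_AUTHC")"
```

To use it on a real system, replace the constructed samples with the output of `nslcd -d` captured while logging in as the test user: a "no-authc-request" finding points at the same conclusion as the reply (a different PAM module, such as the older pam_ldap, is doing the bind), while "bind-without-starttls" means nslcd itself is binding in the clear and nslcd.conf needs looking at.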