lists.arthurdejong.org
Re: nslcd: passwords in clear text even if TLS is configured


Hi Arthur,

I think I understood the cause of the problem. I was using a pam_ldap module I cross-compiled from the "stand-alone" pam-ldap project, and not the pam_ldap that comes from the nslcd project. I assumed they were the same, but I suppose they are not, because with the pam_ldap.so module from the nslcd project those simple binds with the password in clear text are not present anymore, and the STARTTLS operation seems to work as expected. Thanks.

Andrea.

On 08/03/2022 00:38, Arthur de Jong wrote:
On Mon, 2022-03-07 at 12:04 +0100, Andrea Sighinolfi wrote:
 nslcd: [7b23c6] DEBUG: connection from  pid=1686 uid=0 gid=0
 nslcd: [7b23c6] <passwd="test"> DEBUG: myldap_search(base="dc=labsecurity,dc=local", filter="(&(objectClass=posixAccount)(uid=test))")
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_initialize(ldap://nodo-1.labsecurity.local)
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_rebind_proc()
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_start_tls_s()
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://nodo-1.labsecurity.local")
The normal search connection at least seems to do the call that
initiates STARTTLS.

Your debug output does not show any authc calls (but the other calls
that are typical for an authentication are present). Are you sure the
PAM module of nss-pam-ldapd is used for authentication? Depending on
your OS you could have an older pam_ldap module installed. On Debian
and Ubuntu you want libpam-ldapd and not libpam-ldap.

If you want to stick with pam_ldap the configuration file it generally
uses is /etc/pam_ldap.conf (or something similar) and taking defaults
from /etc/ldap.conf.

 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_result(): uid=test,cn=users,cn=compat,dc=labsecurity,dc=local
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_result(): uid=test,cn=users,cn=accounts,dc=labsecurity,dc=local
 nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_result(): end of results (2 total)
This is also interesting. Your LDAP server has two test users. While
this should work in most cases this could cause some confusion (e.g. in
returned attributes for the user or for group membership).

Hope this helps,

--

Ing. Andrea Sighinolfi

R&D


SITTI S.p.A.
Via Cadorna, 73
20055 Vimodrone (MI) - ITALY

Phone +39.02.2507121
Mobile +39.xxxxxxxxx

Email:  andrea.sighinolfi [at] sitti.it
Website: www.sitti.it

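As an added example that is not part of this thread: a small Python check that walks nslcd debug output of the form quoted above and reports, per connection id, a simple bind issued on a plain ldap:// URI before ldap_start_tls_s(), a lookup that matched more than one entry, and whether any authc request appears in the log at all. The sample log is constructed from the quoted lines; the second session id (aa00ff) and its lines are invented for illustration.

```python
import re
from collections import defaultdict

# One nslcd debug line: "nslcd: [<session>] [<request>] DEBUG: <message>"
LINE_RE = re.compile(r'nslcd: \[(?P<sid>[0-9a-f]+)\] (?:<[^>]*> )?DEBUG: (?P<msg>.*)')
RESULTS_RE = re.compile(r'end of results \((\d+) total\)')

def audit_nslcd_debug(log_text):
    """Return (issues per session id, whether an authc request was seen)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sessions[m['sid']].append(m['msg'])
    issues = {}
    for sid, msgs in sessions.items():
        tls_started, found = False, []
        for msg in msgs:
            if msg.startswith('ldap_start_tls_s('):
                tls_started = True
            # A simple bind on ldap:// with no preceding STARTTLS goes out in clear.
            elif msg.startswith('ldap_simple_bind_s(') and not tls_started \
                    and 'uri="ldaps://' not in msg:
                found.append('bind before STARTTLS')
            r = RESULTS_RE.search(msg)
            if r and int(r.group(1)) > 1:
                found.append(f'{r.group(1)} entries matched')
        if found:
            issues[sid] = found
    # nslcd tags authentication requests as <authc="user"> (the "authc calls"
    # referred to in the thread); passwd lookups without any of them suggest
    # PAM is not talking to nslcd at all.
    saw_authc = '<authc=' in log_text
    return issues, saw_authc

# Constructed sample, modelled on the lines quoted in this thread: session
# 7b23c6 does STARTTLS before binding but matches two entries; the invented
# session aa00ff binds on plain ldap:// without STARTTLS.
SAMPLE_LOG = """\
nslcd: [7b23c6] DEBUG: connection from  pid=1686 uid=0 gid=0
nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_initialize(ldap://nodo-1.labsecurity.local)
nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_start_tls_s()
nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://nodo-1.labsecurity.local")
nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_result(): uid=test,cn=users,cn=compat,dc=labsecurity,dc=local
nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_result(): uid=test,cn=users,cn=accounts,dc=labsecurity,dc=local
nslcd: [7b23c6] <passwd="test"> DEBUG: ldap_result(): end of results (2 total)
nslcd: [aa00ff] <passwd="test"> DEBUG: ldap_initialize(ldap://nodo-1.labsecurity.local)
nslcd: [aa00ff] <passwd="test"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://nodo-1.labsecurity.local")
"""
```

Feed it the output of `nslcd -d` captured during a login attempt; a session with `bind before STARTTLS` or a log with no authc request at all points at the misconfiguration discussed in this thread.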