Re: [nssldap] Question about getspnam/getpwnam and ldap

[Buchan Milne <bgmilne [at] mandriva.org>]

On Wednesday 09 January 2008 15:03:07 Markus Moeller wrote:
> Hi,
>
>  I am looking into replacing NIS with LDAP and came to a point where I
> still need to support getspnam/getpwnam for password checks as I have
> legacy applications which can not be changed.
>
> The question I have is how rfc 2307 is and should be enforced as I noticed
> differences between Linux and Solaris.  The rfc says:
>
>    userPassword values which do not adhere to this syntax MUST NOT be
>    used for authentication. The DUA MUST iterate through the values of
>    the attribute until a value matching the above syntax is found. Only
>    if encryptedpassword is an empty string does the user have no
>    password. DUAs are not required to consider encryption schemes which
>    the client will not recognize; in most cases, it may be sufficient to
>    consider only "crypt".
>
>
> Firstly does/should getspnam enforce "userPassword values which do not
> adhere to this syntax MUST NOT be used for authentication" by rejecting
> userpassword entries which don't follow rfc 2307 or is it up to the
> application since the rfc states "DUAs are not required to consider
> encryption schemes which  the client will not recognize; in most cases, it
> may be sufficient to  consider only "crypt"." too (assuming getspnam in
> nss_ldap is the DUA) ?  Solaris seems to enforce it in getspnam whereas
> Linux doesn't.

Can you be more specific ? Do you mean you are using something besides clear 
(no encryption scheme identifier) or crypt, and seeing the password hash ?

I tested with just {ssha}, and 'getent shadow bgmilne' did not show a hash:

[root@tiger ~]# getent shadow bgmilne
bgmilne:*:12920::99999:7:::0

I added a {crypt} password (so I have both {ssha} and {crypt}), and 
then 'getent shadow bgmilne' showed just the {crypt} hash in place of the *. 
I did not test clear text passwords (with no identifier).

> Also Windows 2003 R2 uses unixuserpassword (this entry can 
> be synchronised with the Kerberos password in AD and is therefore
> preferred) which does not follow rfc2307 as it contains the hash without
> {crypt}.

Maybe they expect you to type the hash :-P.

> The rfc states also:
>
>   A DUA MAY utilise the attributes in the shadowAccount class to
>    provide shadow password service (getspnam() and getspent()). In such
>    cases, the DUA MUST NOT make use of the userPassword attribute for
>    getpwnam() et al, and MUST return a non-matchable password (such as
>    "x") to the client instead.
>
> I noticed on Linux that provides the user with both the userpassword in
> getpwnam and in getspnam.

I tested as follows:

$ perl -e 'my @foo = getpwnam("bgmilne");print "$foo[1]\n";'

and I get the password hash if the proxyuser (binddn in nss_ldap's ldap.conf) 
has read access to userPassword (which usually isn't required or desirable). 
Otherwise, I get:

[bgmilne@tiger ~]$ perl -e 'my @foo = getpwnam("bgmilne");print "$foo[1]\n";'
*

If under these conditions, the rootbinddn has read access to userPassword, 
root will still get the hash via getpwnam. I haven't tested with getspnam, as 
there is no perl builtin ... 

> Is that against RFC 2307 ? Does this mean a 
> getpwnam call need internally do a getspnam call to check if a password is
> provided before returning to the application ?

Please provide more information on how you arrive at your conclusions 
(including your configuration - at least what the DNs you use for binddn and 
rootbinddn have read access to).

In the typical configuration, where the proxy user does not have read access 
to userPassword, it seems nss_ldap under Linux behaves (mostly) correctly.

Regards,
Buchan