Paul Engle
2006-May-25 14:17 UTC
[Fedora-directory-users] Securing the Pam Passthru plugin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I've installed and configured the pam passthru plugin so that we can do simple binds without having to store passwords in the directory. It's working, but I can't seem to get the pamSecure attribute to take effect. My entry in dse.ldif for the plugin is:

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.0.2
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: PAM pass through authentication plugin

That's pretty much a cut & paste from the README that comes with the plugin source. Docs are sketchy, but I thought that pamSecure was supposed to prevent a non-SSL connection from being able to do the passthru bind? Even though I have it set to true, I can bind to port 389 of my server with no error. Obviously, that's not acceptable. Am I misunderstanding the purpose of this attribute? If so, is there any other way to enforce TLS for simple binds?

Also, is there any plan to include this plugin in the default build of FDS? It's included with the source, but it's commented out of the Makefile, at least for version 1.0.2.

Thanks,
-paul

- --
Paul D. Engle             | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702            | P.O. Box 1892
pengle@rice.edu           | Houston, TX 77251-1892
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEdbxkCpkISWtyHNsRApDyAKDoSSB0omRek5XhAdbsBJJ+ioP8DgCfWRsG
LClbobetOFgcM/U8gBFoOyQ=
=tgjh
-----END PGP SIGNATURE-----
Richard Megginson
2006-May-25 14:34 UTC
Re: [Fedora-directory-users] Securing the Pam Passthru plugin
Paul Engle wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello all,
>
> I've installed and configured the pam passthru plugin so that we can do
> simple binds without having to store passwords in the directory. It's
> working, but I can't seem to get the pamSecure attribute to take effect. My
> entry in dse.ldif for the plugin is:
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: pamConfig
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: o=NetscapeRoot
> pamExcludeSuffix: cn=config
> pamMapMethod: RDN
> pamFallback: FALSE
> pamSecure: TRUE
>
Looks like these two fields are not expecting a boolean value, rather an integer value. So, use 1 instead of TRUE and 0 instead of FALSE.

> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.0.2
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
>
> That's pretty much a cut & paste from the README that comes with the plugin
> source. Docs are sketchy, but I thought that pamSecure was supposed to
> prevent a non-SSL connection from being able to do the passthru bind? Even
> though I have it set to true, I can bind to port 389 of my server with no
> error. Obviously, that's not acceptable. Am I misunderstanding the purpose
> of this attribute? If so, is there any other way to enforce TLS for simple
> binds?
>
> Also, is there any plan to include this plugin in the default build of FDS?
> It's included with the source, but it's commented out of the Makefile, at
> least for version 1.0.2.
>
No plans yet. We're still trying to evaluate the general usefulness of it as well as its testability.

> Thanks,
> -paul
>
> - --
> Paul D. Engle             | Rice University
> Sr. Systems Administrator | Information Technology - MS119
> (713) 348-4702            | P.O. Box 1892
> pengle@rice.edu           | Houston, TX 77251-1892
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFEdbxkCpkISWtyHNsRApDyAKDoSSB0omRek5XhAdbsBJJ+ioP8DgCfWRsG
> LClbobetOFgcM/U8gBFoOyQ=
> =tgjh
> -----END PGP SIGNATURE-----
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
Paul Engle
2006-May-25 14:39 UTC
Re: [Fedora-directory-users] Securing the Pam Passthru plugin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --On Thursday, May 25, 2006 08:34:08 AM -0600 Richard Megginson <rmeggins@redhat.com> wrote:

>> pamFallback: FALSE
>> pamSecure: TRUE
>>
> Looks like these two fields are not expecting a boolean value, rather an
> integer value. So, use 1 instead of TRUE and 0 instead of FALSE.

Excellent! That works like a charm. I think we're about ready to go production with this baby.

Thanks!
-paul

- --
Paul D. Engle             | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702            | P.O. Box 1892
pengle@rice.edu           | Houston, TX 77251-1892
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEdcGHCpkISWtyHNsRAnzgAKD5EAfTvOVkvoAEWxkrqwss51m8MQCg6iR1
J1wJK7GboYJlkSaDOUoQ58M=
=Ezcn
-----END PGP SIGNATURE-----
Richard Megginson
2006-May-25 14:43 UTC
Re: [Fedora-directory-users] Securing the Pam Passthru plugin
Paul Engle wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --On Thursday, May 25, 2006 08:34:08 AM -0600 Richard Megginson
> <rmeggins@redhat.com> wrote:
>
>>> pamFallback: FALSE
>>> pamSecure: TRUE
>>>
>> Looks like these two fields are not expecting a boolean value, rather an
>> integer value. So, use 1 instead of TRUE and 0 instead of FALSE.
>>
>
> Excellent! That works like a charm. I think we're about ready to go
> production with this baby.
>
Please let us know how it works, what problems there are, enhancement requests. This will help us to determine if it should be enabled by default (or at least built/packaged).

BTW, I fixed the problem you reported - if you grab the latest version of ldapserver/ldap/servers/plugins/pam_passthru/pam_ptconfig.c from CVS you will be able to use boolean values (e.g. true, yes, on) instead of just 0 and 1.

> Thanks!
> -paul
>
> - --
> Paul D. Engle             | Rice University
> Sr. Systems Administrator | Information Technology - MS119
> (713) 348-4702            | P.O. Box 1892
> pengle@rice.edu           | Houston, TX 77251-1892
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFEdcGHCpkISWtyHNsRAnzgAKD5EAfTvOVkvoAEWxkrqwss51m8MQCg6iR1
> J1wJK7GboYJlkSaDOUoQ58M=
> =Ezcn
> -----END PGP SIGNATURE-----
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
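The pitfall in this thread is easy to miss in review: `pamSecure: TRUE` looks enabled in dse.ldif but the 1.0.2 plugin parses the value as an integer, so the secure-connection requirement was silently off until it was changed to `1`. The script below is an added example, not code from the thread or from the Fedora Directory Server project: it reads a dse.ldif, finds the `cn=PAM Pass Through Auth,cn=plugins,cn=config` entry, flags `pamSecure`/`pamFallback` values that are not the intended `1`/`0` (plus a missing `pamExcludeSuffix: cn=config`), and rewrites TRUE/FALSE-style spellings to `1`/`0`. The sample LDIF is constructed from the entry posted above, trimmed to the relevant attributes; the intended values (`pamSecure` 1, `pamFallback` 0) are taken from what the poster was trying to achieve. On a build that already carries the pam_ptconfig.c fix mentioned in the last reply, boolean spellings work and the linter's integer rule is only a consistency check.

```python
"""Lint the PAM Pass Through Auth plugin entry in a Fedora DS dse.ldif for the
integer-vs-boolean pitfall (plugin version 1.0.2). Illustrative code only."""

import re

PAM_PLUGIN_DN = "cn=PAM Pass Through Auth,cn=plugins,cn=config"

# Intended values per the thread: pamSecure 1 (passthru bind only on a secure
# connection), pamFallback 0 (no fallback to the directory-stored password).
EXPECTED = {"pamsecure": "1", "pamfallback": "0"}

# Spellings the 1.0.2 plugin does not read as 1/0 (later CVS builds accept them).
_TRUE_WORDS = {"true", "yes", "on"}
_FALSE_WORDS = {"false", "no", "off"}

# Constructed sample: the posted entry, trimmed to the attributes that matter.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginEnabled: on
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
nsslapd-pluginVersion: 1.0.2
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attr_lowercase: [values]} dict per entry.
    Unfolds RFC 2849 continuation lines; does not decode base64 ('::') values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr = attr.strip().lower()
        if attr == "dn":
            if current:
                entries.append(current)
            current = {}
        if current is None:
            continue
        current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def lint_pam_passthru(ldif_text):
    """Return a list of findings; an empty list means the entry is as intended."""
    entry = next((e for e in parse_ldif(ldif_text)
                  if e.get("dn", [""])[0].lower() == PAM_PLUGIN_DN.lower()), None)
    if entry is None:
        return ["no '%s' entry found" % PAM_PLUGIN_DN]
    findings = []
    if entry.get("nsslapd-pluginenabled", [""])[0].lower() != "on":
        findings.append("nsslapd-pluginEnabled is not 'on'")
    for attr, want in EXPECTED.items():
        values = entry.get(attr)
        if not values:
            findings.append("%s missing (want %s)" % (attr, want))
        elif values[0] != want:
            # 1.0.2 reads these as integers: 'TRUE' is not 1, so the option
            # stays off even though the file looks like it enables it.
            findings.append("%s is %r, want %s" % (attr, values[0], want))
    excluded = [v.lower() for v in entry.get("pamexcludesuffix", [])]
    if "cn=config" not in excluded:
        findings.append("pamExcludeSuffix does not exclude cn=config")
    return findings


_BOOL_LINE = re.compile(r"^(pamSecure|pamFallback):\s*(\S+)\s*$", re.IGNORECASE)


def normalize_booleans(ldif_text):
    """Rewrite TRUE/FALSE-style pamSecure/pamFallback values to 1/0, the form
    the 1.0.2 plugin parses. Every other line passes through unchanged."""
    out = []
    for line in ldif_text.splitlines():
        m = _BOOL_LINE.match(line)
        if m:
            word = m.group(2).lower()
            if word in _TRUE_WORDS:
                line = "%s: 1" % m.group(1)
            elif word in _FALSE_WORDS:
                line = "%s: 0" % m.group(1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_pam_passthru(SAMPLE_DSE_LDIF):
        print("before:", finding)
    print("after:", lint_pam_passthru(normalize_booleans(SAMPLE_DSE_LDIF)) or "clean")
```

Run it against a copy of dse.ldif (the server rewrites that file, so edit it only while the server is stopped) and treat any finding as a reason not to trust that pass-through binds are confined to TLS; the linter only checks the file, so confirm the behaviour as the poster did, by attempting a simple bind on port 389 and expecting it to be refused.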