Rich, Andrey¹s suggestion worked. Yes, I have enabled SSL in the Admin server and Directory Server. But it still would fall back on 389-ds password, when ³pamsecure=TRUE¹. If I set pamsecure=FALSE, the authentication passed through to the AD as intended. How do I secure the communication between 389-ds and LDAP server? I used wireshark to capture packets, and it¹s all clear.> > To revisit, here''s the observation: pamsecure when set to TRUE authenticates > users only to the password in 389-ds, but when set to FALSE will > authenticate to the AD password only if the uid exists in /etc/passwd. >That''s really bizarre - the only place where pamSecure is used is here: if (cfg->pamptconfig_secure) { /* is a secure connection required? */ int is_ssl = 0; slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl); if (!is_ssl) { slapi_log_error( SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM, "<= connection not secure (secure connection required; check config)"); return retcode; } } That is, if pamSecure is true, requests will be rejected unless using TLS/SSL. Do you have your directory server configured to use TLS/SSL when using pamSecure: TRUE?
Prashanth Sundaram wrote:> Rich, > > Andrey’s suggestion worked. Yes, I have enabled SSL in the Admin > server and Directory Server. But it still would fall back on 389-ds > password, when “pamsecure=TRUE’. If I set pamsecure=FALSE, the > authentication passed through to the AD as intended. > > How do I secure the communication between 389-ds and LDAP server?I''m not sure what you mean - 389-ds is the LDAP server?> I used wireshark to capture packets, and it’s all clear.man pam_ldap - you''ll have to configure /etc/ldap.conf to use TLS and provide a CA cert.> > > > > To revisit, here''s the observation: pamsecure when set to TRUE > authenticates > users only to the password in 389-ds, but when set to FALSE will > authenticate to the AD password only if the uid exists in /etc/passwd. > > That''s really bizarre - the only place where pamSecure is used is here: > if (cfg->pamptconfig_secure) { /* is a secure connection required? */ > int is_ssl = 0; > slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl); > if (!is_ssl) { > slapi_log_error( SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM, "<= > connection not secure (secure connection required; check config)"); > return retcode; > } > } > That is, if pamSecure is true, requests will be rejected unless using > TLS/SSL. Do you have your directory server configured to use TLS/SSL > when using pamSecure: TRUE? > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >