[Fedora-directory-commits] ldapserver/ldap/servers/plugins/pam_passthru README, 1.5, 1.6 pam_ptconfig.c, 1.8, 1.9 pam_ptpreop.c, 1.6, 1.7
Richard Allen Megginson (rmeggins)
fedora-directory-commits at redhat.com
Thu Mar 15 18:21:40 UTC 2007
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26089/ldapserver/ldap/servers/plugins/pam_passthru
Modified Files:
README pam_ptconfig.c pam_ptpreop.c
Log Message:
Resolves: bug 232377
Bug Description: PAM passthru ENTRY method not working
Reviewed by: prowley (Thanks!)
Fix Description: There are several problems.
1) For the ENTRY method to perform the internal search to get the entry for the bind DN, it must have a component ID (aka plugin identity). The code was already there to get/set it, but it was never initialized in the init function.
2) You cannot mix slapi_sdn_new* with slapi_sdn_init* - slapi_sdn_init will erase the knowledge that the Slapi_DN was allocated with malloc and it will not free it in slapi_sdn_free().
3) People may assume they can specify a subtree (e.g. ou=people,dc=example,dc=com) instead of a suffix for the list of included/excluded suffixes. The error message will not print a list of valid suffixes for the admin to use.
4) slapi_be_exist was failing because the database does not notify the mapping tree code that the backend is started during startup. This works fine under normal conditions because almost all of the code in mapping_tree.c will look up the backend if the mtn_be pointer in the mapping tree node is NULL. However, slapi_be_exist and slapi_be_select do not do this. The proper solution is to call slapi_mtn_be_started() at database startup time. This is the same thing that happens when a backend is added at runtime.
Platforms tested: FC6
Flag Day: no
Doc impact: no
Index: README
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/README,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- README 15 Sep 2006 21:20:36 -0000 1.5
+++ README 15 Mar 2007 18:21:37 -0000 1.6
@@ -155,7 +155,9 @@
pam_acct_mgmt() somewhere during the pam handshakes and before
pam_end() to get this information. We also try to return an
appropriate LDAP error code.
+
PAM Error Code LDAP Error Code Meaning
+============== =============== =======
PAM_USER_UNKNOWN LDAP_NO_SUCH_OBJECT User ID does not exist
PAM_AUTH_ERROR LDAP_INVALID_CREDENTIALS Password is not correct
PAM_ACCT_EXPIRED LDAP_INVALID_CREDENTIALS User's password is expired
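Review bot: The rows PAM_USER_UNKNOWN -> LDAP_NO_SUCH_OBJECT and PAM_AUTH_ERROR -> LDAP_INVALID_CREDENTIALS return two different result codes to the bind client, so an unknown user is distinguishable from a wrong password; since this hunk is already touching the table, add a sentence stating that this is intentional so that administrators concerned about account enumeration know to expect it. Also note that the new `============== =============== =======` underline only lines up in a fixed-width view because the columns are separated by runs of spaces rather than a delimiter.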
@@ -163,6 +165,7 @@
PAM_NEW_AUTHTOK_REQD LDAP_INVALID_CREDENTIALS User's password has expired and must be renewed
PAM_MAXTRIES LDAP_CONSTRAINT_VIOLATION Max retry count has been exceeded
Other codes LDAP_OPERATIONS_ERROR PAM config is incorrect, machine problem, etc.
+
There are three controls we might possibly add to the response:
* the auth response control - returned upon success - contains the BIND DN (u: not currently supported)
* LDAP_CONTROL_PWEXPIRED - returned when PAM reports ACCT_EXPIRED or NEW_AUTHTOK_REQD
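Review bot: The `Other codes LDAP_OPERATIONS_ERROR PAM config is incorrect, machine problem, etc.` row tells the client nothing actionable, which is correct, but the README should say where the real PAM diagnostic ends up; the Testing section added later in this patch points at /var/log/secure, and a cross-reference here ("see the PAM log, e.g. /var/log/secure, for the underlying error") would save an admin a round trip.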
@@ -182,7 +185,7 @@
1. Shutdown the server
2. Make sure the slapd-instance/config/schema contains the 60pam-config.ldif file
-3. Make sure serverroot/lib/pam-passthru-plugin.so exists
+3. Make sure plugindir/libpam-passthru-plugin.so exists
4. Make sure /etc/pam.d/ldapserver exists and is configured correctly
5. If the configuration is not already in dse.ldif, append the following to slapd-instance/config/dse.ldif
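Review bot: `+3. Make sure plugindir/libpam-passthru-plugin.so exists` introduces `plugindir` without defining it, while the dse.ldif fragment in the next hunk uses `/path/to/libpam-passthru-plugin.so` for the same file; pick one placeholder and state what it stands for (the directory the server was built to load plugins from), so step 3 and the `nsslapd-pluginpath` value are obviously the same path.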
@@ -192,7 +195,7 @@
objectclass: extensibleObject
objectclass: pamConfig
cn: PAM Pass Through Auth
-nsslapd-pluginpath: /opt/ldapserver/lib/pam-passthru-plugin.so
+nsslapd-pluginpath: /path/to/libpam-passthru-plugin.so
nsslapd-plugininitfunc: pam_passthruauth_init
nsslapd-plugintype: preoperation
nsslapd-pluginenabled: on
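Review bot: `+nsslapd-pluginpath: /path/to/libpam-passthru-plugin.so` is an improvement over the hard-coded /opt path, but it should use the same placeholder as step 3 of the install list (`plugindir/libpam-passthru-plugin.so`) so readers do not wonder whether two different files are meant. Since this value names a shared object the server will dlopen as its own identity, a short reminder that the file should be owned by root and not writable by the server's account (the `nobody` account referenced elsewhere in this README) belongs next to it.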
@@ -210,7 +213,25 @@
o=NetscapeRoot may be omitted if this is not a configuration DS. Then
restart slapd.
+Testing
+
+I find it convenient to just test against regular /etc/passwd accounts.
+0) Create a server instance with suffix dc=example,dc=com and load the Example.ldif file
+1) cd /etc/pam.d
+2) cp system-auth ldapserver (make sure ldapserver is readable by nobody or whatever your ldap server account is)
+3) useradd scarter (or any uid from Example.ldif)
+4) passwd scarter - use a different password than the LDAP password
+5) Make sure /etc/shadow is readable by nobody or whatever your ldap server account is
+
+You might want to turn off pamSecure for testing purposes unless you have already set up your server and ldap clients to use TLS.
+
+Then you can run a test like this:
+ldapsearch -x -D "uid=scarter,ou=people,dc=example,dc=com" -w thepassword -s base -b ""
+
+Check /var/log/secure for any PAM authentication failures
+
See Also
+
PAM API for Linux http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html
PAM API for Solaris Writing PAM Applications and Services from the Solaris Security for Developers Guide http://docs.sun.com/app/docs/doc/816-4863/6mb20lvfh?a=view
PAM API for HP-UX http://docs.hp.com/en/B2355-60103/pam.3.html
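Review bot: Step `+5) Make sure /etc/shadow is readable by nobody or whatever your ldap server account is` needs a warning that this is a throwaway-test-machine shortcut only: granting the directory server's account read access to the shadow file hands every local password hash to the server process and to anything that compromises it, so it must not be carried into a deployment. In the same section, `ldapsearch -x -D "..." -w thepassword` puts the bind password in the process list and shell history, so `-W` (prompt for the password) is the better example, and the suggestion to turn off `pamSecure` should say that the bind password then crosses the network in the clear, so do it only over loopback. A blank line before `+Testing` would match the spacing used for the `See Also` heading.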
Index: pam_ptconfig.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/pam_ptconfig.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- pam_ptconfig.c 10 Nov 2006 23:45:03 -0000 1.8
+++ pam_ptconfig.c 15 Mar 2007 18:21:37 -0000 1.9
@@ -266,7 +266,23 @@
return err;
}
-
+
+static void
+print_suffixes()
+{
+ void *cookie = NULL;
+ Slapi_DN *sdn = NULL;
+ slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
+ "The following is the list of valid suffixes to use with "
+ PAMPT_EXCLUDES_ATTR " and " PAMPT_INCLUDES_ATTR ":\n");
+ for (sdn = slapi_get_first_suffix(&cookie, 1);
+ sdn && cookie;
+ sdn = slapi_get_next_suffix(&cookie, 1)) {
+ slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
+ "\t%s\n", slapi_sdn_get_dn(sdn));
+ }
+}
+
/*
Validate the pending changes in the e entry.
*/
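Review bot: `+print_suffixes()` should be declared `print_suffixes(void)` so the compiler checks that it is called with no arguments; as written it is an old-style unprototyped declaration. The list is logged at SLAPI_LOG_FATAL, which is appropriate here since it is emitted only after a configuration validation failure, but a one-line comment above the function saying it is a diagnostic for the PAMPT_EXCLUDES_ATTR/PAMPT_INCLUDES_ATTR error path would make that intent clear. The `sdn && cookie` loop guard relies on slapi_get_first_suffix returning a NULL cookie at the end of the list; a comment stating that assumption would help the next reader.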
@@ -295,30 +311,27 @@
if (missing_suffix != PAMPT_MISSING_SUFFIX_IGNORE) {
char **missing_list = NULL;
- Slapi_DN *comp_dn = slapi_sdn_new();
/* get the list of excluded suffixes */
excludes = slapi_entry_attr_get_charray(e, PAMPT_EXCLUDES_ATTR);
for (ii = 0; excludes && excludes[ii]; ++ii) {
- slapi_sdn_init_dn_byref(comp_dn, excludes[ii]);
+ Slapi_DN *comp_dn = slapi_sdn_new_dn_byref(excludes[ii]);
if (!slapi_be_exist(comp_dn)) {
charray_add(&missing_list, slapi_ch_strdup(excludes[ii]));
}
- slapi_sdn_done(comp_dn);
+ slapi_sdn_free(&comp_dn);
}
/* get the list of included suffixes */
includes = slapi_entry_attr_get_charray(e, PAMPT_INCLUDES_ATTR);
for (ii = 0; includes && includes[ii]; ++ii) {
- slapi_sdn_init_dn_byref(comp_dn, includes[ii]);
+ Slapi_DN *comp_dn = slapi_sdn_new_dn_byref(includes[ii]);
if (!slapi_be_exist(comp_dn)) {
charray_add(&missing_list, slapi_ch_strdup(includes[ii]));
}
- slapi_sdn_done(comp_dn);
+ slapi_sdn_free(&comp_dn);
}
- slapi_sdn_free(&comp_dn);
-
if (missing_list) {
PRUint32 size =
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
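Review bot: Allocating the Slapi_DN per iteration with `slapi_sdn_new_dn_byref(excludes[ii])` and releasing it with `slapi_sdn_free(&comp_dn)` resolves the new/init mismatch described in the log message; the `byref` variant is only safe because each DN is freed before `excludes`/`includes` is released, so a comment to that effect on both loops would prevent someone later hoisting the free. One functional nit: a DN that appears in both PAMPT_EXCLUDES_ATTR and PAMPT_INCLUDES_ATTR and does not exist is added to `missing_list` twice, once per loop, so the returntext will name it twice; deduplicating or skipping values already in `missing_list` before `charray_add` would tidy the message.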
@@ -333,6 +346,7 @@
}
slapi_ch_array_free(missing_list);
missing_list = NULL;
+ print_suffixes();
if (missing_suffix != PAMPT_MISSING_SUFFIX_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"Warning: %s\n", returntext);
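Review bot: `+print_suffixes();` runs before the `"Warning: %s\n", returntext` (and presumably the error) log line below it, so in the error log the list of valid suffixes appears above the message explaining why it was printed. Moving the call after the warning/error branch, or having print_suffixes() emit its own one-line reason, would make the log read top-down.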
@@ -398,8 +412,7 @@
Pam_PassthruSuffix *newone = NULL;
if (suffix) {
newone = (Pam_PassthruSuffix *)slapi_ch_malloc(sizeof(Pam_PassthruSuffix));
- newone->pamptsuffix_dn = slapi_sdn_new();
- slapi_sdn_init_dn_byval(newone->pamptsuffix_dn, suffix);
+ newone->pamptsuffix_dn = slapi_sdn_new_dn_byval(suffix);
newone->pamptsuffix_next = NULL;
}
return newone;
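Review bot: `+newone->pamptsuffix_dn = slapi_sdn_new_dn_byval(suffix);` copies the string, so the Pam_PassthruSuffix now owns a heap-allocated Slapi_DN; please confirm that the matching teardown (not in this hunk) releases it with slapi_sdn_free rather than slapi_sdn_done, otherwise the same init/new mix-up this commit fixes recurs on the free side. Also `slapi_ch_malloc` does not zero the struct, which is fine as long as `pamptsuffix_dn` and `pamptsuffix_next` are its only fields; if a field is added later it will need initialising here.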
@@ -532,8 +545,7 @@
Pam_PassthruSuffix *try;
int ret = LDAP_SUCCESS;
- comp_dn = slapi_sdn_new();
- slapi_sdn_init_dn_byref(comp_dn, binddn);
+ comp_dn = slapi_sdn_new_dn_byref(binddn);
slapi_lock_mutex(cfg->lock);
if (!cfg->pamptconfig_includes && !cfg->pamptconfig_excludes) {
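Review bot: `+comp_dn = slapi_sdn_new_dn_byref(binddn);` turns `comp_dn` into a heap allocation taken before `slapi_lock_mutex(cfg->lock)`, so every return path after this point, including the early exit at `if (!cfg->pamptconfig_includes && !cfg->pamptconfig_excludes)`, must both unlock the mutex and call slapi_sdn_free(&comp_dn); the hunk does not show those paths, so please confirm none of them still uses slapi_sdn_done, which would leak the structure now that it is malloc'd. Since the DN is held by reference, `binddn` must also outlive `comp_dn`, which holds for the duration of this function.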
Index: pam_ptpreop.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/pam_ptpreop.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- pam_ptpreop.c 10 Nov 2006 23:45:03 -0000 1.6
+++ pam_ptpreop.c 15 Mar 2007 18:21:37 -0000 1.7
@@ -85,6 +85,9 @@
slapi_log_error( SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"=> pam_passthruauth_init\n" );
+ slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &pam_passthruauth_plugin_identity);
+ PR_ASSERT (pam_passthruauth_plugin_identity);
+
if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION,
(void *)SLAPI_PLUGIN_VERSION_01 ) != 0
|| slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION,
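Review bot: `+PR_ASSERT (pam_passthruauth_plugin_identity);` is compiled out in optimized builds, so in a release server a NULL identity would pass init silently and only surface later as a failed internal search in the ENTRY method, which is exactly the symptom this bug report describes. Add a runtime check next to the assert that logs at SLAPI_LOG_FATAL and returns non-zero from pam_passthruauth_init when the identity is NULL, so the plugin fails to load with a clear message instead of failing binds later.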