[Fedora-directory-users] Securing the Pam Passthru plugin
Richard Megginson
rmeggins at redhat.com
Thu May 25 14:34:08 UTC 2006
Paul Engle wrote:
> Hello all,
>
> I've installed and configured the pam passthru plugin so that we can do
> simple binds without having to store passwords in the directory. It's
> working, but I can't seem to get the pamSecure attribute to take effect. My
> entry in dse.ldif for the plugin is:
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: pamConfig
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: o=NetscapeRoot
> pamExcludeSuffix: cn=config
> pamMapMethod: RDN
> pamFallback: FALSE
> pamSecure: TRUE
>
Looks like these two fields are not expecting a boolean value, rather an
integer value. So, use 1 instead of TRUE and 0 instead of FALSE.
> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.0.2
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
>
> That's pretty much a cut & paste from the README that comes with the plugin
> source. Docs are sketchy, but I thought that pamSecure was supposed to
> prevent a non-SSL connection from being able to do the passthru bind? Even
> though I have it set to true, I can bind to port 389 of my server with no
> error. Obviously, that's not acceptable. Am I misunderstanding the purpose
> of this attribute? If so, is there any other way to enforce TLS for simple
> binds?
>
> Also, is there any plan to include this plugin in the default build of FDS?
> It's included with the source, but it's commented out of the Makefile, at
> least for version 1.0.2.
>
No plans yet. We're still trying to evaluate the general usefulness of
it as well as its testability.
> Thanks,
> -paul
>
> - --
> Paul D. Engle | Rice University
> Sr. Systems Administrator | Information Technology - MS119
> (713) 348-4702 | P.O. Box 1892
> pengle at rice.edu | Houston, TX 77251-1892
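An added check, not part of the thread and not code from the plugin: a small Python script that parses the plugin entry out of dse.ldif and flags pamSecure/pamFallback values written as TRUE/FALSE instead of the integers Richard describes. The sample entry is constructed from Paul's post, and the expected values 1 and 0 are the settings he is trying to reach.

```python
import re

# Constructed sample: the plugin entry as posted in the thread, trimmed to the
# attributes the check reads; pamSecure/pamFallback still carry TRUE/FALSE.
SAMPLE_LDIF = """\
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginEnabled: on
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
"""

PLUGIN_DN = "cn=PAM Pass Through Auth,cn=plugins,cn=config"

def parse_ldif(text):
    """Parse LDIF into {dn: {attr_lowercase: [values]}} (base64 '::' not decoded)."""
    entries, attrs = {}, {}
    lines = re.sub(r"\n ", "", text).splitlines()  # unfold continuation lines
    for line in lines + [""]:                       # trailing "" flushes last entry
        if not line.strip():
            if "dn" in attrs:
                entries[attrs["dn"][0]] = attrs
            attrs = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def check_pam_passthru(text):
    """Return findings: pamSecure/pamFallback must be the integers 1/0 (not
    TRUE/FALSE), and cn=config should stay in pamExcludeSuffix."""
    entry = parse_ldif(text).get(PLUGIN_DN)
    if entry is None:
        return ["plugin entry not found"]
    findings = []
    for attr, expected in (("pamsecure", "1"), ("pamfallback", "0")):
        val = entry.get(attr, [""])[0]
        if not val.isdigit():
            findings.append(f"{attr}: '{val}' is not an integer; use {expected}")
        elif val != expected:
            findings.append(f"{attr}: is {val}, expected {expected}")
    if "cn=config" not in [v.lower() for v in entry.get("pamexcludesuffix", [])]:
        findings.append("pamexcludesuffix: cn=config is not excluded")
    return findings
```

Run it against the real dse.ldif after stopping the server; an empty list means the two attributes already hold integer values.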