[389-users] PAM PTA partially working
Prashanth Sundaram
psundaram at wgen.net
Tue Sep 22 21:15:08 UTC 2009
Rich,
Andrey¹s suggestion worked. Yes, I have enabled SSL in the Admin server and
Directory Server. But it still would fall back on 389-ds password, when
³pamsecure=TRUE¹. If I set pamsecure=FALSE, the authentication passed
through to the AD as intended.
How do I secure the communication between 389-ds and LDAP server? I used
wireshark to capture packets, and it¹s all clear.
>
> To revisit, here's the observation: pamsecure when set to TRUE authenticates
> users only to the password in 389-ds, but when set to FALSE will
> authenticate to the AD password only if the uid exists in /etc/passwd.
>
That's really bizarre - the only place where pamSecure is used is here:
if (cfg->pamptconfig_secure) { /* is a secure connection required? */
int is_ssl = 0;
slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl);
if (!is_ssl) {
slapi_log_error( SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"<= connection not secure (secure connection required; check config)");
return retcode;
}
}
That is, if pamSecure is true, requests will be rejected unless using
TLS/SSL. Do you have your directory server configured to use TLS/SSL when
using pamSecure: TRUE?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090922/5d268e66/attachment.htm>
More information about the Fedora-directory-users
mailing list