[389-users] PAM PTA partially working

[Rich Megginson]

Prashanth Sundaram wrote:
> Rich,
>
> Andrey’s suggestion worked. Yes, I have enabled SSL in the Admin 
> server and Directory Server. But it still would fall back on 389-ds 
> password, when “pamsecure=TRUE’. If I set pamsecure=FALSE, the 
> authentication passed through to the AD as intended.
>
> How do I secure the communication between 389-ds and LDAP server?
I'm not sure what you mean - 389-ds is the LDAP server?
> I used wireshark to capture packets, and it’s all clear.
man pam_ldap - you'll have to configure /etc/ldap.conf to use TLS and 
provide a CA cert.
>
>
>
>
>     To revisit, here's the observation: pamsecure when set to TRUE
>     authenticates
>     users only to the password in 389-ds, but when set to FALSE will
>     authenticate to the AD password only if the uid exists in /etc/passwd.
>
> That's really bizarre - the only place where pamSecure is used is here:
> if (cfg->pamptconfig_secure) { /* is a secure connection required? */
> int is_ssl = 0;
> slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl);
> if (!is_ssl) {
> slapi_log_error( SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM, "<= 
> connection not secure (secure connection required; check config)");
> return retcode;
> }
> }
> That is, if pamSecure is true, requests will be rejected unless using 
> TLS/SSL. Do you have your directory server configured to use TLS/SSL 
> when using pamSecure: TRUE?
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090922/415bf91c/attachment.bin>