author | Rich Megginson <rmeggins@redhat.com> | 2007-03-15 18:21:43 +0000 |
---|---|---|
committer | Rich Megginson <rmeggins@redhat.com> | 2007-03-15 18:21:43 +0000 |
commit | 4f079fb8eb74f636aeb8ac64ebfb88b714fe1909 (patch) | |
tree | aa19d108e4b5c68a7ec9dffcc8e4a0a972e60b5d | |
parent | 7f07b4f138f52e9d523f69d80ef4ecfeb98301cd (diff) | |
Resolves: bug 232377
Bug Description: PAM passthru ENTRY method not working
Reviewed by: prowley (Thanks!)
Fix Description: There are several problems.
1) For the ENTRY method to perform the internal search to get the entry for the bind DN, it must have a component ID (aka plugin identity). The code was already there to get/set it, but it was never initialized in the init function.
2) You cannot mix slapi_sdn_new* with slapi_sdn_init* - slapi_sdn_init will erase the knowledge that the Slapi_DN was allocated with malloc and it will not free it in slapi_sdn_free().
3) People may assume they can specify a subtree (e.g. ou=people,dc=example,dc=com) instead of a suffix for the list of included/excluded suffixes. The error message will not print a list of valid suffixes for the admin to use.
4) slapi_be_exist was failing because the database does not notify the mapping tree code that the backend is started during startup. This works fine under normal conditions because almost all of the code in mapping_tree.c will look up the backend if the mtn_be pointer in the mapping tree node is NULL. However, slapi_be_exist and slapi_be_select do not do this. The proper solution is to call slapi_mtn_be_started() at database startup time. This is the same thing that happens when a backend is added at runtime.
Platforms tested: FC6
Flag Day: no
Doc impact: no
-rw-r--r-- | ldap/servers/plugins/pam_passthru/README | 25 | ||||
-rw-r--r-- | ldap/servers/plugins/pam_passthru/pam_ptconfig.c | 36 | ||||
-rw-r--r-- | ldap/servers/plugins/pam_passthru/pam_ptpreop.c | 3 | ||||
-rw-r--r-- | ldap/servers/slapd/back-ldbm/instance.c | 1 | ||||
-rw-r--r-- | ldap/servers/slapd/backend_manager.c | 4 | ||||
-rw-r--r-- | ldap/servers/slapd/mapping_tree.c | 6 |
6 files changed, 61 insertions, 14 deletions
diff --git a/ldap/servers/plugins/pam_passthru/README b/ldap/servers/plugins/pam_passthru/README index c0a6354f..9f294ba5 100644 --- a/ldap/servers/plugins/pam_passthru/README +++ b/ldap/servers/plugins/pam_passthru/README @@ -155,7 +155,9 @@ values when the password has expired. So we need to call pam_acct_mgmt() somewhere during the pam handshakes and before pam_end() to get this information. We also try to return an appropriate LDAP error code. + PAM Error Code LDAP Error Code Meaning +============== =============== ======= PAM_USER_UNKNOWN LDAP_NO_SUCH_OBJECT User ID does not exist PAM_AUTH_ERROR LDAP_INVALID_CREDENTIALS Password is not correct PAM_ACCT_EXPIRED LDAP_INVALID_CREDENTIALS User's password is expired @@ -163,6 +165,7 @@ PAM_PERM_DENIED LDAP_UNWILLING_TO_PERFORM User's account is locked out PAM_NEW_AUTHTOK_REQD LDAP_INVALID_CREDENTIALS User's password has expired and must be renewed PAM_MAXTRIES LDAP_CONSTRAINT_VIOLATION Max retry count has been exceeded Other codes LDAP_OPERATIONS_ERROR PAM config is incorrect, machine problem, etc. + There are three controls we might possibly add to the response: * the auth response control - returned upon success - contains the BIND DN (u: not currently supported) * LDAP_CONTROL_PWEXPIRED - returned when PAM reports ACCT_EXPIRED or NEW_AUTHTOK_REQD @@ -182,7 +185,7 @@ Configuration 1. Shutdown the server 2. Make sure the slapd-instance/config/schema contains the 60pam-config.ldif file -3. Make sure serverroot/lib/pam-passthru-plugin.so exists +3. Make sure plugindir/libpam-passthru-plugin.so exists 4. Make sure /etc/pam.d/ldapserver exists and is configured correctly 5. If the configuration is not already in dse.ldif, append the following to slapd-instance/config/dse.ldif 
@@ -192,7 +195,7 @@ objectclass: nsSlapdPlugin objectclass: extensibleObject objectclass: pamConfig cn: PAM Pass Through Auth -nsslapd-pluginpath: /opt/ldapserver/lib/pam-passthru-plugin.so +nsslapd-pluginpath: /path/to/libpam-passthru-plugin.so nsslapd-plugininitfunc: pam_passthruauth_init nsslapd-plugintype: preoperation nsslapd-pluginenabled: on @@ -210,7 +213,25 @@ Make sure there is a blank line at the end. The line with o=NetscapeRoot may be omitted if this is not a configuration DS. Then restart slapd. +Testing + +I find it convenient to just test against regular /etc/passwd accounts. +0) Create a server instance with suffix dc=example,dc=com and load the Example.ldif file +1) cd /etc/pam.d +2) cp system-auth ldapserver (make sure ldapserver is readable by nobody or whatever your ldap server account is) +3) useradd scarter (or any uid from Example.ldif) +4) passwd scarter - use a different password than the LDAP password +5) Make sure /etc/shadow is readable by nobody or whatever your ldap server account is + +You might want to turn off pamSecure for testing purposes unless you have already set up your server and ldap clients to use TLS. + +Then you can run a test like this: +ldapsearch -x -D "uid=scarter,ou=people,dc=example,dc=com" -w thepassword -s base -b "" + +Check /var/log/secure for any PAM authentication failures + See Also + PAM API for Linux http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html PAM API for Solaris Writing PAM Applications and Services from the Solaris Security for Developers Guide http://docs.sun.com/app/docs/doc/816-4863/6mb20lvfh?a=view PAM API for HP-UX http://docs.hp.com/en/B2355-60103/pam.3.html diff --git a/ldap/servers/plugins/pam_passthru/pam_ptconfig.c b/ldap/servers/plugins/pam_passthru/pam_ptconfig.c index 4528802b..4447c8a7 100644 --- a/ldap/servers/plugins/pam_passthru/pam_ptconfig.c +++ b/ldap/servers/plugins/pam_passthru/pam_ptconfig.c 
@@ -266,7 +266,23 @@ parse_map_method(char *map_method, int *one, int *two, int *three, char *returnt
 return err;
 }
-
+
+static void
+print_suffixes()
+{
+ void *cookie = NULL;
+ Slapi_DN *sdn = NULL;
+ slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
+ "The following is the list of valid suffixes to use with "
+ PAMPT_EXCLUDES_ATTR " and " PAMPT_INCLUDES_ATTR ":\n");
+ for (sdn = slapi_get_first_suffix(&cookie, 1);
+ sdn && cookie;
+ sdn = slapi_get_next_suffix(&cookie, 1)) {
+ slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
+ "\t%s\n", slapi_sdn_get_dn(sdn));
+ }
+}
+
 /* Validate the pending changes in the e entry. */
@@ -295,30 +311,27 @@ pam_passthru_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_
 if (missing_suffix != PAMPT_MISSING_SUFFIX_IGNORE) {
 char **missing_list = NULL;
- Slapi_DN *comp_dn = slapi_sdn_new();
 /* get the list of excluded suffixes */
 excludes = slapi_entry_attr_get_charray(e, PAMPT_EXCLUDES_ATTR);
 for (ii = 0; excludes && excludes[ii]; ++ii) {
- slapi_sdn_init_dn_byref(comp_dn, excludes[ii]);
+ Slapi_DN *comp_dn = slapi_sdn_new_dn_byref(excludes[ii]);
 if (!slapi_be_exist(comp_dn)) {
 charray_add(&missing_list, slapi_ch_strdup(excludes[ii]));
 }
- slapi_sdn_done(comp_dn);
+ slapi_sdn_free(&comp_dn);
 }
 /* get the list of included suffixes */
 includes = slapi_entry_attr_get_charray(e, PAMPT_INCLUDES_ATTR);
 for (ii = 0; includes && includes[ii]; ++ii) {
- slapi_sdn_init_dn_byref(comp_dn, includes[ii]);
+ Slapi_DN *comp_dn = slapi_sdn_new_dn_byref(includes[ii]);
 if (!slapi_be_exist(comp_dn)) {
 charray_add(&missing_list, slapi_ch_strdup(includes[ii]));
 }
- slapi_sdn_done(comp_dn);
+ slapi_sdn_free(&comp_dn);
 }
- slapi_sdn_free(&comp_dn);
-
 if (missing_list) {
 PRUint32 size = PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
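Review bot: `print_suffixes()` is declared with an empty parameter list, which in C is an old-style declaration that accepts any arguments rather than none; the definition should read `static void print_suffixes(void)`. The loop condition `sdn && cookie` also ends the walk as soon as the cookie goes NULL, so if slapi_get_next_suffix() clears the cookie while handing back the final suffix, that last suffix never reaches the log — worth confirming against the iterator's contract, since admins will copy entries from this list. Note too that the second argument `1` appears to ask for private suffixes as well, so the printed list may contain names the plugin would not normally be configured with. The validate_config hunk that follows in this section is cut off by the page, so it is not reviewed here.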
@@ -333,6 +346,7 @@ pam_passthru_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_
 }
 slapi_ch_array_free(missing_list);
 missing_list = NULL;
+ print_suffixes();
 if (missing_suffix != PAMPT_MISSING_SUFFIX_ERROR) {
 slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM, "Warning: %s\n", returntext);
@@ -398,8 +412,7 @@ New_Pam_PassthruSuffix(char *suffix)
 Pam_PassthruSuffix *newone = NULL;
 if (suffix) {
 newone = (Pam_PassthruSuffix *)slapi_ch_malloc(sizeof(Pam_PassthruSuffix));
- newone->pamptsuffix_dn = slapi_sdn_new();
- slapi_sdn_init_dn_byval(newone->pamptsuffix_dn, suffix);
+ newone->pamptsuffix_dn = slapi_sdn_new_dn_byval(suffix);
 newone->pamptsuffix_next = NULL;
 }
 return newone;
@@ -532,8 +545,7 @@ pam_passthru_check_suffix(Pam_PassthruConfig *cfg, char *binddn)
 Pam_PassthruSuffix *try;
 int ret = LDAP_SUCCESS;
- comp_dn = slapi_sdn_new();
- slapi_sdn_init_dn_byref(comp_dn, binddn);
+ comp_dn = slapi_sdn_new_dn_byref(binddn);
 slapi_lock_mutex(cfg->lock);
 if (!cfg->pamptconfig_includes && !cfg->pamptconfig_excludes) {
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
index b27d4dc3..254a30a1 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
@@ -85,6 +85,9 @@ pam_passthruauth_init( Slapi_PBlock *pb )
 slapi_log_error( SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM, "=> pam_passthruauth_init\n" );
+ slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &pam_passthruauth_plugin_identity);
+ PR_ASSERT (pam_passthruauth_plugin_identity);
+
 if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, (void *)SLAPI_PLUGIN_VERSION_01 ) != 0 || slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION,
diff --git a/ldap/servers/slapd/back-ldbm/instance.c b/ldap/servers/slapd/back-ldbm/instance.c
index b9fc8838..1e02ac4d 100644
--- a/ldap/servers/slapd/back-ldbm/instance.c
+++ b/ldap/servers/slapd/back-ldbm/instance.c
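Review bot: In the pam_ptpreop.c hunk the plugin identity is only guarded by `PR_ASSERT`, which compiles away in non-debug builds, and the return value of `slapi_pblock_get` is not checked; a NULL identity would therefore survive init and the ENTRY method's internal search — the very thing this commit is fixing — would fail later with nothing in the log pointing at the cause. Make the check explicit and fail init, returning the same failure value the slapi_pblock_set() branch below uses (which is outside the hunk, so -1 is assumed here). The rest of pam_passthruauth_init continues past the end of the hunk.
```c
    slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &pam_passthruauth_plugin_identity);
    if (!pam_passthruauth_plugin_identity) {
        slapi_log_error( SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
                         "<= pam_passthruauth_init: plugin identity not set\n" );
        return -1;
    }
    /* … unchanged: slapi_pblock_set() registration of version/description … */
```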
@@ -278,6 +278,7 @@ ldbm_instance_startall(struct ldbminfo *li)
 rc = rc1;
 } else {
 vlv_init(inst);
+ slapi_mtn_be_started(inst->inst_be);
 }
 inst_obj = objset_next_obj(li->li_instance_set, inst_obj);
 }
diff --git a/ldap/servers/slapd/backend_manager.c b/ldap/servers/slapd/backend_manager.c
index 5ae39b81..b8af0eb6 100644
--- a/ldap/servers/slapd/backend_manager.c
+++ b/ldap/servers/slapd/backend_manager.c
@@ -80,6 +80,10 @@ slapi_be_new( const char *type, const char *name, int isprivate, int logchanges
 backends[i] = be;
 nbackends++;
+
+ slapi_log_error(SLAPI_LOG_TRACE, "slapi_be_new",
+ "Added new backend name [%s] type [%s] nbackends [%d]\n",
+ name, type, nbackends);
 return( be );
 }
diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
index 5667b0b4..3947dd60 100644
--- a/ldap/servers/slapd/mapping_tree.c
+++ b/ldap/servers/slapd/mapping_tree.c
@@ -324,6 +324,12 @@ mapping_tree_node_new(Slapi_DN *dn, Slapi_Backend **be, char **backend_names, in
 node->mtn_dstr_plg_name = plg_fct;
 node->mtn_dstr_plg = plg;
+ slapi_log_error(SLAPI_LOG_TRACE, "mapping_tree",
+ "Created new mapping tree node for suffix [%s] backend [%s] [%p]\n",
+ slapi_sdn_get_dn(dn),
+ backend_names && backend_names[0] ? backend_names[0] : "null",
+ be ? be[0] : NULL);
+
 return node;
 } |
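Review bot: The new `slapi_mtn_be_started(inst->inst_be);` call in instance.c carries no explanation, and its placement next to `vlv_init(inst)` gives no hint that it exists to satisfy a lookup elsewhere; a reader will not know why removing it breaks slapi_be_exist(). Add a comment above it such as `/* Notify the mapping tree that this backend is up, so slapi_be_exist()/slapi_be_select() can resolve it without a lazy lookup (bug 232377) */`. The enclosing loop in ldbm_instance_startall begins before the hunk.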
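Review bot: In the mapping_tree.c hunk, the `%p` argument is `be ? be[0] : NULL`, a `Slapi_Backend *`, where the format expects a `void *`; pass it through a cast, `(void *)(be ? be[0] : NULL)`, to keep the varargs call well-defined. The `%s` for `slapi_sdn_get_dn(dn)` is fine only if that accessor never yields NULL for the DNs this constructor receives — please confirm, since a NULL there would be undefined for the formatter. For readability, parenthesising the ternary on the `backend_names` line, `(backend_names && backend_names[0]) ? backend_names[0] : "null"`, makes the intended precedence explicit.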