[tac_plus] pam_ldap accepting blank passwords

Lee, Raymond Raymond.Lee at qwest.com
Thu Jun 9 21:48:29 UTC 2011 

Hi,

Anyone out there running tac_plus on Ubuntu with pam_ldap?  I installed libnss-ldapd, libpam-ldapd, nscd, and nslcd.

Things seem to be working OK for the most part:
- I can authenticate against our LDAP server when I give a valid LDAP username and password.
- I get denied access as expected if I give a valid LDAP username but a bad password.
- I get denied access as expected if I give an invalid LDAP username.

However, if I give a valid LDAP username and a blank password, it lets me in -- not good!  Seems like the LDAP server is accepting this as an anonymous bind.


My /etc/pam.d/tac_plus looks like this:

        auth    required        pam_ldap.so
        account required        pam_ldap.so



My /etc/nslcd.conf looks like this:

        # /etc/nslcd.conf
        # nslcd configuration file. See nslcd.conf(5)
        # for details.

        # The user and group nslcd should run as.
        uid nslcd
        gid nslcd

        # The location at which the LDAP server(s) should be reachable.
        uri ldaps://10.1.2.3:1636 ldaps://10.2.3.4:1636

        # The search base that will be used for all queries.
        base ou=People,dc=mnet,dc=qintra,dc=com

        filter passwd (objectclass=mnetperson)

        # The LDAP protocol version to use.
        #ldap_version 3

        # The DN to bind with for normal lookups.
        binddn uid=proxyuser,ou=people,dc=mnet,dc=qintra,dc=com
        bindpw ***********

        # SSL options
        #ssl off
        tls_reqcert never

        # The search scope.
        #scope sub



When I run 'nslcd -d' for debugging and try to authenticate with a blank password, I see this:


nslcd: [e87ccd] DEBUG: connection from pid=18477 uid=0 gid=0
nslcd: [e87ccd] DEBUG: nslcd_pam_authc("leeraym","","tac_plus","")
nslcd: [e87ccd] DEBUG: myldap_search(base="ou=People,dc=mnet,dc=qintra,dc=com", filter="(&(objectclass=mnetperson)(uid=leeraym))")
nslcd: [e87ccd] ldap_result() failed: Can't contact LDAP server
nslcd: [e87ccd] DEBUG: ldap_abandon()
nslcd: [e87ccd] DEBUG: ldap_unbind()
nslcd: [e87ccd] DEBUG: myldap_get_entry(): retry search
nslcd: [e87ccd] DEBUG: ldap_initialize(ldaps://10.1.2.3:1636)
nslcd: [e87ccd] DEBUG: ldap_set_rebind_proc()
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [e87ccd] DEBUG: ldap_simple_bind_s("uid=proxyuser,ou=people,dc=mnet,dc=qintra,dc=com","*****") (uri="ldaps://10.1.2.3:1636")
nslcd: [e87ccd] connected to LDAP server ldaps://10.1.2.3:1636
nslcd: [e87ccd] DEBUG: ldap_initialize(ldaps://10.1.2.3:1636)
nslcd: [e87ccd] DEBUG: ldap_set_rebind_proc()
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [e87ccd] DEBUG: ldap_simple_bind_s("uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com",empty) (uri="ldaps://10.1.2.3:1636")
nslcd: [e87ccd] connected to LDAP server ldaps://10.1.5.7:1636
nslcd: [e87ccd] DEBUG: myldap_search(base="uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com", filter="(objectclass=mnetperson)")
nslcd: [e87ccd] DEBUG: ldap_result(): end of results
nslcd: [e87ccd] DEBUG: ldap_unbind()
nslcd: [1b58ba] DEBUG: connection from pid=18477 uid=0 gid=0
nslcd: [1b58ba] DEBUG: nslcd_pam_authz("leeraym","uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com","tac_plus","","","")



The last few lines of the debug look slightly different when I login using a valid username and password:

<snip>
nslcd: [7ed7ab] DEBUG: ldap_simple_bind_s("uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com","*****") (uri="ldaps://10.1.2.3:1636")
nslcd: [7ed7ab] connected to LDAP server ldaps://10.1.2.3:1636
nslcd: [7ed7ab] DEBUG: myldap_search(base="uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com", filter="(objectclass=mnetperson)")
nslcd: [7ed7ab] DEBUG: ldap_unbind()
nslcd: [b141f2] DEBUG: connection from pid=18484 uid=0 gid=0
nslcd: [b141f2] DEBUG: nslcd_pam_authz("leeraym","uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com","tac_plus","","","")



Has anyone run into this behavior before?  Maybe I could resolve this if I had something above pam_ldap in my PAM stack that would check to make sure the password isn't blank?

Thanks,
Ray

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.

More information about the tac_plus mailing list