[tac_plus] pam_ldap accepting blank passwords

Lee, Raymond Raymond.Lee at qwest.com
Fri Jun 10 18:00:30 UTC 2011


Many thanks to Greg Newton for this solution:

<quote>
Hi Raymond,
I had this very problem on Maverick. The version of nslcd in the repos
has a bug that allows this behaviour. Later versions (I think the
problem got sorted in 0.7.8ish) sort out the problem. I now pull nslcd
from launchpad (currently v0.7.13):
https://launchpad.net/ubuntu/+source/nss-pam-ldapd/

I've done this in our small lab and had no issues whatsoever.
Cheers,
Greg
</quote>


> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-
> bounces at shrubbery.net] On Behalf Of Lee, Raymond
> Sent: Thursday, June 09, 2011 5:48 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] pam_ldap accepting blank passwords
>
> Hi,
>
> Anyone out there running tac_plus on Ubuntu with pam_ldap?  I installed
> libnss-ldapd, libpam-ldapd, nscd, and nslcd.
>
> Things seem to be working OK for the most part:
> - I can authenticate against our LDAP server when I give a valid LDAP
> username and password.
> - I get denied access as expected if I give a valid LDAP username but a
> bad password.
> - I get denied access as expected if I give an invalid LDAP username.
>
> However, if I give a valid LDAP username and a blank password, it lets
> me in -- not good!  Seems like the LDAP server is accepting this as an
> anonymous bind.
>
>
> My /etc/pam.d/tac_plus looks like this:
>
>         auth    required        pam_ldap.so
>         account required        pam_ldap.so
>
>
>
> My /etc/nslcd.conf looks like this:
>
>         # /etc/nslcd.conf
>         # nslcd configuration file. See nslcd.conf(5)
>         # for details.
>
>         # The user and group nslcd should run as.
>         uid nslcd
>         gid nslcd
>
>         # The location at which the LDAP server(s) should be reachable.
>         uri ldaps://10.1.2.3:1636 ldaps://10.2.3.4:1636
>
>         # The search base that will be used for all queries.
>         base ou=People,dc=mnet,dc=qintra,dc=com
>
>         filter passwd (objectclass=mnetperson)
>
>         # The LDAP protocol version to use.
>         #ldap_version 3
>
>         # The DN to bind with for normal lookups.
>         binddn uid=proxyuser,ou=people,dc=mnet,dc=qintra,dc=com
>         bindpw ***********
>
>         # SSL options
>         #ssl off
>         tls_reqcert never
>
>         # The search scope.
>         #scope sub
>
>
>
> When I run 'nslcd -d' for debugging and try to authenticate with a
> blank password, I see this:
>
>
> nslcd: [e87ccd] DEBUG: connection from pid=18477 uid=0 gid=0
> nslcd: [e87ccd] DEBUG: nslcd_pam_authc("leeraym","","tac_plus","")
> nslcd: [e87ccd] DEBUG:
> myldap_search(base="ou=People,dc=mnet,dc=qintra,dc=com",
> filter="(&(objectclass=mnetperson)(uid=leeraym))")
> nslcd: [e87ccd] ldap_result() failed: Can't contact LDAP server
> nslcd: [e87ccd] DEBUG: ldap_abandon()
> nslcd: [e87ccd] DEBUG: ldap_unbind()
> nslcd: [e87ccd] DEBUG: myldap_get_entry(): retry search
> nslcd: [e87ccd] DEBUG: ldap_initialize(ldaps://10.1.2.3:1636)
> nslcd: [e87ccd] DEBUG: ldap_set_rebind_proc()
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [e87ccd] DEBUG:
> ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
> nslcd: [e87ccd] DEBUG:
> ldap_simple_bind_s("uid=proxyuser,ou=people,dc=mnet,dc=qintra,dc=com","
> *****") (uri="ldaps://10.1.2.3:1636")
> nslcd: [e87ccd] connected to LDAP server ldaps://10.1.2.3:1636
> nslcd: [e87ccd] DEBUG: ldap_initialize(ldaps://10.1.2.3:1636)
> nslcd: [e87ccd] DEBUG: ldap_set_rebind_proc()
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [e87ccd] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [e87ccd] DEBUG:
> ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
> nslcd: [e87ccd] DEBUG:
> ldap_simple_bind_s("uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com",emp
> ty) (uri="ldaps://10.1.2.3:1636")
> nslcd: [e87ccd] connected to LDAP server ldaps://10.1.5.7:1636
> nslcd: [e87ccd] DEBUG:
> myldap_search(base="uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com",
> filter="(objectclass=mnetperson)")
> nslcd: [e87ccd] DEBUG: ldap_result(): end of results
> nslcd: [e87ccd] DEBUG: ldap_unbind()
> nslcd: [1b58ba] DEBUG: connection from pid=18477 uid=0 gid=0
> nslcd: [1b58ba] DEBUG:
> nslcd_pam_authz("leeraym","uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=c
> om","tac_plus","","","")
>
>
>
> The last few lines of the debug look slightly different when I login
> using a valid username and password:
>
> <snip>
> nslcd: [7ed7ab] DEBUG:
> ldap_simple_bind_s("uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com","**
> ***") (uri="ldaps://10.1.2.3:1636")
> nslcd: [7ed7ab] connected to LDAP server ldaps://10.1.2.3:1636
> nslcd: [7ed7ab] DEBUG:
> myldap_search(base="uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com",
> filter="(objectclass=mnetperson)")
> nslcd: [7ed7ab] DEBUG: ldap_unbind()
> nslcd: [b141f2] DEBUG: connection from pid=18484 uid=0 gid=0
> nslcd: [b141f2] DEBUG:
> nslcd_pam_authz("leeraym","uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=c
> om","tac_plus","","","")
>
>
>
> Has anyone run into this behavior before?  Maybe I could resolve this
> if I had something above pam_ldap in my PAM stack that would check to
> make sure the password isn't blank?
>
> Thanks,
> Ray
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

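The behaviour Ray's debug log shows (a simple bind with the user's DN and an empty password that the server answers as an anonymous bind) next to the client-side check that later nslcd versions apply, as an added example that is not code from this thread or from nslcd itself: the LDAP server is a constructed mock following RFC 4513 section 5.1.2, the user DN is the one from the log above, and the password is constructed.

```python
"""Why a blank password "authenticates" against LDAP, and the client-side
check that closes the hole. The server below is a constructed mock of RFC 4513
section 5.1.2 (a Bind with a name and an empty password is an "unauthenticated"
bind that succeeds with anonymous rights); it is not nslcd or slapd code."""

from dataclasses import dataclass


class LdapBindError(Exception):
    """Stands in for LDAP resultCode 49 (invalidCredentials)."""


@dataclass
class MockLdapServer:
    """Constructed directory: DN -> password, plus the server-side switch
    that decides whether unauthenticated binds are accepted at all."""
    passwords: dict
    allow_unauthenticated: bool = True

    def simple_bind(self, dn: str, password: str) -> str:
        """Return the authorization identity the bind established."""
        if password == "":
            # RFC 4513 5.1.2: name + empty password => anonymous, not an
            # error, unless the server refuses unauthenticated binds.
            if self.allow_unauthenticated:
                return "anonymous"
            raise LdapBindError("unauthenticated bind disallowed")
        if self.passwords.get(dn) == password:
            return dn
        raise LdapBindError("invalid credentials")


def pam_authc_vulnerable(server, dn, password):
    """Old behaviour from the thread: any bind that does not error is a pass."""
    try:
        server.simple_bind(dn, password)
        return True
    except LdapBindError:
        return False


def pam_authc_fixed(server, dn, password):
    """Refuse empty passwords before binding, and require that the bind
    authenticated as the user's own DN rather than anonymously."""
    if password == "":
        return False
    try:
        return server.simple_bind(dn, password) == dn
    except LdapBindError:
        return False


USER_DN = "uid=leeraym,ou=People,dc=mnet,dc=qintra,dc=com"  # DN from the log
DIRECTORY = MockLdapServer({USER_DN: "correct-horse"})       # constructed password
```

The `allow_unauthenticated=False` path is the server-side fix; the client-side check is still worth having because the PAM stack should not depend on every directory it talks to being configured that way.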

