Paul Engle wrote:
> Hello all,
>
> I've installed and configured the pam passthru plugin so that we can do
> simple binds without having to store passwords in the directory. It's
> working, but I can't seem to get the pamSecure attribute to take effect. My
> entry in dse.ldif for the plugin is:
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: pamConfig
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: o=NetscapeRoot
> pamExcludeSuffix: cn=config
> pamMapMethod: RDN
> pamFallback: FALSE
> pamSecure: TRUE
>
Looks like these two fields are not expecting a boolean value, rather an integer value. So, use 1 instead of TRUE and 0 instead of FALSE.

> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.0.2
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
>
> That's pretty much a cut & paste from the README that comes with the plugin
> source. Docs are sketchy, but I thought that pamSecure was supposed to
> prevent a non-SSL connection from being able to do the passthru bind? Even
> though I have it set to true, I can bind to port 389 of my server with no
> error. Obviously, that's not acceptable. Am I misunderstanding the purpose
> of this attribute? If so, is there any other way to enforce TLS for simple
> binds?
>
> Also, is there any plan to include this plugin in the default build of FDS?
> It's included with the source, but it's commented out of the Makefile, at
> least for version 1.0.2.
>
No plans yet. We're still trying to evaluate the general usefulness of it as well as its testability.

> Thanks,
> -paul
>
> --
> Paul D. Engle | Rice University
> Sr. Systems Administrator | Information Technology - MS119
> (713) 348-4702 | P.O. Box 1892
> pengle at rice.edu | Houston, TX 77251-1892
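
A small lint for the plugin entry discussed in this thread, added here as an example and not part of either message or of the plugin source: it parses the entry from dse.ldif and flags pamFallback/pamSecure values that are not 0 or 1, as the reply advises. The sample entry is abridged from the question, and the function names are hypothetical.

```python
import re

# Attributes the reply in this thread says take 0/1 rather than TRUE/FALSE.
INT_FLAGS = ("pamfallback", "pamsecure")

# Constructed sample: the plugin entry from the question, abridged.
SAMPLE_LDIF = """\
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginEnabled: on
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
"""

def parse_entry(ldif_text):
    """Parse one LDIF entry into {lowercased attr: [values]}."""
    # LDIF folds long lines as newline + one leading space; unfold first.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if sep:
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_pam_flags(entry):
    """Return findings for the pamSecure/pamFallback settings of one entry."""
    findings = []
    for attr in INT_FLAGS:
        values = entry.get(attr, [])
        if not values:
            findings.append(f"{attr}: not set")
        for v in values:
            if v not in ("0", "1"):
                findings.append(f"{attr}: {v!r} is not 0 or 1")
    if entry.get("pamsecure") == ["0"]:
        # Assumption taken from the question: pamSecure gates non-SSL binds.
        findings.append("pamsecure is 0: the SSL requirement is switched off")
    return findings

if __name__ == "__main__":
    for finding in check_pam_flags(parse_entry(SAMPLE_LDIF)):
        print(finding)
```

A clean lint result only covers the stored configuration; repeating the simple bind against port 389 after restarting the server, as the question describes, is still the test of whether the setting is enforced.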