Securing the Pam Passthru plugin

Hello all,

I've installed and configured the pam passthru plugin so that we can do 
simple binds without having to store passwords in the directory. It's 
working, but I can't seem to get the pamSecure attribute to take effect. My 
entry in dse.ldif for the plugin is:

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.0.2
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: PAM pass through authentication plugin

That's pretty much a cut & paste from the README that comes with the plugin 
source. Docs are sketchy, but I thought that pamSecure was supposed to 
prevent a non-SSL connection from being able to do the passthru bind? Even 
though I have it set to true, I can bind to port 389 of my server with no 
error. Obviously, that's not acceptable. Am I misunderstanding the purpose 
of this attribute? If so, is there any other way to enforce TLS for simple 
binds?

Also, is there any plan to include this plugin in the default build of FDS? 
It's included with the source, but it's commented out of the Makefile, at 
least for version 1.0.2.

Thanks,
  -paul

-- 
Paul D. Engle                | Rice University
Sr. Systems Administrator    | Information Technology - MS119
(713) 348-4702               | P.O. Box 1892
pengle@xxxxxxxx              | Houston, TX 77251-1892

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
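To verify whether a server really refuses a cleartext simple bind on port 389 (the behaviour the poster expected pamSecure to enforce), here is an added example that is not part of the original message or of the plugin: a stdlib-only Python probe that hand-encodes an LDAPv3 simple BindRequest, sends it without TLS and returns the LDAP result code. Host, port, bind DN and password are parameters the caller supplies for a directory they administer; the BindResponse bytes used to check the parser are constructed.

```python
"""Probe a directory server for cleartext simple binds (stdlib only)."""
import socket

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """BER-encode an LDAPv3 BindRequest with simple authentication.
    msg_id is assumed to be below 128 so it fits one INTEGER byte."""
    op = tlv(0x02, bytes([3]))            # version INTEGER 3
    op += tlv(0x04, dn.encode())          # name LDAPDN
    op += tlv(0x80, password.encode())    # authentication: simple [0]
    bind = tlv(0x60, op)                  # [APPLICATION 0] BindRequest
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)  # LDAPMessage

def read_tlv(buf: bytes, pos: int, want: int):
    """Return (value, next_pos) of the TLV at pos; check its tag."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return buf[pos:pos + length], pos + length

def parse_result_code(resp: bytes) -> int:
    """Extract resultCode from a BindResponse LDAPMessage."""
    msg, _ = read_tlv(resp, 0, 0x30)      # LDAPMessage SEQUENCE
    _, pos = read_tlv(msg, 0, 0x02)       # messageID INTEGER
    op, _ = read_tlv(msg, pos, 0x61)      # [APPLICATION 1] BindResponse
    code, _ = read_tlv(op, 0, 0x0A)       # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def cleartext_bind_result(host: str, port: int, dn: str, password: str) -> int:
    """Send one simple bind with no TLS and return the LDAP result code:
    0 = success (cleartext bind accepted), 13 = confidentialityRequired
    (server refused), 49 = invalidCredentials (password was checked, so the
    cleartext bind still reached the authentication backend)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(bind_request(1, dn, password))
        return parse_result_code(sock.recv(4096))
```

Call cleartext_bind_result("ldap.example.org", 389, "uid=test,dc=example,dc=org", password) against a test account; anything other than 13 means the cleartext bind was processed, which is the condition the poster observed.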
