Re: Securing the Pam Passthru plugin

Paul Engle wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all,

I've installed and configured the pam passthru plugin so that we can do simple binds without having to store passwords in the directory. It's working, but I can't seem to get the pamSecure attribute to take effect. My entry in dse.ldif for the plugin is:

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE

Looks like these two fields are not expecting a boolean value but rather an integer value. So, use 1 instead of TRUE and 0 instead of FALSE.

pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.0.2
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: PAM pass through authentication plugin

That's pretty much a cut & paste from the README that comes with the plugin source. Docs are sketchy, but I thought that pamSecure was supposed to prevent a non-SSL connection from being able to do the passthru bind? Even though I have it set to true, I can bind to port 389 of my server with no error. Obviously, that's not acceptable. Am I misunderstanding the purpose of this attribute? If so, is there any other way to enforce TLS for simple binds?

Also, is there any plan to include this plugin in the default build of FDS? It's included with the source, but it's commented out of the Makefile, at least for version 1.0.2.

No plans yet. We're still trying to evaluate the general usefulness of it as well as its testability.

Thanks,
  -paul

-- Paul D. Engle             | Rice University
Sr. Systems Administrator    | Information Technology - MS119
(713) 348-4702               | P.O. Box 1892
pengle@xxxxxxxx              | Houston, TX 77251-1892
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEdbxkCpkISWtyHNsRApDyAKDoSSB0omRek5XhAdbsBJJ+ioP8DgCfWRsG
LClbobetOFgcM/U8gBFoOyQ=
=tgjh
-----END PGP SIGNATURE-----

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
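The reply above says that pamSecure and pamFallback take the integer values 1 and 0 rather than TRUE and FALSE. As an added example (not code from the thread, from Fedora Directory Server or from the plugin), here is a small Python lint that parses a dse.ldif, picks out entries carrying objectClass pamConfig, flags those two attributes when they hold TRUE/FALSE, and rewrites them to 1/0. The sample LDIF is constructed to mirror the entry Paul posted; the list of integer-valued attributes and the 1/0 expectation are assumptions taken from the reply. The lint says nothing about what pamSecure enforces at runtime: the check Paul described, a simple bind on port 389 without TLS, is still the way to confirm the behaviour after the change.

```python
"""Lint a dse.ldif for PAM pass-through attributes written as TRUE/FALSE.

Added example, not part of the original thread or the plugin's code.
Assumption (from the reply in the thread): pamSecure and pamFallback
expect the integers 1/0, not the booleans TRUE/FALSE.
"""

INT_BOOL_ATTRS = ("pamsecure", "pamfallback")   # assumed to take 1/0
PAM_OBJECTCLASS = "pamconfig"

# Constructed sample: an unrelated entry, then the plugin entry as posted
# in the thread (trimmed), with one folded continuation line at the end.
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
nsslapd-port: 389

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
nsslapd-pluginEnabled: on
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
nsslapd-pluginDescription: PAM pass through authentication
  plugin
"""


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, continuation lines beginning with one space, '#' comments.
    Returns a list of (dn, [(attr, value), ...])."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:        # sentinel flushes last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                # fold continuation line
        elif raw.strip() == "":
            if lines:
                entries.append(_entry_from_lines(lines))
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries


def _entry_from_lines(lines):
    dn, attrs = None, []
    for line in lines:
        name, sep, value = line.partition(":")  # first colon only; dn has more
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return dn, attrs


def lint_pam_entry(dn, attrs):
    """Findings for one pamConfig entry; empty list when the entry is clean."""
    findings = []
    for name, value in attrs:
        if name.lower() not in INT_BOOL_ATTRS:
            continue
        upper = value.upper()
        if upper in ("TRUE", "FALSE"):
            fix = "1" if upper == "TRUE" else "0"
            findings.append(f"{dn}: {name}: {value} is a boolean; use {fix}")
        elif value not in ("0", "1"):
            findings.append(f"{dn}: {name}: {value} is neither 0 nor 1")
    return findings


def lint_ldif(text):
    """Run the lint over every entry whose objectClass includes pamConfig."""
    findings = []
    for dn, attrs in parse_ldif(text):
        classes = {v.lower() for n, v in attrs if n.lower() == "objectclass"}
        if PAM_OBJECTCLASS in classes:
            findings.extend(lint_pam_entry(dn, attrs))
    return findings


def fix_ldif(text):
    """Rewrite TRUE/FALSE on the integer-valued attributes to 1/0; every
    other line, including folding and ordering, is left untouched."""
    out = []
    for raw in text.splitlines():
        name, sep, value = raw.partition(":")
        if sep and name.strip().lower() in INT_BOOL_ATTRS:
            v = value.strip().upper()
            if v in ("TRUE", "FALSE"):
                raw = f"{name}: {'1' if v == 'TRUE' else '0'}"
        out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for finding in lint_ldif(SAMPLE_DSE_LDIF):
        print(finding)
    assert lint_ldif(fix_ldif(SAMPLE_DSE_LDIF)) == []
```

Run it against a copy of dse.ldif (the server should be stopped before editing that file), then confirm the effect the way Paul did: attempt a simple bind against port 389 without TLS and check whether it is now refused.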
