[Fedora-directory-users] Securing the Pam Passthru plugin

Richard Megginson rmeggins at redhat.com
Thu May 25 14:34:08 UTC 2006


Paul Engle wrote:
> Hello all,
>
> I've installed and configured the pam passthru plugin so that we can do 
> simple binds without having to store passwords in the directory. It's 
> working, but I can't seem to get the pamSecure attribute to take effect. My 
> entry in dse.ldif for the plugin is:
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: pamConfig
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: o=NetscapeRoot
> pamExcludeSuffix: cn=config
> pamMapMethod: RDN
> pamFallback: FALSE
> pamSecure: TRUE
>   
Looks like these two fields are not expecting a boolean value, rather an 
integer value.  So, use 1 instead of TRUE and 0 instead of FALSE.
> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.0.2
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
>
> That's pretty much a cut & paste from the README that comes with the plugin 
> source. Docs are sketchy, but I thought that pamSecure was supposed to 
> prevent a non-SSL connection from being able to do the passthru bind? Even 
> though I have it set to true, I can bind to port 389 of my server with no 
> error. Obviously, that's not acceptable. Am I misunderstanding the purpose 
> of this attribute? If so, is there any other way to enforce TLS for simple 
> binds?
>
> Also, is there any plan to include this plugin in the default build of FDS? 
> It's included with the source, but it's commented out of the Makefile, at 
> least for version 1.0.2.
>   
No plans yet.  We're still trying to evaluate the general usefulness of 
it as well as its testability.
> Thanks,
>   -paul
>
> -- 
> Paul D. Engle                | Rice University
> Sr. Systems Administrator    | Information Technology - MS119
> (713) 348-4702               | P.O. Box 1892
> pengle at rice.edu              | Houston, TX 77251-1892
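An added example, not code from this thread or from the plugin itself: a small Python lint that parses the PAM Pass Through Auth entry from dse.ldif and reports pamSecure/pamFallback values that are not in the integer 1/0 form Richard recommends, plus a helper that rewrites them. The sample entry is constructed from the one quoted above; the function names are assumptions.

```python
import re

# Constructed sample: the entry as posted in the thread, trimmed to the lines that matter.
SAMPLE_DSE = """\
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
cn: PAM Pass Through Auth
nsslapd-pluginEnabled: on
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
"""

# Per the reply, these two take an integer (1/0), not a boolean keyword.
INTEGER_ATTRS = ("pamSecure", "pamFallback")

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}, folding continuation lines."""
    unfolded = re.sub(r"\n ", "", text)  # LDIF folds long lines with a leading space
    attrs = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def lint_pam_passthru(text):
    """Return findings for the plugin entry; an empty list means it looks sound."""
    attrs = parse_ldif_entry(text)
    findings = []
    for attr in INTEGER_ATTRS:
        for value in attrs.get(attr, []):
            if value not in ("0", "1"):
                findings.append(f"{attr}: {value!r} is not an integer; use 1 or 0")
    # The symptom in the thread: pamSecure not read as 1, so plain binds on 389 succeed.
    if attrs.get("pamSecure") != ["1"]:
        findings.append("pamSecure is not 1: pass-through binds are not limited to secure connections")
    return findings

def fix_booleans(text):
    """Rewrite TRUE/FALSE on the integer-valued attributes to 1/0 (hypothetical helper)."""
    mapping = {"TRUE": "1", "FALSE": "0"}
    return re.sub(r"^(pamSecure|pamFallback): (TRUE|FALSE)$",
                  lambda m: f"{m.group(1)}: {mapping[m.group(2)]}", text, flags=re.M)
```

Run `lint_pam_passthru(SAMPLE_DSE)` to see the three findings for the entry as posted, and `lint_pam_passthru(fix_booleans(SAMPLE_DSE))` to confirm the rewritten entry passes.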