[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: isn't pam_ldap inherently insecure?

On Wednesday, 9. January 2002 06:13, Prasad A. Chodavarapu wrote:
> pam_ldap seems to require 'read' access to the whole entry; i found this
> out thru openldap's debug trace. After successfully searching for an
> 'uid' (along with any filters set, e.g. objectClass=posixAccount),
> pam_ldap seems to attempt a 'read' of the entire 'entry' without
> rebinding to the DN of the user being authenticated. It thus requires
> 'read' privileges on all user accounts (in violation of the 'shadow'
> principles). There are two insecure ways out -
> a)grant read permissions on the entire user tree to 'anonymous' users!
> or
> b)ask pam_ldap to bind as a special user who's granted 'read' on the
> entire user tree. This is insecure as well as the special user's DN and
> password has to be stored in clear text in /etc/ldap.conf, a world
> readable file (pam runs with the privileges of the user bring
> autheticated). Thus, you can't even get security by obscurity.
> What's a good way out or am I missing something?

I haven't looked into the pam_ldap-code (I would guess that's a question to 
some other list...), but I rather doubt that there is a problem. If you got 
the entry from the slap-logs it means that pam_ldap requires anonymous read 
access to the pseudoattribute 'entry'. That is ideed the case, if you can't 
anonymously read entry, you can't anonymously access anything in the object, 
however access to the entry pseudoattribute gives you only access to the 
object itself, but not to any of the attributes. I would guess to make 
pam_ldap work, you would at least need anonymous read access to the 
pseudoattribute entry and the attribute uid and auth access to the attribute 
userPassword. You may also need some access to the ObjectClass attribute, I'm 
not sure about this.

You definetly should not need read access to the userPassword attribute (and 
that's less or more what the shadow thing is about...)


Stephan Siano

Stephan Siano                           Mail:  Stephan.Siano@suse.de
SuSE Linux Solutions AG                 Phone: 06196 50951 31
Mergenthalerallee 45-47			Fax:   06196 409607
D-65760 Eschborn