Re: isn't pam_ldap inherently insecure?
On Wednesday, 9. January 2002 06:13, Prasad A. Chodavarapu wrote:
> pam_ldap seems to require 'read' access to the whole entry; i found this
> out thru openldap's debug trace. After successfully searching for an
> 'uid' (along with any filters set, e.g. objectClass=posixAccount),
> pam_ldap seems to attempt a 'read' of the entire 'entry' without
> rebinding to the DN of the user being authenticated. It thus requires
> 'read' privileges on all user accounts (in violation of the 'shadow'
> principles). There are two insecure ways out -
> a) grant read permissions on the entire user tree to 'anonymous' users!
> b) ask pam_ldap to bind as a special user who's granted 'read' on the
> entire user tree. This is insecure as well, as the special user's DN and
> password have to be stored in clear text in /etc/ldap.conf, a world
> readable file (pam runs with the privileges of the user being
> authenticated). Thus, you can't even get security by obscurity.
> What's a good way out or am I missing something?
I haven't looked into the pam_ldap code (I would guess that's a question for
some other list...), but I rather doubt that there is a problem. If you got
the entry from the slapd logs, it means that pam_ldap requires anonymous read
access to the pseudoattribute 'entry'. That is indeed the case: if you can't
anonymously read entry, you can't anonymously access anything in the object;
however, access to the entry pseudoattribute gives you only access to the
object itself, but not to any of the attributes. I would guess that to make
pam_ldap work, you would at least need anonymous read access to the
pseudoattribute entry and the attribute uid, and auth access to the attribute
userPassword. You may also need some access to the objectClass attribute; I'm
not sure about this.
You definitely should not need read access to the userPassword attribute (and
that's more or less what the shadow thing is about...)
Stephan Siano
SuSE Linux Solutions AG
Mergenthalerallee 45-47
Mail: Stephan.Siano@suse.de
Phone: 06196 50951 31
Fax: 06196 409607
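To make the reply's ACL advice concrete, here is an added slapd.conf example (not from the thread or from pam_ldap itself): the weak "read everything" rule the question describes next to a hardened set that grants anonymous read only on entry, uid and objectClass and auth-only access to userPassword. The suffix ou=People,dc=example,dc=com is an assumed placeholder. slapd evaluates access directives first-match, so the more specific userPassword rule must come before the catch-all.

```conf
# --- Weak (what the question describes): every attribute of every user
# entry, userPassword included, is readable by anyone who can search.
# Assumed suffix: ou=People,dc=example,dc=com
#access to dn.subtree="ou=People,dc=example,dc=com"
#        by * read

# --- Hardened (what the reply describes) ---

# userPassword: "auth" lets a simple bind compare the password, but the value
# never appears in a search result. No shared reader account is needed, so
# nothing has to be stored in clear text in /etc/ldap.conf.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# entry (pseudo-attribute), uid and objectClass: the minimum pam_ldap needs
# to locate a DN anonymously with a filter such as
# (&(uid=alice)(objectClass=posixAccount)).
access to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,uid,objectClass
        by * read

# Everything else in a user entry stays hidden from anonymous clients.
# Assumption: authenticated users may read other users' non-secret attributes.
access to dn.subtree="ou=People,dc=example,dc=com"
        by self read
        by users read
        by * none
```

A quick check after restarting slapd: `ldapsearch -x -b "ou=People,dc=example,dc=com" "(uid=alice)" userPassword` should return the DN but no userPassword value, while `ldapwhoami -x -D "uid=alice,ou=People,dc=example,dc=com" -W` should still succeed with the correct password.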