Your message dated Thu, 10 Mar 2011 23:18:58 +0000
with message-id <[email protected]>
and subject line Bug#610925: fixed in nss-pam-ldapd 0.8.1
has caused the Debian Bug report #610925,
regarding nslcd: please clarify the meaning of the $hostname variable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
610925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610925
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nslcd
Version: 0.7.13
Severity: normal
Hi there!
This bug is a (sort of) follow-up for #610888 (thank you Arthur for the
quick reply).
According to the nslcd.conf manpage [1], the pam_check_host_attr option
in PADL's pam_ldap can be emulated with the following filter for
pam_authz_search:
(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(!(host=*))))
[1] <http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#pam_authz_search>
However, the result is not the same as with the default behavior of
pam_check_host_attr, at least for 2 reasons:
1) 'host=*' is not honoured
I am not an LDAP expert and I could not find any documentation
(authoritative or not) about the accepted values for this LDAP
attribute, so I do not know who is at fault here.
FWIW, the Debian wiki publicises 'host=*' as a valid entry in the
"Allowing logins on a per-host basis" section at
<http://wiki.debian.org/LDAP/PAM>.
After having tested with `ldapsearch -x`, I ended up with
(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=\*)))
However, this seems not to work and nslcd translates it as:
myldap_search(base="dc=pca,dc=it", \
filter="(&(objectClass=posixAccount)(uid=$username)\
(|(host=$hostname)(host=*)))")
As you can see, nslcd removes the escape and the correct result is
obtained with a double escape in nslcd.conf:
(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=\\*)))
I could not find any documentation about escaping in the
pam_authz_search filter...
2) the variable $hostname contains the value of `hostname` and not the
FQDN like with PADL's pam_ldap, thus a tricky filter must be used:
(&(objectClass=posixAccount)(uid=$username)\
(|(host=$hostname)(host=$hostname.$DOMAIN)(!(host=*))))
Again, the major problem resides in the definition of the LDAP 'host'
attribute, i.e. whether FQDNs *must* be used or not.
BTW, I was expecting any PAM-related output to be in /var/log/auth.log,
until I realized that nslcd logs to /var/log/syslog.
Thx, bye,
Gismo / Luca
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.36-rc6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages nslcd depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf [debconf-2.0] 1.5.38 Debian configuration management sy
ii libc6 2.11.2-9 Embedded GNU C Library: Shared lib
ii libgssapi-krb5-2 1.8.3+dfsg-4 MIT Kerberos runtime libraries - k
ii libldap-2.4-2 2.4.23-7 OpenLDAP libraries
Versions of packages nslcd recommends:
ii libnss-ldapd [libnss-ldap] 0.7.13 NSS module for using LDAP as a nam
ii libpam-ldapd [libpam-ldap] 0.7.13 PAM module for using LDAP as an au
pn nscd <none> (no description available)
Versions of packages nslcd suggests:
pn kstart <none> (no description available)
-- debconf information:
nslcd/ldap-starttls: false
nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.pca.it
nslcd/ldap-binddn:
* nslcd/ldap-base: dc=pca,dc=it
--- End Message ---
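The two problems in the report above both come down to LDAP filter semantics: in RFC 4515 an unescaped `(host=*)` is a presence test (any host value), so a literal `*` stored in the attribute has to be hex-escaped as `\2a` to be matched, and the `(!(host=*))` branch of the manpage filter admits every account that has no host attribute at all. The following Python is an added example, not code from nslcd, the nslcd.conf manpage or the reporter: it parses the small subset of filter syntax used here, substitutes `$username`/`$hostname`/`$fqdn` with RFC 4515 escaping, and evaluates the manpage filter and an extended variant against a constructed directory under `example.org`. The `$fqdn` variable is the one the 0.8.1 changelog announces; its substitution here is the example's own, and the example does not model how nslcd unescapes backslashes in nslcd.conf (the double-escape the reporter needed).

```python
"""Evaluate pam_authz_search-style host filters offline (constructed example)."""
import re

# Characters that must be hex-escaped inside an LDAP filter value (RFC 4515).
_SPECIAL = '\\*()\x00'


def ldap_escape(value):
    """Escape a substituted value so it can only ever be matched literally."""
    return ''.join('\\%02x' % ord(c) if c in _SPECIAL else c for c in value)


def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the subset of RFC 4515 used here: and/or/not, equality, presence."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError('trailing data after filter')
    return node


def _parse(text, pos):
    if text[pos] != '(':
        raise ValueError('expected "(" at offset %d' % pos)
    pos += 1
    op = text[pos]
    if op in '&|':
        pos += 1
        children = []
        while text[pos] == '(':
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ')':
            raise ValueError('unterminated %s at offset %d' % (op, pos))
        return (op, children), pos + 1
    if op == '!':
        child, pos = _parse(text, pos + 1)
        if text[pos] != ')':
            raise ValueError('unterminated ! at offset %d' % pos)
        return ('!', child), pos + 1
    end = text.index(')', pos)
    attr, sep, value = text[pos:end].partition('=')
    if not sep or not attr:
        raise ValueError('bad filter item %r' % text[pos:end])
    if value == '*':                      # presence test: attribute has any value
        return ('present', attr.lower()), end + 1
    if '*' in value:                      # substring filters are out of scope here
        raise ValueError('unescaped "*" in %r' % value)
    return ('equal', attr.lower(), _unescape(value)), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr: [values]}."""
    kind = node[0]
    if kind == '&':
        return all(matches(c, entry) for c in node[1])
    if kind == '|':
        return any(matches(c, entry) for c in node[1])
    if kind == '!':
        return not matches(node[1], entry)
    if kind == 'present':
        return bool(entry.get(node[1]))
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


# Filter quoted from the nslcd.conf manpage in the report above.
MANPAGE_FILTER = ('(&(objectClass=posixAccount)(uid=$username)'
                  '(|(host=$hostname)(!(host=*))))')
# Extended variant: also accepts a literal "*" host value (hex-escaped as \2a so
# it is not read as a presence test) and the FQDN via the $fqdn variable.
EXTENDED_FILTER = ('(&(objectClass=posixAccount)(uid=$username)'
                   '(|(host=$hostname)(host=$fqdn)(host=\\2a)(!(host=*))))')


def expand(template, username, hostname, fqdn):
    """Substitute the variables, escaping each value as RFC 4515 requires."""
    values = {'username': username, 'hostname': hostname, 'fqdn': fqdn}
    return re.sub(r'\$(username|hostname|fqdn)',
                  lambda m: ldap_escape(values[m.group(1)]), template)


# Constructed directory entries (attribute names lower-cased, values as lists).
DIRECTORY = [
    {'objectclass': ['posixAccount'], 'uid': ['alice'], 'host': ['web1']},
    {'objectclass': ['posixAccount'], 'uid': ['bob'], 'host': ['*']},
    {'objectclass': ['posixAccount'], 'uid': ['carol']},          # no host attribute
    {'objectclass': ['posixAccount'], 'uid': ['dave'],
     'host': ['web1.example.org']},                               # FQDN only
]


def authorized(template, username, hostname, fqdn='', directory=DIRECTORY):
    """True if the expanded filter matches an entry, i.e. the login is allowed."""
    node = parse_filter(expand(template, username, hostname, fqdn))
    return any(matches(node, e) for e in directory)


if __name__ == '__main__':
    for user in ('alice', 'bob', 'carol', 'dave'):
        print(user, 'on web2: manpage filter =',
              authorized(MANPAGE_FILTER, user, 'web2'),
              '| extended filter =',
              authorized(EXTENDED_FILTER, user, 'web2', 'web2.example.org'))
```

Running it shows the two effects the reporter observed: bob's literal `*` host entry is rejected by the manpage filter and accepted only once `\2a` is in the filter, and dave (FQDN in the directory, short name in `$hostname`) is rejected until the FQDN is also tried. It also makes the policy consequence of `(!(host=*))` visible: carol, who has no host attribute at all, is allowed on every host, which is worth auditing for before enabling the filter.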
--- Begin Message ---
Source: nss-pam-ldapd
Source-Version: 0.8.1
We believe that the bug you reported is fixed in the latest version of
nss-pam-ldapd, which is due to be installed in the Debian FTP archive:
libnss-ldapd_0.8.1_i386.deb
to main/n/nss-pam-ldapd/libnss-ldapd_0.8.1_i386.deb
libpam-ldapd_0.8.1_i386.deb
to main/n/nss-pam-ldapd/libpam-ldapd_0.8.1_i386.deb
nslcd_0.8.1_i386.deb
to main/n/nss-pam-ldapd/nslcd_0.8.1_i386.deb
nss-pam-ldapd_0.8.1.dsc
to main/n/nss-pam-ldapd/nss-pam-ldapd_0.8.1.dsc
nss-pam-ldapd_0.8.1.tar.gz
to main/n/nss-pam-ldapd/nss-pam-ldapd_0.8.1.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arthur de Jong <[email protected]> (supplier of updated nss-pam-ldapd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 10 Mar 2011 22:00:00 +0100
Source: nss-pam-ldapd
Binary: nslcd libnss-ldapd libpam-ldapd
Architecture: source i386
Version: 0.8.1
Distribution: experimental
Urgency: low
Maintainer: Arthur de Jong <[email protected]>
Changed-By: Arthur de Jong <[email protected]>
Description:
libnss-ldapd - NSS module for using LDAP as a naming service
libpam-ldapd - PAM module for using LDAP as an authentication service
nslcd - Daemon for NSS and PAM lookups using LDAP
Closes: 610925
Changes:
nss-pam-ldapd (0.8.1) experimental; urgency=low
.
* SECURITY FIX: the PAM module will allow authentication for users that do
not exist in LDAP, this allows login to local users with an
incorrect password (CVE-2011-0438)
the exploitability of the problem depends on the details of
the PAM stack and the use of the minimum_uid PAM option
* add FreeBSD support, partially imported from the FreeBSD port (thanks to
Jacques Vidrine, Artem Kazakov and Alexander V. Chernikov)
* document how to replace the pam_check_service_attr and
pam_check_host_attr options in PADL's pam_ldap with pam_authz_search
in nss-pam-ldapd (closes: #610925)
* implement a fqdn variable that can be used in pam_authz_search filters
* create the directory to hold the socket and pidfile on startup
* implement host, network and netgroup support in pynslcd
Checksums-Sha1:
21d65885f242a0c9cef23c072662454e3bd031e3 1102 nss-pam-ldapd_0.8.1.dsc
3507457b09667affe73538e09cbb404e31b7f718 532186 nss-pam-ldapd_0.8.1.tar.gz
8cd3a9fffde91c8230953d7777766eb38d1f79a8 128144 nslcd_0.8.1_i386.deb
12c6c768ae7356a45b2b9591ea1ad98112678215 45218 libnss-ldapd_0.8.1_i386.deb
701b818745b4eb2a3e96f5ae4e1435ab216dd2f9 38280 libpam-ldapd_0.8.1_i386.deb
Checksums-Sha256:
5313ddb1810abad94f8872e3913b9068afc67c32a611bc46db9784b33f4b294c 1102 nss-pam-ldapd_0.8.1.dsc
ea2f11a26967e9bcaa8fda4e547fdfbf1dae5b23312f2ee8a79dedc2b3d5c91d 532186 nss-pam-ldapd_0.8.1.tar.gz
af01f74d2d21c44148a0bf840951cdc629b7831427e84a4806745f986013edb9 128144 nslcd_0.8.1_i386.deb
d40f90f22fa6018a72faa39678dd62bb00a621140613f0c5103332b73091a000 45218 libnss-ldapd_0.8.1_i386.deb
35bf91c7d23ecad26a76652866c501556fbe1b483ddaf04694c9dd7a696c3458 38280 libpam-ldapd_0.8.1_i386.deb
Files:
d315209b322dbe8b753830adceff05ad 1102 admin extra nss-pam-ldapd_0.8.1.dsc
8d3216b76e1291f95072466508ad8b26 532186 admin extra nss-pam-ldapd_0.8.1.tar.gz
ab5ab3975d9669fafd868f7b3415abf7 128144 admin extra nslcd_0.8.1_i386.deb
e196e10fefe011aea20cfedb6f1f957d 45218 admin extra libnss-ldapd_0.8.1_i386.deb
b68cdcd65509556be8d98ac278b6e3ae 38280 admin extra libpam-ldapd_0.8.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk15RtoACgkQVYan35+NCKfDgACeMgcqRzQ2F7FpEI7h7J7azQVX
EtMAn02ckIZzsiBB5jG21kETtz9yqhGt
=C+zX
-----END PGP SIGNATURE-----
--- End Message ---