[Fedora-directory-users] Securing the Pam Passthru plugin
Paul Engle
pengle at rice.edu
Thu May 25 14:17:08 UTC 2006
Hello all,

I've installed and configured the pam passthru plugin so that we can do
simple binds without having to store passwords in the directory. It's
working, but I can't seem to get the pamSecure attribute to take effect. My
entry in dse.ldif for the plugin is:

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.0.2
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: PAM pass through authentication plugin

That's pretty much a cut & paste from the README that comes with the plugin
source. Docs are sketchy, but I thought that pamSecure was supposed to
prevent a non-SSL connection from being able to do the passthru bind? Even
though I have it set to true, I can bind to port 389 of my server with no
error. Obviously, that's not acceptable. Am I misunderstanding the purpose
of this attribute? If so, is there any other way to enforce TLS for simple
binds?

Also, is there any plan to include this plugin in the default build of FDS?
It's included with the source, but it's commented out of the Makefile, at
least for version 1.0.2.

Thanks,
-paul
--
Paul D. Engle | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702 | P.O. Box 1892
pengle at rice.edu | Houston, TX 77251-1892