I came across a similar bug where enabling chaining between a master and slave allows invalid passwords to be accepted by pam_ldap. Unfortunately, no word from the OpenLDAP or pam_ldap maintainers on the issue. I have been looking at the pam_ldap source code but haven't been able to pinpoint the issue. In my case, it has something to do with password policy not being handled properly when chaining is enabled. I suggest trying to tweak those "pam_password" statements and seeing if you can deduce anything.
I will update the list if I find anything conclusive about this bug.
Thanks,
Siddhartha
On 6/5/10 7:00 AM, "Indexer" indexer@internode.on.net wrote:
Recently, I have hit a rather unique, and annoying, error with LDAP. It seems that using PAM with LDAP allows *any* password as valid. I'm not really sure what I have done here, and any help would be appreciated. Find my /etc/ldap.conf attached, as well as pam.d/sshd.
/etc/ldap.conf

base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.chocolate.lan
ldap_version 3
scope sub
timelimit 3
bind_timelimit 3
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_groupdn cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan
pam_member_attribute memberUid
pam_password clear
pam_password exop
nss_base_passwd ou=Users,dc=chocolate,dc=lan?sub
nss_base_shadow ou=Users,dc=chocolate,dc=lan?sub
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?sub
ssl on
ssl start_tls
tls_cacert /usr/local/etc/openldap/keys/cacert.crt
tls_checkpeer no
pam.d/sshd

auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
auth sufficient pam_unix.so no_warn try_first_pass

account required pam_nologin.so
account required pam_login_access.so
account optional pam_unix.so
account optional /usr/local/lib/pam_ldap.so

session required pam_permit.so
session optional /usr/local/lib/pam_ldap.so

password sufficient /usr/local/lib/pam_ldap.so no_warn use_authtok use_first_pass
password sufficient pam_unix.so no_warn try_first_pass
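As an added example (not part of the thread), a small checker over the two files quoted above: it surfaces the duplicated pam_password key that Siddhartha suggests tweaking, flags tls_checkpeer no (server certificate not verified), and lists the auth modules whose control is sufficient, since a success from any one of them ends the auth stack on its own. The sample input is constructed from the poster's configuration; the function names are this example's own.

```python
"""Sanity checks for the pam_ldap / pam.d configuration quoted in the thread."""
from collections import Counter

# Constructed from the poster's /etc/ldap.conf and pam.d/sshd (abridged).
LDAP_CONF = """\
bind_policy soft
pam_filter objectclass=posixAccount
pam_password clear
pam_password exop
tls_checkpeer no
"""

PAM_SSHD = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
auth sufficient pam_unix.so no_warn try_first_pass
account required pam_nologin.so
"""

def parse_ldap_conf(text):
    """Return [(key, value)] for every non-comment line, in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        entries.append((key, value.strip()))
    return entries

def duplicate_keys(entries):
    """Keys set more than once; which value takes effect depends on the reader."""
    counts = Counter(key for key, _ in entries)
    return sorted(key for key, n in counts.items() if n > 1)

def weak_tls_settings(entries):
    """Settings that disable verification of the LDAP server certificate."""
    return [(k, v) for k, v in entries if k == "tls_checkpeer" and v == "no"]

def parse_pam_stack(text, phase="auth"):
    """Return [(control, module, [options])] for one PAM management group."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == phase:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def short_circuit_modules(stack):
    """Modules whose own success ends the stack (control 'sufficient')."""
    return [module for control, module, _ in stack if control == "sufficient"]
```

Run against the real files, the same functions point at the keys worth comparing between a working and a failing host before digging into pam_ldap itself.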