PAM_LDAP with openLDAP server

Hi,

I’m trying to manage account locking with PAM_LDAP and an OpenLDAP server. To do this I’m using the ppolicy module and the pwdAccountLockedTime parameter.

With ldapsearch it works fine:

  • Bind with the userId
  • OpenLDAP refuses the bind with an “invalidCredential” message, as expected

user@linux-65by:~> ldapsearch -v -x -H ldap://SERVER-LDAP -b 'ou=people,dc=test' -D 'uid=toto,ou=people,dc=test' -W
ldap_initialize( ldap://192.168.116.100:389/??base )
Enter LDAP Password:
**ldap_bind: Invalid credentials (49)**

But with PAM_LDAP it doesn’t work: the user can log in. When I check the logs and a tcpdump, I can see that:

  1. PAM_LDAP binds anonymously (or with a service account)
  2. PAM_LDAP performs a search request (uid=toto) asking for userPassword, and OpenLDAP answers with Success and the hashed password
  3. PAM_LDAP doesn’t send any BIND request with the toto user as DN

user@linux-65by:~> su toto
Password:
**toto**@linux-65by:/home/user>

My PAM_LDAP configuration file looks like this:

uri ldap://SERVER-LDAP
ldap_version 3
base dc=**test**
nss_schema rfc2307bis
nss_map_attribute **memberUid**
nss_connect_policy persist
ssl no
#TLS_CACERT /etc/security/intermediateCA-bundle.crt
pam_lookup_policy yes
pam_password exop_send_old
bind_policy soft
bind_timelimit 30
timelimit 30
pam_member_attribute **member**

Please note that pam_lookup_policy seems to have no effect (no change in behaviour in terms of the LDAP requests sent).

OpenLDAP OLC configuration (cn=config):

The default ppolicy is defined:

dn: olcOverlay={1}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: **cn=ppolicy,dc=test**
olcPPolicyUseLockout: TRUE
olcPPolicyHashCleartext: TRUE
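The ppolicy overlay enforces pwdLockout and pwdAccountLockedTime when a client binds as the user; the search seen above returns the userPassword hash instead, and a client that can read the hash can verify the password without ever binding, so the lock never comes into play. The script below is an added example, not code from the post or from OpenLDAP: it parses olcAccess values as they appear in a cn=config export and flags any clause that grants read access (or higher) on userPassword to a subject other than self. The sample rules, the hardened rule and the access-level ordering (none < disclose < auth < compare < search < read < write < manage, as in slapd.access(5)) are assumptions for the demonstration; the parser handles only the common `to attrs=... by <who> <level>` form, not the `=rscx` or `+`/`-` level syntax or multiple `<what>` selectors.

```python
"""Flag slapd access rules that expose userPassword hashes to readers.

Added example, not from the original post or from OpenLDAP itself.
Assumed semantics: slapd evaluates olcAccess rules in order and uses the
first rule whose <what> matches the attribute being accessed.
"""
import re

# Access levels in increasing order, as documented in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed sample, loosely modelled on a typical cn=config export.
# Rule {0} is weak: 'by * read' lets any client fetch password hashes,
# which is enough to verify a password client-side and skip the BIND.
SAMPLE_OLCACCESS = [
    "{0}to attrs=userPassword by self write by anonymous auth by * read",
    "{1}to attrs=shadowLastChange by self write by * read",
    "{2}to * by * read",
]

# Corrected rule: the hash is only usable for a BIND ('auth'), never read.
HARDENED = "{0}to attrs=userPassword by self write by anonymous auth by * none"

WHAT_RE = re.compile(r"^\{\d+\}to\s+(?P<what>\*|\S+)\s+(?P<rest>.*)$")
BY_RE = re.compile(
    r"by\s+(?P<who>\S+)\s+(?P<level>none|disclose|auth|compare|search|read|write|manage)"
)


def parse_rule(rule):
    """Split one olcAccess value into its <what> selector and [(who, level), ...]."""
    m = WHAT_RE.match(rule.strip())
    if not m:
        raise ValueError("unparsable olcAccess: " + rule)
    clauses = [(b.group("who"), b.group("level")) for b in BY_RE.finditer(m.group("rest"))]
    return m.group("what"), clauses


def covers_userpassword(what):
    """True if the <what> selector matches the userPassword attribute."""
    if what == "*":
        return True
    m = re.match(r"attrs=(.+)", what, re.IGNORECASE)
    return bool(m) and "userpassword" in [a.strip().lower() for a in m.group(1).split(",")]


def find_exposures(rules):
    """Return (rule, who, level) for each clause that lets a non-self subject
    read userPassword. Only the first matching rule is examined, mirroring
    slapd's first-match evaluation."""
    for rule in rules:
        what, clauses = parse_rule(rule)
        if not covers_userpassword(what):
            continue
        return [
            (rule, who, level)
            for who, level in clauses
            if who != "self" and LEVELS.index(level) >= LEVELS.index("read")
        ]
    return []


if __name__ == "__main__":
    for rule, who, level in find_exposures(SAMPLE_OLCACCESS):
        print(f"EXPOSED: '{who}' gets '{level}' on userPassword via: {rule}")
    print("hardened rule exposures:", find_exposures([HARDENED]))
```

Run it against the output of `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` (one olcAccess value per list element) to confirm that nothing but the account itself can read the hash; with the hardened rule, an `auth` grant still lets slapd perform the BIND, which is the path on which ppolicy's lockout is enforced.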

The default policy configuration:

dn: cn=**ppolicy,dc=test**
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
**pwdLockout: TRUE**
**pwdLockoutDuration: 0**
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
pwdCheckModule: check_password.so

And finally, the toto user’s configuration:

dn: uid=toto,ou=people,dc=test
cn: toto
gidNumber: 100
givenName: toto
homeDirectory: /home/toto
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: myname
uid: toto
uidNumber: 1008
userPassword: {ssha}WBq4hoi8lU8lAkKGgdLrQyFwowNVS1RVSA==
**pwdAccountLockedTime: 000001010000Z**
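The value 000001010000Z in pwdAccountLockedTime is the special marker the ppolicy specification uses for an account locked permanently by an administrator; any other value is a GeneralizedTime after which the lock expires once pwdLockoutDuration seconds have elapsed, and a pwdLockoutDuration of 0 (as in the policy above) means the lock never expires on its own. The following script is an added example, not code from the post or from OpenLDAP: it reads a small constructed LDIF modelled on the toto entry and reports the lock state of each account under those rules, which is a useful audit to run against an export when, as here, the PAM side does not appear to honour the lock. The sample entries and timestamps are constructed; the minimal LDIF reader ignores base64 (`::`) values, which the attributes checked here never use.

```python
"""Evaluate OpenLDAP ppolicy lock state for entries in an LDIF export.

Added example, not code from the original post. Assumed ppolicy semantics
(from the password-policy draft as implemented by slapo-ppolicy):
  - pwdAccountLockedTime absent  -> not locked
  - value 000001010000Z          -> locked permanently by an administrator
  - otherwise locked until pwdAccountLockedTime + pwdLockoutDuration,
    and indefinitely if pwdLockoutDuration is 0
"""
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"

# Constructed LDIF sample: three accounts in different lock states.
SAMPLE_LDIF = """\
dn: uid=toto,ou=people,dc=test
uid: toto
objectClass: posixAccount
pwdAccountLockedTime: 000001010000Z

dn: uid=alice,ou=people,dc=test
uid: alice
objectClass: posixAccount
pwdAccountLockedTime: 20240101120000Z

dn: uid=bob,ou=people,dc=test
uid: bob
objectClass: posixAccount
"""


def parse_ldif(text):
    """Minimal LDIF reader returning one {attr: [values]} dict per entry.
    Handles folded lines (leading space); attribute names are lower-cased
    because LDAP attribute names are case-insensitive."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw == "":
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last:
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.lower()
        current.setdefault(attr, []).append(value.strip())
        last = attr
    return entries


def parse_gtime(s):
    """GeneralizedTime as slapd writes it: YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lock_state(entry, lockout_duration, now):
    """Return 'unlocked', 'locked-permanent', 'locked-until:<time>' or 'expired'."""
    values = entry.get("pwdaccountlockedtime")
    if not values:
        return "unlocked"
    locked_at = values[0]
    if locked_at == PERMANENT_LOCK or lockout_duration == 0:
        # Either the administrative marker or a policy whose locks never expire.
        return "locked-permanent"
    until = parse_gtime(locked_at) + timedelta(seconds=lockout_duration)
    if now < until:
        return "locked-until:" + until.strftime("%Y%m%d%H%M%SZ")
    return "expired"


def audit(ldif_text, lockout_duration, now):
    """Map each uid in the export to its lock state at time `now`."""
    return {e["uid"][0]: lock_state(e, lockout_duration, now) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for uid, state in audit(SAMPLE_LDIF, 0, now).items():
        print(f"{uid}: {state}")
```

Feed it the output of an `ldapsearch` over ou=people requesting uid and pwdAccountLockedTime, with pwdLockoutDuration taken from the policy entry; an account reported as locked that can still log in through PAM is direct evidence that the authentication path is not binding as the user.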

Finally, my pam.d files look like this:

common-account:

account    requisite    pam_unix.so    try_first_pass
account    sufficient    pam_localuser.so
**account required        pam_ldap.so     use_first_pass**

common-auth:

auth    required        pam_env.so
auth    sufficient    pam_unix.so    try_first_pass
**auth    sufficient    pam_ldap.so    use_first_pass**

common-session:

session  optional       pam_mkhomedir.so
session required        pam_limits.so
session required        pam_unix.so     try_first_pass
**session optional        pam_ldap.so**
session optional        pam_umask.so
session optional        pam_systemd.so
session optional        pam_env.so

common-password:

**password        required        pam_ldap.so     try_first_pass**