Hi,
I’m trying to manage account lockout with PAM_LDAP and an OpenLDAP server. To do this I’m using the ppolicy module and the pwdAccountLockedTime parameter.
With ldapsearch it works fine:
- Bind with the userId
- OpenLDAP refuses the bind with an “invalidCredential” message, as expected
user@linux-65by:~> ldapsearch -v -x -H ldap://SERVER-LDAP -b 'ou=people,dc=test' -D 'uid=toto,ou=people,dc=test' -W
ldap_initialize( ldap://192.168.116.100:389/??base )
Enter LDAP Password:
**ldap_bind: Invalid credentials (49)**
But with PAM_LDAP it doesn’t work: the user can log in. When I check the logs and a tcpdump capture, I can see that:
- PAM_LDAP binds anonymously (or with a service account)
- PAM_LDAP performs a search request (uid=toto) asking for userPassword, and OpenLDAP answers with Success and the hashed password
- PAM_LDAP doesn’t send any BIND request with the toto user as DN
user@linux-65by:~> su toto
Password:
**toto**@linux-65by:/home/user>
My PAM_LDAP configuration file looks like this:
uri ldap://SERVER-LDAP
ldap_version 3
base dc=**test**
nss_schema rfc2307bis
nss_map_attribute **memberUid**
nss_connect_policy persist
ssl no
#TLS_CACERT /etc/security/intermediateCA-bundle.crt
pam_lookup_policy yes
pam_password exop_send_old
bind_policy soft
bind_timelimit 30
timelimit 30
pam_member_attribute **member**
Please note that pam_lookup_policy seems to have no effect (no change in behaviour in terms of the LDAP requests sent).
OpenLDAP OLC configuration (cn=config):
The default ppolicy is defined:
dn: olcOverlay={1}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: **cn=ppolicy,dc=test**
olcPPolicyUseLockout: TRUE
olcPPolicyHashCleartext: TRUE
The default policy configuration:
dn: cn=**ppolicy,dc=test**
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
**pwdLockout: TRUE**
**pwdLockoutDuration: 0**
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
pwdCheckModule: check_password.so
And finally, the toto user’s configuration:
dn: uid=toto,ou=people,dc=test
cn: toto
gidNumber: 100
givenName: toto
homeDirectory: /home/toto
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: myname
uid: toto
uidNumber: 1008
userPassword: {ssha}WBq4hoi8lU8lAkKGgdLrQyFwowNVS1RVSA==
**pwdAccountLockedTime: 000001010000Z**
Finally, my pam.d files look like this:
common-account:
account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
**account required pam_ldap.so use_first_pass**
common-auth:
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
**auth sufficient pam_ldap.so use_first_pass**
common-session:
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix.so try_first_pass
**session optional pam_ldap.so**
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_env.so
common-password:
**password required pam_ldap.so try_first_pass**
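Added example, not part of the original post: the ppolicy overlay enforces pwdAccountLockedTime on bind operations only, so any client that can read a user's userPassword hash (as the anonymous/service-account search in the capture above does) can verify a password locally without ever binding as that user, and the lockout never comes into play. The olcAccess fragment below is written against the {1}hdb database named in the post's olcOverlay DN (an assumption; adjust to the actual database) and restricts userPassword so it can be used for binding ("auth") and changed by the user, but never read back by a search. The second rule is only there so that the rest of the tree stays readable after the replace; `replace` discards any existing olcAccess values, so merge in your own rules before applying it.

```ldif
# Added example: make the bind (and therefore ppolicy) the only way to
# verify a password. Assumes the database is {1}hdb as in the post.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Rule {0}: userPassword is never returned by a search to anyone.
#   self      -> the user may change their own password (exop)
#   anonymous -> the hash may be used to authenticate a simple bind
#   *         -> everyone else (service accounts included) gets nothing
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Rule {1}: keep the posixAccount/inetOrgPerson attributes readable so
# NSS lookups (uid, uidNumber, homeDirectory, ...) still work.
olcAccess: {1}to *
  by self write
  by * read
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` (or the rootdn) and re-run the search from the capture as the service account: the entry should come back without a userPassword attribute, and the only remaining way for a PAM stack to check toto's password is a bind as uid=toto, which OpenLDAP rejects with invalidCredentials (49) while pwdAccountLockedTime is set.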