https://bugzilla.redhat.com/show_bug.cgi?id=863415 (Red Hat Enterprise Linux 6)
Description of problem:
PAM passthrough plugin now accepts even incorrect values for some attributes in the configuration entry, namely pamIDMapMethod, pamMissingSuffix and pamService. Invalid values can be passed to pamIDMapMethod (should allow only RDN DN ENTRY) and pamMissingSuffix (should allow only ALLOW IGNORE ERROR), while pamService accepts an empty value.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.10.2-15.el6.x86_64

How reproducible:
always

Steps to Reproduce:
ldapmodify .. <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamIDMapMethod
pamIDMapMethod: invalid
-
replace: pamMissingSuffix
pamMissingSuffix: invalid
-
replace: pamService
pamService:
EOF

Actual results:
ldapmodify succeeds

Expected results:
Should fail with ldap_modify: Invalid syntax (return code 21)

Additional info:
other attributes do not permit incorrect values and fail with RC 21, e.g. pamFallback or pamExcludeSuffix
It looks like the bug is already fixed in 1.2.11.17-1.fc17. After creating a dedicated suffix and enabling the PAM plugin:
'''Test of pamMissingSuffix'''
ldapmodify -h localhost -p 9577 -D "cn=directory manager" -w secret12
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamMissingSuffix
pamMissingSuffix: invalid

modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: Error: valid values for pamMissingSuffix are PAMPT_MISSING_SUFFIX_ERROR, PAMPT_MISSING_SUFFIX_ALLOW, PAMPT_MISSING_SUFFIX_IGNORE

The error returned (unwilling to perform) seems good to me, rather than a syntax error. The only issue is that it displays internal code macros rather than the user values ERROR, ALLOW or IGNORE.
'''Test of pamIDMapMethod'''
ldapmodify -h localhost -p 9577 -D "cn=directory manager" -w secret12
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamIDMapMethod
pamIDMapMethod: invalid

modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: The map method in the string [invalid] is invalid: must be one of DN or RDN or ENTRY

The error returned (unwilling to perform) seems good to me, rather than a syntax error. The displayed values are correct.
'''Test of pamService'''
ldapmodify -h localhost -p 9577 -D "cn=directory manager" -w secret12
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamService
pamService:

modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"

This change is applied and I think it is correct. In fact, pamService defines a file name under /etc/pam.d, and if the file does not exist, the policy for the service is taken from /etc/pam.conf. So if pamService is empty, DS will use /etc/pam.conf, which is legal.

I need to confirm that most of the bug is already fixed (except for displaying user values rather than internal macros), and when that happened.
Yes, I believe err=53 is correct as noted by Thierry. Error 21 is for violations of LDAP syntaxes. The syntaxes used by these 3 attributes are as follows:
pamMissingSuffix - Directory String (1 or more UTF8 characters)
pamIDMapMethod - Directory String (1 or more UTF8 characters)
pamService - IA5 String (0 or more characters from the ASCII IA5 alphabet)
The tested values do not violate the LDAP syntaxes, so returning err=21 is not appropriate. The tested values for pamMissingSuffix and pamIDMapMethod are invalid from the viewpoint of the PAM passthrough plug-in though, which is why the plug-in does further validation and returns err=53 and a useful message as appropriate.
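The two validation layers the comment above distinguishes (an LDAP syntax violation returns err=21, a value the plug-in rejects returns err=53), together with the earlier point that the err=53 message should list the user values rather than the PAMPT_* macros, as an added C example. This is not code from 389-ds-base: the function and table names are this example's own, and the UTF-8 check is a minimal structural stand-in for the server's real Directory String syntax validator.

```c
/* Added example, not 389-ds-base code. Layer 1 mirrors the LDAP attribute
 * syntax (Directory String for pamMissingSuffix/pamIDMapMethod, IA5 String
 * for pamService) and fails with err=21; layer 2 mirrors the plug-in's own
 * value check and fails with err=53, naming the user-facing values. */
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS               0
#define LDAP_UNDEFINED_TYPE       17
#define LDAP_INVALID_SYNTAX       21
#define LDAP_UNWILLING_TO_PERFORM 53

/* Internal codes stay internal: the user spellings live in a parallel table
 * so an error message never prints a PAMPT_* name. */
enum pam_missing_suffix { PAMPT_MISSING_SUFFIX_ERROR, PAMPT_MISSING_SUFFIX_ALLOW,
                          PAMPT_MISSING_SUFFIX_IGNORE };
static const char *const missing_suffix_values[] = { "ERROR", "ALLOW", "IGNORE" };
static const char *const map_method_values[]     = { "DN", "RDN", "ENTRY" };
#define NVALUES 3

/* IA5 String: zero or more 7-bit ASCII characters; empty is legal. */
static int ia5_string_ok(const char *v)
{
    for (; *v; v++)
        if ((unsigned char)*v > 0x7f)
            return 0;
    return 1;
}

/* Directory String: one or more UTF-8 characters. Assumption: lead byte plus
 * the right number of continuation bytes is enough for this demonstration. */
static int directory_string_ok(const char *v)
{
    const unsigned char *s = (const unsigned char *)v;
    if (!*s)
        return 0;
    while (*s) {
        int cont;
        if (*s < 0x80)                cont = 0;
        else if ((*s & 0xe0) == 0xc0) cont = 1;
        else if ((*s & 0xf0) == 0xe0) cont = 2;
        else if ((*s & 0xf8) == 0xf0) cont = 3;
        else return 0;
        for (s++; cont > 0; cont--, s++)
            if ((*s & 0xc0) != 0x80)  /* also catches a truncated sequence */
                return 0;
    }
    return 1;
}

/* Exact-match lookup of a user value in an allowed-values table. */
static int table_index(const char *v, const char *const *table)
{
    int i;
    for (i = 0; i < NVALUES; i++)
        if (strcmp(v, table[i]) == 0)
            return i;
    return -1;
}

/* Formats "valid values for <attr> are A, B, C" from the user-facing table. */
static void list_values(char *msg, size_t cap, const char *attr, const char *const *table)
{
    int i, off = snprintf(msg, cap, "valid values for %s are ", attr);
    for (i = 0; i < NVALUES && off >= 0 && (size_t)off < cap; i++)
        off += snprintf(msg + off, cap - off, "%s%s", i ? ", " : "", table[i]);
}

/* Validates one replace of attr with value. Returns the LDAP result code and
 * writes the "additional info" text into msg (empty on success). */
int validate_pam_config(const char *attr, const char *value, char *msg, size_t cap)
{
    const char *const *table;
    msg[0] = '\0';
    if (strcmp(attr, "pamService") == 0) {
        /* Empty passes both layers: the plug-in then falls back to /etc/pam.conf. */
        if (!ia5_string_ok(value)) {
            snprintf(msg, cap, "%s: value is not an IA5 String", attr);
            return LDAP_INVALID_SYNTAX;
        }
        return LDAP_SUCCESS;
    }
    if (strcmp(attr, "pamMissingSuffix") == 0)     table = missing_suffix_values;
    else if (strcmp(attr, "pamIDMapMethod") == 0)  table = map_method_values;
    else {  /* only the three attributes from the ticket are modelled here */
        snprintf(msg, cap, "%s: attribute not modelled", attr);
        return LDAP_UNDEFINED_TYPE;
    }
    if (!directory_string_ok(value)) {             /* layer 1: LDAP syntax */
        snprintf(msg, cap, "%s: value is not a Directory String", attr);
        return LDAP_INVALID_SYNTAX;
    }
    if (table_index(value, table) < 0) {           /* layer 2: plug-in semantics */
        list_values(msg, cap, attr, table);
        return LDAP_UNWILLING_TO_PERFORM;
    }
    return LDAP_SUCCESS;
}

int main(void)
{
    /* Constructed inputs mirroring the ticket's reproducer. */
    const char *mods[][2] = { { "pamMissingSuffix", "invalid" }, { "pamIDMapMethod", "invalid" },
                              { "pamService", "" }, { "pamIDMapMethod", "RDN" } };
    char msg[128];
    size_t i;
    for (i = 0; i < sizeof mods / sizeof mods[0]; i++) {
        int rc = validate_pam_config(mods[i][0], mods[i][1], msg, sizeof msg);
        printf("%s: '%s' -> err=%d %s\n", mods[i][0], mods[i][1], rc, msg);
    }
    return 0;
}
```

Running it shows the three reproducer modifications ending as the thread describes: the two bogus Directory String values pass the syntax layer and are refused by the plug-in with err=53 and a message built from the user-facing table, while the empty pamService passes both layers.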
Replying to [comment:6 tbordaz]:
'''Test of pamMissingSuffix'''
ldapmodify -h localhost -p 9577 -D "cn=directory manager" -w secret12
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamMissingSuffix
pamMissingSuffix: invalid

modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: Error: valid values for pamMissingSuffix are PAMPT_MISSING_SUFFIX_ERROR, PAMPT_MISSING_SUFFIX_ALLOW, PAMPT_MISSING_SUFFIX_IGNORE

The Error returned seems good to me (unwilling to perform) rather than syntax error. The only issue is that it displays internal code macros rather than the user values ERROR, ALLOW or IGNORE
Yes, we should fix the error message to not display the macros. I think everything else is working as designed.
ticket 487 patch file 0001-Ticket-487-Possible-to-add-invalid-attribute-values-.patch
ack
fix pushed to master
[tbordaz@pctbordaz ds]$ git merge ticket487
Updating 0219577..ca06547
Fast-forward
 ldap/servers/plugins/pam_passthru/pam_ptconfig.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

[tbordaz@pctbordaz ds]$ git push origin master
Enter passphrase for key '/home/tbordaz/.ssh/id_rsa_fedora':
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.18 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   0219577..ca06547  master -> master

commit ca06547
Author: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
Date:   Thu Jan 24 16:17:32 2013 +0100
Metadata Update from @tbordaz:
- Issue assigned to tbordaz
- Issue set to the milestone: 1.3.1
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/487
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)