OpenLDAP Not Obeying pam_check_host_attr Restriction in pam_ldap.conf and Incorrectly Allowing Access to All Hosts

Solution In Progress

Environment

  • Red Hat Enterprise Linux 6
  • OpenLDAP

Issue

With pam_check_host_attr yes set in /etc/pam_ldap.conf, the restriction is not enforced: LDAP users can still log in to hosts that their host attribute does not permit:

[root@server1 ~]# cat /etc/pam_ldap.conf 
uri ldap://server1.example.com/ ldap://server1.example.com/
base dc=example,dc=com
tls_cacertdir /etc/openldap/cacerts
pam_check_host_attr yes
binddn cn=binduser,dc=example,dc=com
...

A user whose LDAP entry has no host attribute matching the machine may see an error message saying they do not have access to it, yet the login still succeeds. With pam_check_host_attr yes, such a user should be denied.

Resolution

Make sure the shadow entry in /etc/nsswitch.conf does not list ldap as a source. If it does, remove it from the shadow entry only, leaving the passwd and group entries as they are:

[root@server1 ~]# cat /etc/nsswitch.conf
passwd:     files ldap
group:      files ldap
shadow:     files
...
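The following shell script is an added example, not part of this Red Hat solution. It reads an nsswitch.conf-style file, reports which sources the shadow: entry lists, and rewrites that entry without ldap while copying every other line (passwd:, group:, comments) through unchanged. The file it operates on is a constructed sample created in a temporary directory; point it at /etc/nsswitch.conf to apply the fix on a real system (a backup is written as /etc/nsswitch.conf.bak).

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: audit the shadow: entry of
# an nsswitch.conf-style file and drop ldap from it. The file below is a
# constructed sample; pass /etc/nsswitch.conf to act on a real system.

# Print the sources listed for DATABASE (e.g. "files ldap"), with comments
# and [action] tokens such as [NOTFOUND=return] removed.
nss_sources() {   # nss_sources FILE DATABASE
    awk -v key="$2:" '
        /^[ \t]*#/ { next }                      # whole-line comment
        { sub(/#.*/, "") }                        # trailing comment
        $1 == key {
            out = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue          # skip [action] tokens
                if (out != "") out = out " "
                out = out $i
            }
            print out
            exit
        }' "$1"
}

# Exit status 0 when ldap is among the shadow: sources, 1 otherwise.
shadow_uses_ldap() {   # shadow_uses_ldap FILE
    case " $(nss_sources "$1" shadow) " in
        *" ldap "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Remove ldap from the shadow: line only, keeping a backup in FILE.bak.
# Every other line, including passwd: and group:, is copied through as is.
drop_ldap_from_shadow() {   # drop_ldap_from_shadow FILE
    cp -p "$1" "$1.bak" &&
    awk '
        /^[ \t]*#/ || $1 != "shadow:" { print; next }
        {
            sub(/[ \t]+ldap[ \t]+/, " ")          # ldap in the middle of the list
            sub(/[ \t]+ldap[ \t]*$/, "")          # ldap at the end of the list
            print
        }' "$1.bak" > "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
conf="$tmp/nsswitch.conf"

# Constructed sample in the broken state the article describes.
cat > "$conf" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns
netgroup:   files ldap [NOTFOUND=return]
EOF

if shadow_uses_ldap "$conf"; then
    echo "shadow: currently resolves via [$(nss_sources "$conf" shadow)] -- removing ldap"
    drop_ldap_from_shadow "$conf"
fi
echo "shadow: now resolves via [$(nss_sources "$conf" shadow)]"
```

The rewrite touches only a line whose first field is exactly "shadow:", so a file that uses a different layout (for example no space after the colon) is left untouched and should be fixed by hand.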

Root Cause

Listing ldap as a source on the shadow: entry of /etc/nsswitch.conf can cause the host-based access check to be bypassed, so that logins always succeed:

[root@server1 ~]# cat /etc/nsswitch.conf
passwd:     files ldap
group:      files ldap
shadow:     files ldap
...

If a local account exists with the same username as the LDAP account, pam_unix.so obtains a valid account entry for that user through the Name Service Switch (NSS). That satisfies the PAM account check independently of pam_ldap.so, so the host restriction configured in /etc/pam_ldap.conf is effectively overridden. Compare the local /etc/shadow entry shown in diagnostic step 2 below.

Diagnostic Steps

1) Check that the expected host restriction is present on the LDAP account:

[root@server1 ~]# ldapsearch -b uid=user001,ou=People,dc=example,dc=com -LLL -H ldap://server1.example.com/ -D cn=binduser,dc=example,dc=com -W
Enter LDAP Password:
dn: uid=user001,ou=People,dc=example,dc=com
uid: user001
cn: User 001
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 1024
gidNumber: 1024
homeDirectory: /home/user001
gecos: User 001
host: server2.example.com      <----- user001 should only be able to access server2.example.com

For more information on using the pam_check_host_attr option, see the following article: "When using LDAP authentication, how can user access be restricted on the basis of host names?"

2) Check whether the LDAP users who are incorrectly allowed access to restricted machines also have a local account on the machine, for example in /etc/shadow:

[root@server1 ~]# grep user001 /etc/shadow
user001:$6$PCSQh6Q4B7H2zkZ2$PpiAkwWEomXqWWy3tdBYVC.aCh9e2.gRrPJfqJjXMD1shi.SGi5hCvD6SWFyKM0uBUEqCrP5HAEGYQhc50/4D1:17123:0:99999:7:::
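As an added example (not from this solution), the script below automates both diagnostic steps offline: it reads an LDIF dump in the shape of the ldapsearch -LLL output in step 1, lists every account whose host attribute does not name the local machine, and then reports which of those accounts also exist in a passwd(5)-format file, i.e. the accounts that the local NSS lookup would admit despite the restriction. The LDIF and passwd contents are constructed samples (user002, user003 and the local passwd file are made up; user001 and the server names are taken from the article), attribute values are assumed to be plain (not base64 ":: " or line-folded), and host values are compared as exact strings against the name you pass in.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: offline audit of LDAP host
# restrictions against local accounts. All sample data below is constructed.

# Print the uid of every LDIF entry whose host attribute values do not
# include HOST. Entries with no host attribute at all are reported too,
# since they are not permitted anywhere when pam_check_host_attr is yes.
# Assumes plain "attr: value" lines, no base64 ("::") or folded lines.
users_not_allowed_on() {   # users_not_allowed_on LDIF HOST
    awk -v host="$2" '
        function emit() { if (uid != "" && !ok) print uid; uid = ""; ok = 0 }
        /^[ \t]*$/ { emit(); next }                  # blank line ends an entry
        /^uid: /   { uid = substr($0, 6); next }
        /^host: /  { if (substr($0, 7) == host) ok = 1; next }
        END        { emit() }' "$1"
}

# Read uids on stdin and print those that also appear in a passwd(5)-format
# file, in the order they occur in that file.
local_collisions() {   # users_not_allowed_on ... | local_collisions PASSWD_FILE
    awk -F: 'NR == FNR { want[$1] = 1; next }
             ($1 in want) { print $1 }' - "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
ldif="$tmp/people.ldif"
pwfile="$tmp/passwd"

# Constructed LDIF: user001 is restricted to server2 (as in the article);
# user002 is restricted to server1; user003 carries no host attribute.
cat > "$ldif" <<'EOF'
dn: uid=user001,ou=People,dc=example,dc=com
uid: user001
objectClass: posixAccount
uidNumber: 1024
host: server2.example.com

dn: uid=user002,ou=People,dc=example,dc=com
uid: user002
objectClass: posixAccount
uidNumber: 1025
host: server1.example.com

dn: uid=user003,ou=People,dc=example,dc=com
uid: user003
objectClass: posixAccount
uidNumber: 1026
EOF

# Constructed local passwd file for server1: user001 collides with LDAP.
cat > "$pwfile" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user001:x:1024:1024:User 001:/home/user001:/bin/bash
user002:x:1025:1025:User 002:/home/user002:/bin/bash
EOF

this_host=server1.example.com   # use "$(hostname -f)" on a real system
echo "LDAP accounts not permitted on $this_host:"
users_not_allowed_on "$ldif" "$this_host"
echo "...of which these also exist locally and would bypass the check:"
users_not_allowed_on "$ldif" "$this_host" | local_collisions "$pwfile"
```

On a real system, feed it the output of the ldapsearch command from step 1 (run against ou=People rather than a single uid) and /etc/passwd; any account the second list prints should be removed locally or have its host attribute corrected.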

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
