Bug #4151

ldapclient allows expired user accounts to log in when enableShadowUpdate is not true

Added by Lauri Tirkkonen about 7 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Start date: 2013-09-20
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
Description

If ldapclient is not configured with enableShadowUpdate=true, the pam_ldap account module will apparently not check shadowExpire upon login and thus allows expired accounts access.

Can be reproduced using the following user (note that shadowExpire is in the past) and ldap configuration:

# ldaplist -l passwd testuser
dn: uid=testuser,ou=People,dc=niksula,dc=hut,dc=fi
        uid: testuser
        cn: Veijo Testi
        objectClass: account
        objectClass: posixAccount
        objectClass: top
        objectClass: shadowAccount
        shadowWarning: 25
        shadowExpire: 15614
        loginShell: /bin/tcsh
        shadowInactive: 0
        shadowMax: 180
        gidNumber: 500
        uidNumber: 10229
        homeDirectory: /home/testuser
        shadowLastChange: 15968
        shadowFlag: 0
        gecos: Veijo Testi
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
#(NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD edited out)
NS_LDAP_SERVERS= ldap1.niksula.hut.fi, ldap2.niksula.hut.fi
NS_LDAP_SEARCH_BASEDN= dc=niksula,dc=hut,dc=fi
NS_LDAP_AUTH= tls:simple
NS_LDAP_CACHETTL= 43200
NS_LDAP_ATTRIBUTEMAP= shadow:shadowexpire=shadowExpire
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn

After enabling shadow update it works as it should (the admin DN and password must be set to configure it thus, but need not be valid if the shadow attributes in question are readable to the proxyDN user).

[ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[17] while authorizing: User account has expired
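As an added example (not part of the bug report or of the illumos/pam_ldap code), the following audit script parses ldaplist -l style output and classifies each shadowAccount entry the way the account module should, so an administrator can list accounts whose shadowExpire or password age has already passed and confirm they are denied regardless of the enableShadowUpdate setting. The sample entry is the one quoted above; the day arithmetic follows shadow(5) (days since 1970-01-01) and the script assumes, conservatively, that today >= shadowExpire counts as expired.

```python
import datetime

# Constructed sample input: the 'ldaplist -l passwd testuser' entry quoted in this report.
SAMPLE = """\
dn: uid=testuser,ou=People,dc=niksula,dc=hut,dc=fi
        uid: testuser
        cn: Veijo Testi
        objectClass: shadowAccount
        shadowExpire: 15614
        shadowInactive: 0
        shadowMax: 180
        shadowLastChange: 15968
"""

def parse_ldaplist(text):
    """Parse 'ldaplist -l' output into one {attribute: [values]} dict per dn."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            cur = {"dn": [value.strip()]}
            entries.append(cur)
        elif cur is not None:
            cur.setdefault(attr, []).append(value.strip())
    return entries

def days_since_epoch(iso_date):
    """shadow(5) stores dates as days since 1970-01-01; convert an ISO date to that."""
    return (datetime.date.fromisoformat(iso_date) - datetime.date(1970, 1, 1)).days

def shadow_status(entry, today_days):
    """Classify one entry as an account module should. Assumption: today >= shadowExpire
    is treated as expired (the conservative reading for an audit); shadowExpire absent,
    empty, 0 or -1 means the account never expires, and shadowMax < 0 means no maximum."""
    expire = int(entry.get("shadowExpire", ["-1"])[0] or -1)
    if expire > 0 and today_days >= expire:
        return "expired"
    last = int(entry.get("shadowLastChange", ["0"])[0] or 0)
    maxdays = int(entry.get("shadowMax", ["-1"])[0] or -1)
    if maxdays >= 0 and today_days > last + maxdays:
        return "password-expired"
    return "ok"

def audit(text, today_iso):
    """Return (uid, status) for every shadowAccount entry in the given ldaplist output."""
    today = days_since_epoch(today_iso)
    return [(e["uid"][0], shadow_status(e, today))
            for e in parse_ldaplist(text) if "shadowAccount" in e.get("objectClass", [])]

if __name__ == "__main__":
    print(audit(SAMPLE, "2013-09-20"))
```

Run against real output of ldaplist -l passwd (no user argument) to get the status of every directory account; shadowExpire 15614 corresponds to 2012-10-01, which is why the sample entry is reported as expired on the report's start date.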
