Bug #4151
ldapclient allows expired user accounts to log in when enableShadowUpdate is not true
Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Start date:
2013-09-20
Due date:
% Done:
0%
Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:
Description
If ldapclient is not configured with enableShadowUpdate=true, pam_ldap account module will apparently not check shadowExpire upon login and thus allow expired accounts access.
Can be reproduced using the following user (note that shadowExpire is in the past) and ldap configuration:
# ldaplist -l passwd testuser
dn: uid=testuser,ou=People,dc=niksula,dc=hut,dc=fi
uid: testuser
cn: Veijo Testi
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowWarning: 25
shadowExpire: 15614
loginShell: /bin/tcsh
shadowInactive: 0
shadowMax: 180
gidNumber: 500
uidNumber: 10229
homeDirectory: /home/testuser
shadowLastChange: 15968
shadowFlag: 0
gecos: Veijo Testi
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
#(NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD edited out)
NS_LDAP_SERVERS= ldap1.niksula.hut.fi, ldap2.niksula.hut.fi
NS_LDAP_SEARCH_BASEDN= dc=niksula,dc=hut,dc=fi
NS_LDAP_AUTH= tls:simple
NS_LDAP_CACHETTL= 43200
NS_LDAP_ATTRIBUTEMAP= shadow:shadowexpire=shadowExpire
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
After enabling shadow update it works as it should (admin DN and password must be set to configure it thus, but need not be valid if the shadow attributes in question are readable to the proxyDN user)
[ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[17] while authorizing: User account has expired