Bug #4151
openldapclient allows expired user accounts to log in when enableShadowUpdate is not true
Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Start date:
2013-09-20
Due date:
% Done:
0%
Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:
Description
If ldapclient is not configured with enableShadowUpdate=true, the pam_ldap account module apparently does not check shadowExpire at login and thus allows expired accounts access.
Can be reproduced using the following user (note that shadowExpire is in the past) and ldap configuration:
# ldaplist -l passwd testuser
dn: uid=testuser,ou=People,dc=niksula,dc=hut,dc=fi
        uid: testuser
        cn: Veijo Testi
        objectClass: account
        objectClass: posixAccount
        objectClass: top
        objectClass: shadowAccount
        shadowWarning: 25
        shadowExpire: 15614
        loginShell: /bin/tcsh
        shadowInactive: 0
        shadowMax: 180
        gidNumber: 500
        uidNumber: 10229
        homeDirectory: /home/testuser
        shadowLastChange: 15968
        shadowFlag: 0
        gecos: Veijo Testi

# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
#(NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD edited out)
NS_LDAP_SERVERS= ldap1.niksula.hut.fi, ldap2.niksula.hut.fi
NS_LDAP_SEARCH_BASEDN= dc=niksula,dc=hut,dc=fi
NS_LDAP_AUTH= tls:simple
NS_LDAP_CACHETTL= 43200
NS_LDAP_ATTRIBUTEMAP= shadow:shadowexpire=shadowExpire
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
After enabling shadow update it works as it should (admin DN and password must be set to configure it thus, but need not be valid if the shadow attributes in question are readable to the proxyDN user):
[ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[17] while authorizing: User account has expired
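As an added illustration of the check the account module is skipping here (example code, not from this report or from the illumos/pam_ldap sources), the script below parses the testuser entry above and applies the shadow(5) day-count comparison; an administrator can run the same logic over a directory export to find entries that are past shadowExpire but would still be let in. The sample entry is reconstructed from the report; treating today >= shadowExpire as expired is an assumption about the boundary, and shadowInactive/shadowFlag are deliberately not evaluated.

```python
from datetime import date, datetime, timezone

# Constructed sample: the shadowAccount attributes of testuser from this report.
SAMPLE_ENTRY = """\
dn: uid=testuser,ou=People,dc=niksula,dc=hut,dc=fi
uid: testuser
objectClass: shadowAccount
shadowWarning: 25
shadowExpire: 15614
shadowInactive: 0
shadowMax: 180
shadowLastChange: 15968
shadowFlag: 0
"""


def parse_entry(text):
    """Parse 'attr: value' lines into a dict of value lists (multi-valued safe)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def days_since_epoch(when=None):
    """shadow(5) stores shadowExpire/shadowLastChange as days since 1970-01-01 (UTC)."""
    d = when or datetime.now(timezone.utc).date()
    return (d - date(1970, 1, 1)).days


def account_status(entry, today_days):
    """Return (ok, reason) after the account-expiry and password-age checks.

    Assumption: the account is expired once today's day count reaches
    shadowExpire; a value <= 0 means no expiry, following shadow(5).
    """
    expire = int(entry.get("shadowExpire", ["-1"])[0])
    if expire > 0 and today_days >= expire:
        return False, "account expired (shadowExpire=%d, today=%d)" % (expire, today_days)
    last = int(entry.get("shadowLastChange", ["-1"])[0])
    maxdays = int(entry.get("shadowMax", ["-1"])[0])
    if last >= 0 and maxdays >= 0 and today_days > last + maxdays:
        return False, "password expired (shadowLastChange+shadowMax=%d)" % (last + maxdays)
    return True, "ok"
```

With today taken as the report date (day 15968), testuser is reported as expired, which is the outcome the log line above shows once shadow update is enabled.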