libnss_ldap

[Andy Rabagliati]

On Wed, 05 Apr 2006, Jerry Haltom wrote:

> If you're using pam_unix to handle LDAP, you probably have a pretty
> badly secured configuration. Means you are exposing shadow passwords
> into each hosts NSS shadow table.
> 
> Those passwords should never leave the LDAP server, and the only way to
> do that is to use pam_ldap or pam_krb5.
> 
> On Wed, 2006-04-05 at 17:47 +0200, Andy Rabagliati wrote:
> > 
> > I do not think libpam-ldap is important - pam_unix has handled ldap for
> > a long time without help.

I am not sure what a "hosts NSS shadow table" is, but this is my setup :-

fresh server install (from edubuntu Flight 5)

aptitude install xubuntu		# looks beautiful, thanks, guys!

aptitude install ldap-utils openssh-server
	[ libldap installed for dependencies ]

I now enable universe repository.

aptitude install libnss-ldap
	[ libpam-ldap nscd installed for dependencies ]

I have an account andyr in /etc/passwd. I configure ubuntu to look at
my LDAP server, where I have a user bill.

/etc/nsswitch.conf edited to have "files ldap" where it used to say "compat".
***no changes to anything in /etc/pam.d/*

bill can log in via ssh, warnings about a missing home directory.

Now, "# dpkg -r libpam-ldap" - and reboot.

%  dpkg -l | grep ^i | grep ldap
ii  ldap-utils                             2.2.26-5ubuntu1                     OpenLDAP utilities
ii  libldap-2.2-7                          2.2.26-5ubuntu1                     OpenLDAP libraries
ii  libldap2                               2.1.30-12ubuntu3                    OpenLDAP libraries
ii  libnss-ldap                            238-1.1ubuntu1                      NSS module for using LDAP as a naming servic

"# grep bill /etc/*" returns nothing.
"# grep ldap /etc/security/*" returns nothing.

User bill can still log in. A debug trace on my ldap server
( /usr/sbin/slapd -d7 ) verifies that ldap is being consulted.

Where is my security snafu ?

Cheers,     Andy!