Bug#607366: libpam-ldap: binddn password saved in world visible file

2010-12-17 Thread Rafael Cunha de Almeida
Package: libpam-ldap
Version: 184-8.5
Severity: normal

I used debconf to configure this package and, after telling it binddn would be
needed, the password got saved in the /etc/pam_ldap.conf file, which is world
readable by default. The only way to access our ldap database is authenticating
with binddn. If I change the permissions of pam_ldap.conf to 600 it doesn't work
either.

Perhaps it's a misunderstanding on my part. Is that password meant to be public
like that? It strikes me as strange; however, I couldn't find much info on the
package, and I'm not even sure who the upstream is. By reading
/usr/share/doc/libpam-ldap/README.gz I think it's http://www.padl.com. So I
suggest you add the Homepage control field to your package. Anyhow, I couldn't
find much information regarding my concerns there.


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-ldap depends on:
ii  debconf [debconf-2.0]  1.5.36     Debian configuration management sy
ii  libc6                  2.11.2-7   Embedded GNU C Library: Shared lib
ii  libldap-2.4-2          2.4.23-7   OpenLDAP libraries
ii  libpam-runtime         1.1.1-6.1  Runtime support for the PAM librar
ii  libpam0g               1.1.1-6.1  Pluggable Authentication Modules l

libpam-ldap recommends no packages.

Versions of packages libpam-ldap suggests:
ii  libnss-ldap            264-2.2    NSS module for using LDAP as a nam

-- debconf information:
* shared/ldapns/base-dn: dc=,dc=xx
  libpam-ldap/override: true
* shared/ldapns/ldap_version: 3
* libpam-ldap/dblogin: true
* shared/ldapns/ldap-server: ldap://undisclosed/
* libpam-ldap/pam_password: crypt
* libpam-ldap/binddn: cn=xxx,ou=xxx,dc=,dc=xx
* libpam-ldap/rootbinddn: cn=manager,dc=example,dc=net
* libpam-ldap/dbrootlogin: false






Bug#607366: libpam-ldap: binddn password saved in world visible file

2010-12-17 Thread Arthur de Jong
On Fri, 2010-12-17 at 11:50 -0200, Rafael Cunha de Almeida wrote:
> I used debconf to configure this package and, after telling it binddn
> would be needed, the password got saved in /etc/pam_ldap.conf file,
> which is world readable by default. The only way to access our ldap
> database is authenticating with binddn. If I change permission of
> pam_ldap.conf to 600 it doesn't work either.

Since PAM modules may not always run as root, the LDAP configuration
needs to be world readable in many configurations. For most logins
setting it to 600 should work though.

Alternatively, you could give libpam-ldapd a try. It uses a separate
local daemon (nslcd) to handle the connection to the LDAP server. The
configuration file is not world readable by default. The daemon also
provides NSS functionality (use libnss-ldapd for that).

The libpam-ldapd package should provide most functionality that
libpam-ldap also provides. The most notable exception is that only one
password changing mechanism is currently supported.

> I couldn't find much info on the package, I'm not sure even who's the
> upstream. By reading /usr/share/doc/libpam-ldap/README.gz I think it's
> http://www.padl.com. So I suggest you add the Homepage control field
> to your package. Anyhow, I couldn't find much information regarding my
> concerns there.

That is indeed the upstream for this package. Since a lot of these
things depend on details of the configuration, information is a bit
scattered. You could have a look at http://wiki.debian.org/LDAP though.

Hope this helps.

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --


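The exposure discussed in this thread is easy to audit for: a pam_ldap config that both carries a bind password and is readable by group or others. The helper below is an added example, not part of the bug report or of the libpam-ldap package; it assumes the pam_ldap key name `bindpw` for the password line and uses GNU `stat -c` with a BSD `stat -f` fallback.

```shell
#!/bin/sh
# Audit helper (added example, not from the bug report or libpam-ldap itself).
# Reports when a pam_ldap-style config contains a bind password ("bindpw" is
# the pam_ldap key name; assumption noted above) and is readable by anyone
# other than the owner. Exit status: 0 = no exposed password, 1 = password
# exposed, 2 = file missing.

check_pam_ldap_conf() {
    conf="${1:-/etc/pam_ldap.conf}"
    [ -f "$conf" ] || { echo "missing: $conf"; return 2; }

    # An absent or commented-out bindpw line means no credential on disk here.
    if ! grep -Eq '^[[:space:]]*bindpw[[:space:]]+[^[:space:]]' "$conf"; then
        echo "ok: $conf has no bindpw entry"
        return 0
    fi

    # Octal permission bits: GNU stat first, BSD stat as the fallback.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%OLp' "$conf")
    mode=$(printf '%s' "$mode" | tail -c 3)          # last three digits only
    group_other=$(printf '%s' "$mode" | cut -c2-3)   # group and other bits

    if [ "$group_other" != "00" ]; then
        echo "EXPOSED: $conf is mode $mode and contains a bindpw line"
        return 1
    fi
    echo "ok: $conf is mode $mode (bindpw readable by owner only)"
    return 0
}
```

As the reply above notes, tightening the file to 600 can break PAM consumers that do not run as root, so the check only reports the exposure; the fix is a site decision (mode 600 where logins still work, or moving to nslcd via libpam-ldapd).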