Issue 5521 - BUG - Pam PTA multiple issues

Bug Description: Pam PTA and the lib389 cli had numerous issues that were affecting administration and configuration. Fix Description: This fixes many issues: * add pam-[enable,disable,show] seperate to pta enable. We can't combine these into one because they are seperate plugins. They also still needs ways to enable them outside of the direct config attribute manipulation. * Make pamMissingSuffix return a default of IGNORE on NONE. This is because many of the current tools don't actually set this value and it can block server restarts. * pamSecure would not warn properly on lack of TLS connections which can trick users into thinking the plugin is not working. fixes: #5521 Author: William Brown <william@blackhats.net.au> Review by: @mreynolds389 @droideck (Thanks!)
389ds · Dec 6, 2022 · 6576bd5 · 6576bd5
1 parent 124dd4d
commit 6576bd5
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 26 deletions.
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptconfig.c b/ldap/servers/plugins/pam_passthru/pam_ptconfig.c
@@ -195,12 +195,12 @@ static int
 missing_suffix_to_int(char *missing_suffix)
 {
     int retval = -1; /* -1 is error */
-    if (!PL_strcasecmp(missing_suffix, PAMPT_MISSING_SUFFIX_ERROR_STRING)) {
-        retval = PAMPT_MISSING_SUFFIX_ERROR;
+    if (missing_suffix == NULL || !PL_strcasecmp(missing_suffix, PAMPT_MISSING_SUFFIX_IGNORE_STRING)) {
+        retval = PAMPT_MISSING_SUFFIX_IGNORE;
     } else if (!PL_strcasecmp(missing_suffix, PAMPT_MISSING_SUFFIX_ALLOW_STRING)) {
         retval = PAMPT_MISSING_SUFFIX_ALLOW;
-    } else if (!PL_strcasecmp(missing_suffix, PAMPT_MISSING_SUFFIX_IGNORE_STRING)) {
-        retval = PAMPT_MISSING_SUFFIX_IGNORE;
+    } else if (!PL_strcasecmp(missing_suffix, PAMPT_MISSING_SUFFIX_ERROR_STRING)) {
+        retval = PAMPT_MISSING_SUFFIX_ERROR;
     }
 
     return retval;

diff --git a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
@@ -462,8 +462,8 @@ pam_passthru_bindpreop(Slapi_PBlock *pb)
         int is_ssl = 0;
         slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl);
         if (!is_ssl) {
-            slapi_log_err(SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
-                          "pam_passthru_bindpreop - Connection not secure (secure connection required; check config)\n");
+            slapi_log_err(SLAPI_LOG_WARNING, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
+                          "pam_passthru_bindpreop - Client connection not secure and pamSecure is true (missing LDAPS)\n");
             goto done;
         }
     }

diff --git a/src/lib389/lib389/cli_conf/plugins/passthroughauth.py b/src/lib389/lib389/cli_conf/plugins/passthroughauth.py
@@ -11,7 +11,7 @@
 from lib389.plugins import (PassThroughAuthenticationPlugin, PAMPassThroughAuthPlugin,
                             PAMPassThroughAuthConfigs, PAMPassThroughAuthConfig)
 
-from lib389.cli_conf import add_generic_plugin_parsers, generic_object_edit, generic_object_add
+from lib389.cli_conf import add_generic_plugin_parsers, generic_object_edit, generic_object_add, generic_show, generic_enable, generic_disable, generic_status
 
 arg_to_attr_pam = {
     'exclude_suffix': 'pamExcludeSuffix',
@@ -234,8 +234,9 @@ def _add_parser_args_pam(parser):
 def create_parser(subparsers):
     passthroughauth_parser = subparsers.add_parser('pass-through-auth',
                                                    help='Manage and configure Pass-Through Authentication plugins '
-                                                        '(URLs and PAM)')
+                                                        '(LDAP URLs and PAM)')
     subcommands = passthroughauth_parser.add_subparsers(help='action')
+
     add_generic_plugin_parsers(subcommands, PassThroughAuthenticationPlugin)
 
     enable = subcommands.add_parser('enable', help='Enable the pass through authentication plugins')
@@ -244,14 +245,14 @@ def create_parser(subparsers):
     disable = subcommands.add_parser('disable', help='Disable the pass through authentication plugins')
     disable.set_defaults(func=disable_plugins)
 
-    list = subcommands.add_parser('list', help='List pass-though plugin URLs or PAM configurations')
+    list = subcommands.add_parser('list', help='List pass-though plugin LDAP URLs or PAM configurations')
     subcommands_list = list.add_subparsers(help='action')
-    list_urls = subcommands_list.add_parser('urls', help='Lists URLs')
+    list_urls = subcommands_list.add_parser('urls', help='Lists LDAP URLs')
     list_urls.set_defaults(func=pta_list)
     list_pam = subcommands_list.add_parser('pam-configs', help='Lists PAM configurations')
     list_pam.set_defaults(func=pam_pta_list)
 
-    url = subcommands.add_parser('url', help='Manage PTA URL configurations')
+    url = subcommands.add_parser('url', help='Manage PTA LDAP URL configurations')
     subcommands_url = url.add_subparsers(help='action')
 
     add_url = subcommands_url.add_parser('add', help='Add the config entry')
@@ -273,6 +274,19 @@ def create_parser(subparsers):
     delete_url.add_argument('URL', help='The full LDAP URL you get from the "list" command')
     delete_url.set_defaults(func=pta_del)
 
+    # Pam PTA and PTA are not the same plugin! We need to enable and control them seperately!
+    show_parser = subcommands.add_parser('pam-show', help='Displays the plugin configuration')
+    show_parser.set_defaults(func=generic_show, plugin_cls=PAMPassThroughAuthPlugin)
+
+    enable_parser = subcommands.add_parser('pam-enable', help='Enables the plugin')
+    enable_parser.set_defaults(func=generic_enable, plugin_cls=PAMPassThroughAuthPlugin)
+
+    disable_parser = subcommands.add_parser('pam-disable', help='Disables the plugin')
+    disable_parser.set_defaults(func=generic_disable, plugin_cls=PAMPassThroughAuthPlugin)
+
+    status_parser = subcommands.add_parser('pam-status', help='Displays the plugin status')
+    status_parser.set_defaults(func=generic_status, plugin_cls=PAMPassThroughAuthPlugin)
+
     pam = subcommands.add_parser('pam-config', help='Manage PAM PTA configurations.')
     pam.add_argument('NAME', help='The PAM PTA configuration name')
     subcommands_pam = pam.add_subparsers(help='action')

diff --git a/src/lib389/lib389/plugins.py b/src/lib389/lib389/plugins.py
@@ -1491,7 +1491,7 @@ def __init__(self, instance, dn="cn=PAM Pass Through Auth,cn=plugins,cn=config")
         super(PAMPassThroughAuthPlugin, self).__init__(instance, dn)
 
 
-class PAMPassThroughAuthConfig(Plugin):
+class PAMPassThroughAuthConfig(DSLdapObject):
     """A single instance of PAM Pass Through Auth config entry
 
     :param instance: An instance
@@ -1500,24 +1500,11 @@ class PAMPassThroughAuthConfig(Plugin):
     :type dn: str
     """
 
-    _plugin_properties = {
-        'cn' : 'USN',
-        'nsslapd-pluginEnabled': 'off',
-        'nsslapd-pluginPath': 'libpam-passthru-plugin',
-        'nsslapd-pluginInitfunc': 'pam_passthruauth_init',
-        'nsslapd-pluginType': 'betxnpreoperation',
-        'nsslapd-plugin-depends-on-type': 'database',
-        'nsslapd-pluginId': 'PAM',
-        'nsslapd-pluginVendor': '389 Project',
-        'nsslapd-pluginVersion': '1.3.7.0',
-        'nsslapd-pluginDescription': 'PAM Pass Through Auth plugin'
-    }
-
     def __init__(self, instance, dn=None):
         super(PAMPassThroughAuthConfig, self).__init__(instance, dn)
         self._rdn_attribute = 'cn'
         self._must_attributes = ['cn']
-        self._create_objectclasses = ['top', 'extensibleObject', 'nsslapdplugin', 'pamConfig']
+        self._create_objectclasses = ['top', 'extensibleObject', 'pamConfig']
         self._protected = False