Pam Pass Through - Multiple issues in setup/config #5521
Labels
needs triage
The issue will be triaged during scrum
Comments
Firstyear
added a commit
to Firstyear/389-ds-base
that referenced
this issue
Dec 6, 2022
Bug Description: Pam PTA and the lib389 cli had numerous issues that were affecting administration and configuration.

Fix Description: This fixes many issues:
* add pam-[enable,disable,show] separate to pta enable. We can't combine these into one because they are separate plugins. They also still need ways to enable them outside of the direct config attribute manipulation.
* Make pamMissingSuffix return a default of IGNORE on NONE. This is because many of the current tools don't actually set this value and it can block server restarts.
* pamSecure would not warn properly on lack of TLS connections which can trick users into thinking the plugin is not working.

fixes: 389ds#5521
Author: William Brown <william@blackhats.net.au>
Review by: @mreynolds389 @droideck (Thanks!)
Firstyear
added a commit
to Firstyear/389-ds-base
that referenced
this issue
Dec 6, 2022
Bug Description: The pass through auth cli previously was a "merge" of both ldap pass through and pam pass through. These two do not share any commonality, and actually conflict with each other. This caused a lot of confusion, especially in documentation where it wasn't clear how to use either feature as a result.

Fix Description: Split the cli into two separate plugins with their own config domains. This clarifies the situation for users, and makes it far easier to configure the various pass through layers.

fixes: 389ds#5521
Author: William Brown <william@blackhats.net.au>
Review by: @mreynolds389 @droideck (Thanks!)
mreynolds389
added a commit
to mreynolds389/389-ds-base
that referenced
this issue
Jan 5, 2023
… auth Description: Previously PAM and LDAP pass thru auth plugins were merged. This change separates them into their own plugins in the UI. Also improved memory reporting in monitor tab. relates: 389ds#5521 Reviewed by: spichugi(Thanks!)
lab-at-nohl
pushed a commit
to lab-at-nohl/cockpit-389-ds-containerproxy
that referenced
this issue
May 9, 2024
… auth Description: Previously PAM and LDAP pass thru auth plugins were merged. This change separates them into their own plugins in the UI. Also improved memory reporting in monitor tab. relates: 389ds/389-ds-base#5521 Reviewed by: spichugi(Thanks!)
Setting up Pam Pass Through in its current form is extremely rocky as a setup process.
-- rh docs list wrong plugin name.
PAM Pass-Through Auth Plugin
PAM Pass Through Auth
-- dsconf enables the wrong plugin
dsconf localhost plugin pass-through-auth enable
Enables dn: cn=Pass Through Authentication,cn=plugins,cn=config not cn=PAM Pass Through Auth,cn=plugins,cn=config
-- pamMissingSuffix requires a value by default, will be accepted during run time and cause server to fail to start
[11/Nov/2022:11:50:21.048486118 +1000] - ERR - pam_passthru-plugin - pam_passthru_validate_config - Valid values for pamMissingSuffix are ERROR, ALLOW, IGNORE
-- pamSecure when required only emits a plugin trace warn not an error.
[11/Nov/2022:13:35:40.318908742 +1000] - DEBUG - pam_passthru-plugin - pam_passthru_bindpreop - Connection not secure (secure connection required; check config)
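A pre-restart check for the misconfigurations reported above, as an added example that is not part of the original report or of 389-ds/lib389. It assumes an LDIF export of cn=config from a server without the fix referenced on this page, that plugin state is carried in nsslapd-pluginEnabled, and that the PAM settings sit on the plugin entry or below it; parse_ldif and audit are hypothetical names.

```python
import re

# DNs, attribute names and valid values are the ones quoted in the issue.
PAM_DN = "cn=pam pass through auth,cn=plugins,cn=config"
LDAP_DN = "cn=pass through authentication,cn=plugins,cn=config"
VALID_MISSING_SUFFIX = {"ERROR", "ALLOW", "IGNORE"}

def parse_ldif(text):
    """Minimal LDIF reader (no line folding or base64): one dict per entry."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def audit(entries):
    # Assumption: PAM settings sit on the plugin entry or on an entry below it.
    def enabled(dn):
        return entries.get(dn, {}).get("nsslapd-pluginenabled", ["off"])[0].lower() == "on"
    findings = []
    if enabled(LDAP_DN) and not enabled(PAM_DN):
        findings.append("LDAP pass-through is enabled but PAM pass-through is not")
    for dn, attrs in entries.items():
        if not dn.endswith(PAM_DN) or not any(a.startswith("pam") for a in attrs):
            continue
        value = attrs.get("pammissingsuffix", [None])[0]
        if value not in VALID_MISSING_SUFFIX:  # strict match on the logged list
            findings.append(f"{dn}: pamMissingSuffix={value!r} is not ERROR, ALLOW or IGNORE")
        if attrs.get("pamsecure", ["FALSE"])[0].upper() == "TRUE":
            findings.append(f"{dn}: pamSecure is TRUE, non-TLS binds fail with only a DEBUG log line")
    return findings

# Constructed sample export of cn=config (not taken from a real server).
SAMPLE = """\
dn: cn=Pass Through Authentication,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
nsslapd-pluginEnabled: off
pamSecure: TRUE
"""

if __name__ == "__main__":
    for finding in audit(parse_ldif(SAMPLE)):
        print(finding)
```

Run against the constructed sample, it reports all three conditions from the issue: the LDAP plugin enabled in place of the PAM one, an unset pamMissingSuffix, and pamSecure set to TRUE.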