
My question is similar to this. I use pam_ldap for user auth. My /etc/nsswitch.conf file contains:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

All seems to be OK, but I need to hide password hashes of LDAP users in getent passwd output.

  1. I have read man 5 pam_ldap and didn't find any useful parameter for the /etc/ldap.conf file.
  2. I read about sssd and nslcd and found the enumerate option. It is useful, but I don't want to install any of these services for now.

Is it possible to hide password hashes if I use pam_ldap?


Example of user tester:

dn: cn=tester,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: top
objectClass: posixAccount
cn: tester
gidNumber: 10000
homeDirectory: /home/tester
sn: Tester
uid: tester
uidNumber: 10000
loginShell: /bin/bash
userPassword: {CRYPT}$1$......

My openldap access configuration:

access to attrs=userPassword
        by self write
        by anonymous auth
        by users none

access to * by * read

My pam_ldap configuration:

uri     ldap://my_host
base    dc=example,dc=org
binddn  cn=admin,dc=example,dc=org
bindpw  myPass
ldap_version    3
port    389
scope   one
timelimit       30
bind_timelimit  10
bind_policy     soft
nss_connect_policy      persist
idle_timelimit  3600
nss_paged_results       yes
pagesize        1000
pam_filter      objectclass=posixAccount
pam_login_attribute     uid
pam_lookup_policy       yes
pam_password    md5
nss_initgroups_ignoreusers      root
nss_schema      rfc2307bis
nss_base_passwd ou=users,dc=example,dc=org?one
nss_base_shadow ou=users,dc=example,dc=org?one
nss_base_group  ou=groups,dc=example,dc=org?sub
ssl     no
TLS_REQCERT     allow
  • I don't think that pam_ldap is responsible for this, but your LDAP setup. Can you post all the `objectClass` values of a sample user? My first guess would be that they don't have `objectClass: shadowAccount`. – stefan0xC Mar 27 '20 at 05:25
  • Also you might want to check your [access directive](https://www.openldap.org/doc/admin24/access-control.html) if non-root users can see the password. – stefan0xC Mar 27 '20 at 05:29
  • @Stefan I've just added additional information. Yes, the user account doesn't have `objectClass: shadowAccount`. – Yurij Goncharuk Mar 27 '20 at 08:55
  • What's your [pam_password](https://linux.die.net/man/5/pam_ldap) setting? With the `clear` and `exop` protocols the password should not be hashed on the client but rather sent to the LDAP server; with `crypt` the password is hashed locally. However, this setting affects only passwords that have been changed. – stefan0xC Mar 27 '20 at 15:56
  • @Stefan I've just added ldap_conf. – Yurij Goncharuk Mar 30 '20 at 12:46

1 Answer

Do not use ldap for the shadow map. This is not needed at all, because even the old pam_ldap can check the user's password via an LDAP simple bind request and thus does not need read access to a password hash.

Also consider using sssd or nss-pam-ldapd (also known as nslcd), because these decouple the LDAP connections from the processes using the PAM stack.
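A quick way to verify that the hashes are gone after applying the advice above, as an added example that is not part of the answer: the script parses `getent passwd` style lines and reports entries whose password field still carries a hash, and checks whether the `shadow:` map in nsswitch.conf still lists `ldap`. The sample lines are constructed; the hash values in them are placeholders, not real hashes.

```python
import re
from typing import List, Tuple

# Password-field values that carry no hash: shadowed (x), locked or disabled (*, !, !!), or empty.
PLACEHOLDERS = {"x", "*", "!", "!!", "", "*NP*", "NP"}

# Heuristics for a hash leaking into the passwd map: an RFC 2307 scheme prefix such as
# {CRYPT} or {SSHA}, a crypt(3) "$id$" prefix, or a 13-character traditional DES crypt string.
HASH_LIKE = re.compile(r"^(\{[A-Za-z0-9-]+\}|\$[0-9a-z]+\$|[./0-9A-Za-z]{13}$)")

# Constructed sample of `getent passwd` output: two local entries and two LDAP users
# rendered the way nss_ldap shows them when userPassword is readable by the bind DN.
SAMPLE_GETENT_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
    "tester:{CRYPT}$1$saltsalt$0123456789abcdefghijkl:10000:10000:tester:/home/tester:/bin/bash",
    "svc1:$6$saltsalt$0123456789abcdef:10001:10001:svc1:/home/svc1:/bin/bash",
]


def exposed_hashes(passwd_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, password_field) for passwd(5) entries whose second field looks like a hash."""
    leaks = []
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed passwd(5) record
        user, pw = fields[0], fields[1]
        if pw in PLACEHOLDERS:
            continue
        if HASH_LIKE.match(pw):
            leaks.append((user, pw))
    return leaks


def shadow_map_uses_ldap(nsswitch_text: str) -> bool:
    """True if the 'shadow:' line of nsswitch.conf lists the ldap source (comments are ignored)."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("shadow:"):
            sources = line.split(":", 1)[1].split()
            return "ldap" in sources
    return False


if __name__ == "__main__":
    for user, pw in exposed_hashes(SAMPLE_GETENT_PASSWD):
        print(f"hash exposed in passwd map for {user}: {pw[:12]}...")
    print("shadow map still uses ldap:", shadow_map_uses_ldap("passwd: files ldap\nshadow: files ldap\n"))
```

On a live system, feed it `getent passwd` output (`subprocess.run(["getent", "passwd"], ...)`) and the contents of /etc/nsswitch.conf instead of the constructed sample.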