LDAP session created with no password required

Bug #720401 reported by Greg Newton
This bug affects 2 people
Affects: nss-pam-ldapd (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned

Bug Description

I've been working on getting a small lab up and running on Ubuntu 10.10 using LDAP authentication. I'm using the stock versions found in the repos (e.g. nslcd v.0.7.6) and I've run into an interesting problem: ldap users can get a session on the machine without a password. That is, if a user exists in LDAP they can log in to the machine by hitting the return key when asked for a password; this does not work for local users, nor can you make up an ID and expect it to work. BTW, if you give it a wrong password, you can't get a session (as in you get an "LDAP authentication failed" message).

What I expected to happen: try to log in to a machine using LDAP authentication and get stopped when I provide bad credentials (e.g. good username, bad - or no - password).
What happened: on a lightly configured machine I can log in using a good username from LDAP and *no* password.
Security implications: if "user A" tries to log in with LDAP id "user B", "user A" can access all of the data stored on the local machine by "user B" - and they don't need a password to do it.

I can reliably replicate this problem (and have done at least 10 times in a VM):
1) apt-get install nslcd (libpam-ldapd, libnss-ldapd and nscd are dependencies, so they get installed as well)
2) during configuration, provide debconf with basic info about our LDAP setup (in my case connect to a SunLDAP server).
3) add config info to nslcd.conf to allow connections (in my case it needs a specific certificate, so I add tls_cacertfile /path/to/dot-pem-file)

The nsswitch.conf and nscd.conf files don't need to be edited at all, and the debconf configuration done by Ubuntu seems to be good enough to allow connections.

At this point I restart the machine and try to log in as an LDAP user. When asked for a password I hit [enter] and I get a session. This user has never used the machine before and is not a duplicate of a local username. The uid of the LDAP user is correct (that is, the uid is passed to the local machine by the LDAP server and is not locally assigned.)

As the LDAP user, I can su to any other LDAP ID without a password (just hit [enter] when asked for a password). I *cannot* su to a local user.

I've been in touch with the nslcd developer via the nss-pam-ldapd-users list (thread here: http://lists.arthurdejong.org/nss-pam-ldapd-users/2011/msg00026.html - includes debug info). His response suggests that newer versions of nslcd address this kind of problem directly (see thread), so I tried installing the 11.04 packages (v0.7.13) in my 10.10 test box, and I no longer have the problem.

It *appears* that newer releases (likely 0.7.7+) fix my problem. Is there any way to address this problem in Maverick?
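The behaviour reported above matches the LDAP "unauthenticated bind" rule (RFC 4513, section 5.1.2): a bind request carrying a name but an empty password is not an error, and many directory servers answer it with a successful, anonymous session. A PAM module that treats any successful bind as proof of identity therefore lets the empty password through, while a wrong password is correctly refused. The model below is an added illustration, not code from nss-pam-ldapd or from the reporter; the in-memory directory, the uid/password pairs and the base DN are constructed for the example.

```python
"""Model of how an empty password can pass an LDAP simple-bind PAM check.

Constructed example: DIRECTORY stands in for a directory server and no real
LDAP traffic is made. Passwords below are sample values, not real credentials.
"""
from dataclasses import dataclass

DIRECTORY = {"alice": "s3cret-a", "bob": "s3cret-b"}  # constructed uid -> password


@dataclass
class BindResult:
    success: bool
    # RFC 4513 5.1.2: a name plus an empty password is an *unauthenticated*
    # bind. Servers that allow it return success but grant only an anonymous
    # session; the name is never verified.
    anonymous: bool = False


def dn_for(uid: str) -> str:
    return f"uid={uid},ou=people,dc=example,dc=com"  # assumed base DN


def simple_bind(dn: str, password: str) -> BindResult:
    """Stand-in for a server-side LDAP simple bind following RFC 4513."""
    if password == "":
        return BindResult(True, anonymous=True)  # unauthenticated bind accepted
    uid = dn.split(",")[0].split("=", 1)[1]
    return BindResult(DIRECTORY.get(uid) == password)


def pam_auth_vulnerable(uid: str, password: str) -> bool:
    """Trusts the bind verdict alone: an existing user + empty password passes.

    The uid lookup mirrors the NSS step that resolves the user's DN first, which
    is why a made-up login name still fails even here."""
    if uid not in DIRECTORY:
        return False
    return simple_bind(dn_for(uid), password).success


def pam_auth_hardened(uid: str, password: str) -> bool:
    """Refuses empty passwords before binding and never accepts an anonymous bind."""
    if uid not in DIRECTORY:
        return False
    if not password:
        return False  # never send a bind that the server may treat as anonymous
    result = simple_bind(dn_for(uid), password)
    return result.success and not result.anonymous
```

The hardened variant is the shape of the fix that later nslcd releases apply: reject an empty password client-side before any bind is attempted, so the server's unauthenticated-bind policy no longer decides who gets a session.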

Greg Newton (gregster)
visibility: private → public
Changed in nss-pam-ldapd (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium