PAM with LDAPS breaks authentication via Policykit to Gnome applications as local administrator

Bug #892480 reported by Dave Koelmeyer on 2011-11-19
This bug affects 2 people
Affects: policykit-1 (Ubuntu); Importance: Undecided; Assigned to: Unassigned; Milestone: none

Bug Description

Hi,

1) Test system

My client is a fresh installation of Ubuntu 10.04 LTS x86. It has been fully patched.

libnss-ldap and dependencies have then been installed with Synaptic package manager using the local administrator account created during installation of Ubuntu.

/etc/ldap.conf has been modified to point to an OpenDJ v2.4.2 LDAP server running on the local network, using ldaps://server:port nomenclature.

The self-signed certificate from the OpenDJ server has been exported as a PEM encoded file and saved on the test Ubuntu client at /usr/share/ca-certificates/server.pem. The file has been made world readable.

At /etc/ldap.conf the certificate has been pointed to accordingly:

TLS_CACERTFILE /usr/share/ca-certificates/server.pem

A dedicated bind account has been created in the LDAP server and this has been specified in /etc/ldap.conf with the bind password recorded at /etc/ldap.secret.

PAM configuration files at /etc/pam.d have been modified to contain the following, in order common-account, common-auth, common-password and common-session:

account sufficient pam_ldap.so
account required pam_unix.so

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

password sufficient pam_ldap.so nullok
password required pam_unix.so nullok obscure min=4 max=8 md5

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
session optional pam_ldap.so

/etc/nsswitch.conf has been modified accordingly to contain the following information:

passwd: files ldap
group: files ldap
shadow: files ldap

LDAP users can log in to the client successfully, and home directories are created automatically. In LDAP, my test user accounts have been assigned the gidNumber attribute value of 119 (admin).

2) What I expect to happen

As local administrator (note *not* as an LDAP user), I expect to be able to launch a Gnome application such as Ubuntu Software Center and have Policykit validate my credentials correctly such that I can install or remove applications (or otherwise perform administrative tasks).

3) What happened instead

Logging in to the system as a local administrator, I can launch Ubuntu Software Center. Upon (for example) attempting to install an application, I am prompted for my credentials. I enter these (the same credentials used to log into the system), but they are rejected with an "Authentication Failure" error.

4) Additional information

Using my Virtualbox host with a combination of snapshots, I have determined that this oddity appears specifically in this scenario when secure LDAP is configured on the client. If I modify /etc/ldap.conf and use plain LDAP, i.e. an insecure connection to my OpenDJ server without a certificate, then logged in to the test client as a local administrator I can successfully authenticate to Ubuntu Software Center.

In either scenario, using Synaptic with the same credentials as local administrator poses no problem.

Policykit version details:

$ apt-cache policy policykit-1
policykit-1:
  Installed: 0.96-2ubuntu0.1
  Candidate: 0.96-2ubuntu0.1
  Version table:
 *** 0.96-2ubuntu0.1 0
        500 http://nz.archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
        500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     0.96-2 0
        500 http://nz.archive.ubuntu.com/ubuntu/ lucid/main Packages
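
The common-auth stack quoted in the report, evaluated by a small simulator added here (example code, not from the bug report or from the PAM project); the module results it feeds in are constructed. It shows that under these control flags a local account is still authenticated by pam_unix even when pam_ldap cannot reach the server, which is why the failure reported above is unexpected on the PAM side.

```python
# Added example: a model of how Linux-PAM evaluates the "sufficient" and
# "required" control flags for the common-auth stack quoted in the report.
# Module return codes are simulated; nothing here talks to PAM or LDAP.
from typing import Dict, List, Tuple

SUCCESS, AUTH_ERR = "success", "auth_err"
USER_UNKNOWN, AUTHINFO_UNAVAIL = "user_unknown", "authinfo_unavail"

# Stack as configured in the report (control flag, module).
AUTH_STACK = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]


def run_stack(stack, results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate a PAM stack for the two control flags used on this page.

    required:   a failure is recorded but later modules still run; the
                stack as a whole fails.
    sufficient: success ends the stack immediately unless an earlier
                'required' module already failed; a failure is ignored
                and evaluation continues with the next module.
    """
    recorded_failure = None
    trace = []
    for control, module in stack:
        rc = results[module]
        trace.append(f"{module}: {rc}")
        if control == "required":
            if rc != SUCCESS and recorded_failure is None:
                recorded_failure = rc
        elif control == "sufficient":
            if rc == SUCCESS and recorded_failure is None:
                return SUCCESS, trace
        else:
            raise ValueError(f"control flag {control!r} not modelled")
    return (SUCCESS if recorded_failure is None else recorded_failure), trace


# Constructed scenarios: what each module would return for a given caller.
SCENARIOS = {
    "local admin, LDAP server unreachable": {"pam_ldap.so": AUTHINFO_UNAVAIL, "pam_unix.so": SUCCESS},
    "LDAP user, correct password": {"pam_ldap.so": SUCCESS, "pam_unix.so": USER_UNKNOWN},
    "local admin, wrong password": {"pam_ldap.so": USER_UNKNOWN, "pam_unix.so": AUTH_ERR},
}


def outcome(scenario: str) -> str:
    """Final PAM result for one of the constructed scenarios."""
    return run_stack(AUTH_STACK, SCENARIOS[scenario])[0]


if __name__ == "__main__":
    for name in SCENARIOS:
        rc, trace = run_stack(AUTH_STACK, SCENARIOS[name])
        print(f"{name}: {rc}  [{' -> '.join(trace)}]")
```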

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit-1 (Ubuntu):
status: New → Confirmed