SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

sssd LDAP client logins successfully after LDAP server returns invalidCredentials with PasswordPolicyResponseValue #7582

Open nikigen68 opened 1 week ago

nikigen68 commented 1 week ago

As the subject suggests, the sssd-ldap client allows user sdi3pwd5minn to log in even though the server sends invalidCredentials in the bindResponse. Why is it not rejected?

sssd_debug.log

PasswordExpiredPCAP

sumit-bose commented 1 week ago

Hi, according to the logs the password policy indicates that the password is expired and must be renewed. Unfortunately PAM does not trigger the renewal step during authentication but during access control, and I haven't found anything related in the logs. Can you check your PAM configuration for sshd and check if pam_sss.so is called in the account block?

bye, Sumit

nikigen68 commented 6 days ago

Hi Sumit,

It seems pam_sss is called from the account block: account [default=bad success=ok user_unknown=ignore] /lib64/security/pam_sss.so

Attached configuration files: sshd sssd.conf nsswitch.conf ldap.conf common-password

ldap_files.zip

Best Regards, Nikola

sumit-bose commented 6 days ago

Hi,

thanks for the config files, pam_sss.so is missing in common-password. I'm not completely sure if this will already help, because I still wonder why there are no messages from the access control step in the SSSD debug logs.

bye, Sumit

nikigen68 commented 6 days ago

Hi Sumit,

We have used this command to collect debug logs: /usr/sbin/sssd -i -d9

In which way should common-password be updated with pam_sss.so? Should it be something like: password sufficient pam_sss.so use_authtok

Regards, Nikola

sumit-bose commented 6 days ago

> Hi Sumit,
>
> We have used this command to collect debug logs: /usr/sbin/sssd -i -d9

Hi,

yes, this should cover the access control step as well.

> In which way should common-password be updated with pam_sss.so? Should it be something like: password sufficient pam_sss.so use_authtok

Yes, but you might have to modify the pam_unix line as well to properly skip pam_sss and pam_deny.

bye, Sumit

> Regards, Nikola
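As an added example (not code from the SSSD project or from either participant), a POSIX shell check for the two PAM points raised in this thread: pam_sss.so in the account phase, where SSSD reports the expired password, and pam_sss.so plus a widened pam_unix jump in common-password so that the renewal step can actually run. The sample stacks, the helper names and the third "naive" variant are constructed for illustration; a Debian-style common-password layout with `[success=N default=ignore]` on the pam_unix line is assumed.

```shell
#!/bin/sh
# Added example, not code from the SSSD project or from the issue participants.
# It checks a PAM stack the way this thread suggests: pam_sss.so must be in the
# account phase (where SSSD reports the expired password) and in the password
# phase (where the renewal happens), and the success=N jump on the pam_unix
# line in common-password must land on pam_permit, not on pam_sss or pam_deny.
# All configs below are constructed samples modelled on a Debian-style /etc/pam.d.

# The reporter's account line, reproduced as a constructed sample.
ACCOUNT='account [default=bad success=ok user_unknown=ignore] /lib64/security/pam_sss.so'

# Shape of the attached common-password: pam_sss.so absent, pam_unix skips
# exactly one module (pam_deny) on success.
BEFORE=$(cat <<'EOF'
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF
)

# Naive fix: pam_sss.so inserted but the jump left at 1, so a successful
# pam_unix change now lands on pam_deny instead of pam_permit.
NAIVE=$(cat <<'EOF'
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt
password  sufficient                  pam_sss.so use_authtok
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF
)

# Corrected form: pam_sss.so added and the pam_unix jump widened to 2.
AFTER=$(cat <<'EOF'
password  [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt
password  sufficient                  pam_sss.so use_authtok
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF
)

# pam_phase_has_module CONFIG PHASE MODULE: does PHASE load MODULE?  Modules are
# compared by basename, so /lib64/security/pam_sss.so and pam_sss.so both match.
pam_phase_has_module() {
    printf '%s\n' "$1" | awk -v phase="$2" -v mod="$3" '
        /^[[:space:]]*#/ { next }
        $1 == phase { for (i = 2; i <= NF; i++) { m = $i; sub(/.*\//, "", m); if (m == mod) found = 1 } }
        END { exit (found ? 0 : 1) }'
}

# pam_unix_skips_to_permit CONFIG: in the password phase, does success=N on the
# pam_unix.so line jump exactly onto pam_permit.so?
pam_unix_skips_to_permit() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "password" {
            n++
            for (i = 2; i <= NF; i++) {
                if ($i == "pam_unix.so")   unix_at = n
                if ($i == "pam_permit.so") permit_at = n
                if ($i ~ /^\[?success=[0-9]+/) { j = $i; sub(/^\[?success=/, "", j); jump[n] = j + 0 }
            }
        }
        END { exit ((unix_at && permit_at && unix_at + jump[unix_at] + 1 == permit_at) ? 0 : 1) }'
}

# check_common_password CONFIG: 0 when an expired LDAP password can be renewed
# through pam_sss.so without breaking local pam_unix password changes.
check_common_password() {
    pam_phase_has_module "$1" password pam_sss.so && pam_unix_skips_to_permit "$1"
}

# Walk through the account line and the three common-password samples.
pam_phase_has_module "$ACCOUNT" account pam_sss.so && echo "account phase: pam_sss.so present"
for name in BEFORE NAIVE AFTER; do
    eval "cfg=\$$name"
    if check_common_password "$cfg"; then
        echo "$name: renewal via pam_sss.so reachable"
    else
        echo "$name: renewal via pam_sss.so NOT reachable"
    fi
done
```

Run against a real host by replacing the constructed strings with `$(cat /etc/pam.d/common-account)` and `$(cat /etc/pam.d/common-password)`; the NAIVE case is the one to watch for, since adding the pam_sss line without touching the pam_unix jump silently routes local password changes into pam_deny.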

nikigen68 commented 5 days ago

In case an invalidCredentials bindResponse is received for a wrong password, the login is rejected as expected. Please let me know what would be the proper way to modify common-password.

sumit-bose commented 4 days ago

> In case an invalidCredentials bindResponse is received for a wrong password, the login is rejected as expected. Please let me know what would be the proper way to modify common-password.

Hi,

yes, because in this case there will be no reply from the password policy control that the password is expired.

bye, Sumit