
SIA + LDAP + Enhanced = multiple passwords

Eric Merth
Occasional Visitor

On Tru64 5.1B on an XP1000 machine:

I have configured SIA to use Enhanced Security (authdb etc), then also added the LDAP authentication method (OSFLDPAUTH540, which auto-adds OSFINET540). The LDAP server is OpenLDAP 2.3.30 running on a Linux box.

The scheme works well but with one disturbing problem: if I change a user account password using usermod from password1 to password2, then both password1 and password2 will let that user login (via ssh).

If I then change that user account password to password3, password2 is invalidated but still password1 and password3 are valid.

password1 != password2 != password3

Can anyone help me with this?

Here's some background.

1. install OS.

2. create 10 test accounts under base security model (user001 - user010).

3. change to Enhanced Security - choose the default 'custom' configuration that causes use of auth.db et al.

4. now I have 10 pre-Enhanced accounts migrated into the auth.db file.

5. Add 10 more accounts (user101 - user110).

Now in /etc/passwd I've got the twenty accounts with * in the password field, the same twenty accounts show up using "edauth -dp -g".

6. Use edauth to dump the 20 users, build an LDAP LDIF file and import them into posixAccount entries in OpenLDAP.

7. Delete them from Enhanced Security so they no longer appear in /etc/passwd or auth.db, using "userdel -D -x local=1 ".

8. Login via SSH using some of the accounts.

This works so far.

9. Look in auth.db - the said accounts have been added back to auth.db somehow, with a password field.

10. Look in /etc/passwd - the accounts are not in there.

11. Use "usermod -p -x ldap=1 " to change one of these accounts' password stored on the LDAP server.

12. Successfully log in using the old password or using the new password.


/etc/auth/system/default specifies d_accept_alternate_vouching@

-----

It seems to me that the old password is being stored by Enhanced in auth.db, the new one in LDAP, and vouching lets Enhanced authenticate the account even when LDAP doesn't.

I don't want to disable vouching because the accounts with UID 0 to 100 will not be kept in LDAP, only locally.

But I really don't want to have to manage the accounts in both LDAP and auth.db!

If my diagnosis is correct, is there a way to stop Enhanced Security from repopulating auth.db in the manner described in steps 8, 9, 10 above?

Or is there a way to constrain Enhanced to only care about UIDs less than some number, say, 100?

Heaps of thanks in advance!

Eric Merth
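A check for the two-password condition described in steps 8 to 12, added here as an example and not part of the original post: it compares an "edauth -dp -g" dump against the LDIF that was imported into OpenLDAP and reports accounts that exist in both places with a usable local u_pwd, or whose UID is above the range meant to stay local-only. The sample data and the exact authcap field layout are assumptions for the example.

```python
import re

# Constructed sample in the authcap-style format that "edauth -dp -g" prints
# (field layout assumed for this example: name, then colon-separated fields).
EDAUTH_DUMP = """\
root:u_name=root:u_id#0:u_pwd=abcd1234:u_lock@:chkent:
user005:u_name=user005:u_id#205:u_pwd=oldhash1:u_lock@:chkent:
user107:u_name=user107:u_id#307:u_pwd=*:u_lock@:chkent:
"""

# Constructed LDIF sample for the posixAccount entries imported into OpenLDAP.
LDIF = """\
dn: uid=user005,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: user005
uidNumber: 205
userPassword: {SSHA}newhash2

dn: uid=user107,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: user107
uidNumber: 307
"""

def parse_edauth(dump):
    """Return {name: (uid, u_pwd value)} from an authcap-style dump."""
    accounts = {}
    for line in dump.splitlines():
        fields = line.rstrip(":").split(":")
        if len(fields) < 2:
            continue
        uid = pwd = None
        for f in fields[1:]:
            if f.startswith("u_id#"):      # numeric capability: name#value
                uid = int(f[5:])
            elif f.startswith("u_pwd="):   # string capability: name=value
                pwd = f[6:]
        accounts[fields[0]] = (uid, pwd)
    return accounts

def parse_ldif_posix(ldif):
    """Return the set of uid values of posixAccount entries in an LDIF text."""
    users = set()
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        lines = entry.splitlines()
        is_posix = any(l.lower() == "objectclass: posixaccount" for l in lines)
        uid = next((l[4:].strip() for l in lines if l.startswith("uid:")), None)
        if is_posix and uid:
            users.add(uid)
    return users

def find_conflicts(local, ldap, local_uid_max=100):
    """Report LDAP users that also carry a usable local password, and LDAP
    users whose local entry sits above the UID range meant to stay local."""
    conflicts = []
    for name, (uid, pwd) in sorted(local.items()):
        if name not in ldap:
            continue
        if pwd not in (None, "", "*"):
            conflicts.append((name, "local u_pwd set; stale password may still be accepted"))
        if uid is not None and uid > local_uid_max:
            conflicts.append((name, "UID above local-only range; should exist only in LDAP"))
    return conflicts

if __name__ == "__main__":
    for name, why in find_conflicts(parse_edauth(EDAUTH_DUMP), parse_ldif_posix(LDIF)):
        print(f"{name}: {why}")
```

On a live system the two inputs would be the real edauth output and an ldapsearch export rather than the embedded samples.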
1 REPLY
Ann Majeske
Honored Contributor

Re: SIA + LDAP + Enhanced = multiple passwords

To prevent the Enhanced Security accounts from being recreated, you can try setting the d_auto_migrate_users flag to false (d_auto_migrate_users@) in the default database. You can use the edauth tool to edit the default database. See "man default" and "man edauth" for more info.

Ann