mod_auth_pam and LDAP

I finally had to clean up LDAP authentication for Apache on the mail server. I had let it continue to use /etc/shadow for authentication for the past year, mainly because we didn’t have that many directories that were protected — the various IMAP clients auth’ed against IMAP, not HTTP. Clearly, over time the mail password stored in LDAP would get out of sync with the old password in /etc/shadow. I hadn’t switched over to LDAP because Rude Dog’s LDAP authentication module, shipped with Red Hat, causes Apache to segfault on startup. It’s not clear why this happens; it runs perfectly happily on the main web server, which is more or less identical to the mail server, at least in terms of Apache, libc, and so on. I’ve tried to fix it on and off without success.

The main change over the past few weeks has been the deployment of Mailman for list management, which features a web interface for most functions. All of a sudden, HTTP authentication on this box was used much more often. Combined with the password rot in /etc/shadow, people couldn’t log in to manage their lists.

I used mod_auth_pam with nss_ldap as the end-run around mod_auth_ldap. Apache consults PAM for authentication, which consults LDAP. This is working now, after many fits and starts.

At first, I could su successfully with LDAP authentication, but I needed an entry in /etc/passwd for that user, or else I’d see messages saying “Cannot find name for user ID” and “I have no name!”. HTTP authentication with mod_auth_pam didn’t work at all, even though it was clearly hitting LDAP and searching with the right filters. After much back and forth, compiling and recompiling, and changes to ldap.conf, nsswitch.conf, and pam.d/http, I was about to give up, but decided to make one more try in seeing why I was getting the “Cannot find name” message. It turned out that PAM was using an anonymous bind to query the uid, given the received uidNumber from a non-anonymous auth with the supplied credentials. I then remembered that I had turned off anonymous reads in the slapd ACL for most things.

After changing the ACL, the messages on the su cleared up, and, most importantly, Apache started authenticating successfully using mod_auth_pam.
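The chain described above, written out as an added example (this is not the author’s actual configuration, and the hostname, base DN, module paths and PAM service name are assumptions). Apache hands the credentials to mod_auth_pam, PAM’s pam_ldap binds to slapd as the user, and then, separately, nss_ldap maps the uidNumber back to a name with whatever bind /etc/ldap.conf gives it, which is anonymous unless a binddn is set. That second query is the one the slapd ACL has to allow:

```conf
# /etc/httpd/conf/httpd.conf (Apache 1.3 with mod_auth_pam loaded)
# Protect the Mailman web interface with PAM-backed Basic auth.
<Location /mailman>
    AuthPAM_Enabled on
    AuthPAM_FallThrough off      # don't fall back to htpasswd-style auth
    AuthType Basic
    AuthName "Mailing list administration"
    require valid-user
</Location>

# /etc/pam.d/http  (the service name the post uses; mod_auth_pam asks PAM
# for the service name it was built with, commonly "httpd" -- check yours)
auth     required   /lib/security/pam_ldap.so
account  required   /lib/security/pam_ldap.so

# /etc/nsswitch.conf -- nss_ldap resolves uid <-> uidNumber after PAM is done
passwd:  files ldap
shadow:  files ldap
group:   files ldap

# /etc/ldap.conf (PADL nss_ldap / pam_ldap, shared by both modules).
# No binddn/bindpw here, so every nss_ldap lookup is an anonymous bind.
host                 ldap.example.com
base                 dc=example,dc=com
ldap_version         3
pam_filter           objectclass=posixAccount
pam_login_attribute  uid
nss_base_passwd      ou=People,dc=example,dc=com?one

# /etc/openldap/slapd.conf -- the ACL before the fix.
# Anonymous may only use userPassword to bind; everything else needs a login,
# so nss_ldap's anonymous uidNumber -> uid lookup returns nothing and the
# user has "no name".
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
    by * none

# slapd.conf -- the ACL after the fix.
# The posixAccount attributes nss_ldap needs are world-readable; password
# hashes still are not, and anonymous can still only bind against them.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to attrs=objectClass,uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell
    by * read
access to *
    by users read
    by * none
```

Two things worth checking in such a setup. objectClass has to be in the readable set, because the filter nss_ldap sends is `(&(objectClass=posixAccount)(uidNumber=N))`, and an attribute you may not read is also one you may not filter on. And the alternative to opening anonymous reads, a `binddn`/`bindpw` pair in /etc/ldap.conf, does not help much here: that file must be readable by the user Apache runs as, so the bind password ends up readable by every local account.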

Lessons? The usual one about reading logs carefully: if I had done so, I might have noticed the anonymous binds being attempted. I should have also tested PAM’s LDAP queries earlier using command line tools, which would have also shown the same problem. Another lesson might have to do with using mod_auth_pam instead of mod_auth_ldap: partial success with the former, as well as knowing that other people have gotten similar setups to work, kept me motivated to try different things. Mod_auth_ldap crashing out Apache on startup left few debugging avenues open to me, since I can’t rewrite the thing: if recompile after recompile with slightly different options failed to yield anything useful, I’m out of things to try.
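The command-line checks the last paragraph wishes had been run earlier, as an added example (not the author’s script). It replays the two directory queries the PAM/nss chain makes: the authenticated bind as the user, which worked here, and the anonymous uidNumber-to-uid lookup, which is the one the ACL broke. The base DN, host and the `ou=People` layout are assumptions; the LDIF in the test is constructed.

```shell
#!/bin/sh
# Replay by hand what pam_ldap and nss_ldap do, so an ACL problem shows up
# in ldapsearch output instead of as "I have no name!" somewhere in Apache.

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"    # assumed
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"   # assumed
PEOPLE="ou=People,$LDAP_BASE"                 # assumed account container

# The filter nss_ldap sends for getpwuid(): a posixAccount with this uidNumber.
uidnumber_filter() {
    printf '(&(objectClass=posixAccount)(uidNumber=%s))\n' "$1"
}

# Pull the first uid value out of LDIF on stdin (what ldapsearch -LLL prints).
uid_from_ldif() {
    sed -n 's/^uid: //p' | head -n 1
}

# Step 1: what PAM does -- bind with the user's own credentials (prompts for
# the password). Succeeding here but failing below is the symptom in the post.
check_bind_as_user() {
    ldapsearch -x -H "ldap://$LDAP_HOST" -D "uid=$1,$PEOPLE" -W \
        -b "$LDAP_BASE" "(uid=$1)" uid uidNumber
}

# Step 2: what nss_ldap does -- an anonymous bind, then map uidNumber -> uid.
# Empty output here, with step 1 working, means the slapd ACL denies
# anonymous reads on the posixAccount attributes (or on objectClass itself).
check_anon_uid_lookup() {
    ldapsearch -x -LLL -H "ldap://$LDAP_HOST" -b "$LDAP_BASE" \
        "$(uidnumber_filter "$1")" uid | uid_from_ldif
}

# Step 3: the same lookup through NSS, as Apache and su actually see it.
check_nss() {
    getent passwd "$1"
}

# Usage (interactive, against a live directory):
#   check_bind_as_user alice
#   check_anon_uid_lookup 1001      # should print "alice"
#   check_nss 1001                  # should print alice's passwd entry
```

Run step 2 as an unprivileged user rather than root: nss_ldap honours `rootbinddn` with the password from /etc/ldap.secret when running as root, so a root shell can resolve names that the apache user cannot, which is exactly how this sort of ACL problem hides during testing.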
