@trestletech
Last active June 2, 2016 16:44
node-authenticate-pam crash
Ignore patterns for the repository:

```
node_modules
.vagrant
*.swp
```

Example of pam-authenticate crash

Vagrant must be installed to use this setup. I'm using VirtualBox as the back-end.

Running `vagrant up` will provision the two boxes necessary for this test: one running Node with an authenticate-pam example, and one running an OpenLDAP server. The node box is configured to use PAM to defer to the LDAP server for authentication.

Now SSH into the node box using `vagrant ssh node`, then `cd /vagrant`.

Now run the index.js file with `sudo node index.js`. In the first commit of this project (using an older version of authenticate-pam) you'll see a segmentation fault. Now you no longer see the segfault, but the inner callback from `authenticate` never gets called (i.e. there's no output when running the command).

You shouldn't have to run this command, but if you get an error like "Auth failed -- User not known to the underlying authentication module", this command will resolve it.

```bash
# The base DN must match the dc=openldap suffix used in add_content.ldif and setup.sh.
sudo authconfig --enableldap --enableldapauth --ldapserver="openldap:389" --ldapbasedn="ou=People,dc=openldap" --update
```
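The failure mode described above is a callback that is never invoked, which a caller sees only as silence. As an added example (not part of the gist), the wrapper below puts a watchdog around any callback-style `authenticate(user, password, cb, opts)` such as authenticate-pam's, so a missing callback surfaces as a timeout error and a double callback is ignored; the `fakePam*` functions are constructed stand-ins for `pam.authenticate` so it runs without PAM or LDAP.

```javascript
'use strict';

// Added example (not from the gist). Wraps a callback-style
// authenticate(user, password, cb, opts), such as authenticate-pam's, so a
// callback that is never invoked is reported as a timeout rather than
// hanging silently, and a callback invoked twice is ignored.
function authenticateWithWatchdog(authenticate, user, password, opts, timeoutMs) {
  return new Promise(function (resolve, reject) {
    var settled = false;
    var service = (opts && opts.serviceName) || 'unknown';

    var timer = setTimeout(function () {
      if (settled) return;
      settled = true;
      reject(new Error('authenticate callback not invoked within ' +
                       timeoutMs + ' ms (service ' + service + ')'));
    }, timeoutMs);

    function done(err) {
      if (settled) return;            // ignore a second invocation
      settled = true;
      clearTimeout(timer);
      // authenticate-pam reports failure via a non-empty err argument.
      resolve(err ? { ok: false, reason: String(err) } : { ok: true });
    }

    try {
      authenticate(user, password, done, opts);
    } catch (e) {
      done(e);                        // synchronous throw from the binding
    }
  });
}

// Constructed stand-ins for pam.authenticate so this runs without PAM/LDAP.
function fakePamAccept(user, password, cb) {
  setImmediate(function () { cb(); });
}
function fakePamReject(user, password, cb) {
  setImmediate(function () { cb('Authentication failure'); });
}
function fakePamHang(user, password, cb) {
  // never calls cb: the behaviour described in the README
}
```

With the real binding, call `authenticateWithWatchdog(pam.authenticate, 'john', 'wrong', {serviceName: 'crashexample'}, 5000)` and treat a rejection as a defect in the PAM stack or binding rather than as an authentication result.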
add_content.ldif (entries loaded into the directory; LDIF requires a blank line between entries):

```ldif
dn: ou=People,dc=openldap
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=openldap
objectClass: organizationalUnit
ou: Groups

dn: cn=managers,ou=Groups,dc=openldap
objectClass: posixGroup
cn: managers
gidNumber: 5002
memberUid: john
memberUid: kim

dn: uid=john,ou=People,dc=openldap
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

dn: uid=kim,ou=People,dc=openldap
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kim
sn: Smith
givenName: Kim
cn: Kim Smith
displayName: Kim Smith
uidNumber: 10001
gidNumber: 5001
userPassword: kimldap
gecos: Kim Smith
loginShell: /bin/bash
homeDirectory: /home/kim
```
crashexample (PAM service file, installed to /etc/pam.d/crashexample by setup.sh):

```
auth      sufficient  pam_ldap.so try_first_pass ignore_unknown_user
auth      sufficient  pam_unix.so nullok try_first_pass
auth      requisite   pam_succeed_if.so uid >= 500 quiet
auth      required    pam_unix.so nodelay
account   required    pam_unix.so
account   required    pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account   required    pam_permit.so
```
index.js:

```javascript
var pam = require('authenticate-pam');

process.on('uncaughtException', function(err) {
  console.log('Uncaught exception: ' + err);
  console.log(err.stack);
  throw err;
});

// login with the right password 'johnldap' to see success. Login with the wrong
// password and you either get a segfault (on old authenticate-pams) or no
// callback evaluation.
pam.authenticate('john', 'wrong', function(err) {
  if (err) {
    console.log("Auth failed");
    console.log(err);
  } else {
    console.log("Authenticated!");
  }
}, {serviceName: 'crashexample'});
```
install-openldap.sh (provisions the ldap box):

```bash
#!/bin/bash
apt-get update

# Need to alter /etc/hosts such that slapd will infer the desired hostname.
mv /etc/hosts /etc/hosts.backup
echo "127.0.1.1 openldap.openldap openldap" > /etc/hosts

# Set the passwords so we aren't prompted interactively
debconf-set-selections <<< 'slapd slapd/password1 password LDAPPass'
debconf-set-selections <<< 'slapd slapd/password2 password LDAPPass'
apt-get install slapd ldap-utils -y

# Restore the hosts file.
mv /etc/hosts.backup /etc/hosts

# Populate the directory
ldapadd -x -D cn=admin,dc=openldap -f /vagrant/add_content.ldif -w "LDAPPass"
```
package.json:

```json
{
  "name": "pam-crash",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "authenticate-pam": "^1.0.1"
  }
}
```
setup.sh (provisions the node box):

```bash
#!/bin/bash
# Point the box at the ldap box by name; the original hosts file is kept as a backup.
mv /etc/hosts /etc/hosts.backup
echo "127.0.1.1 pam.ldap.test.com centos7-pam-ldap localhost
10.0.0.13 openldap" > /etc/hosts

# On this minimal install, we need wget
yum install wget -y

sudo systemctl disable firewalld
sudo systemctl stop firewalld
sudo sed -i 's/enforcing/disabled/g' /etc/selinux/config

# Install and configure NTP
sudo yum -y install ntp
sudo ntpdate 0.rhel.pool.ntp.org
sudo systemctl start ntpd.service
sudo systemctl enable ntpd.service

# Install and configure pam_ldap and nss
sudo yum -y install pam_ldap nss-pam-ldapd
sudo authconfig --enableforcelegacy --update
sudo authconfig --enableldap --enableldapauth --ldapserver="openldap:389" --ldapbasedn="ou=People,dc=openldap" --update
sudo systemctl restart nscd
sudo systemctl restart nslcd
sudo systemctl enable nscd
sudo systemctl enable nslcd

# Install the PAM service file used by index.js
sudo cp /vagrant/crashexample /etc/pam.d/crashexample

# Node, npm and the headers needed to build the authenticate-pam native module
sudo yum -y install epel-release
sudo yum -y install nodejs
sudo yum -y install npm
sudo yum -y install kernel-headers
sudo yum -y install pam-devel
( cd /vagrant && npm install )
```
Vagrantfile:

```ruby
# -*- mode: ruby -*-
# vi: set ft=ruby :

# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.define 'ldap', autostart: true do |instance|
    instance.vm.box = "ubuntu/precise64"
    instance.vm.host_name = "openldap"
    instance.vm.provision "shell", path: "install-openldap.sh"
    instance.vm.network "private_network", ip: "10.0.0.13"
  end

  config.vm.define 'node', primary: true do |instance|
    instance.vm.box = "centos7-20"
    instance.vm.box_url = "https://s3-us-west-2.amazonaws.com/rstudio-vagrant-boxes/boxes/centos7.box"
    instance.vm.host_name = "centos7-pam-ldap"
    instance.vm.provision "shell", path: "setup.sh"
    instance.vm.network :private_network, ip: "10.0.0.175"
  end
end
```