Question

I am running into an issue we have with Active Directory and PAM, but this can apply elsewhere.

Setting up Yubikey over PAM to utilize two-factor authentication with VPN connections, I need to set a binddn to the bind user who contacts the AD/LDAP server. Unfortunately there is a container in the binddn that has a space in it, and PAM does not allow for this space, nor does it let me escape it. Example:

/etc/pam.d/radiusd

auth       required     pam_yubico.so id=16 debug ldap_uri=ldap://ad-server.local ldapdn=DC=company,DC=local binddn=CN=binduser,OU=users,OU=other accounts,OU=departments,DC=company,DC=local bindpw=5up3rpa55w0rd user_attr=sAMAccountName yubi_attr=employeeNumber

I've tried OU="other accounts", OU=other\ accounts, OU='other accounts', and putting the entire binddn in double and single quotes. Every time in the PAM debug, I get this:

[pam_yubico.c:parse_cfg(747)] called.
[pam_yubico.c:parse_cfg(748)] flags 0 argc 9
[pam_yubico.c:parse_cfg(750)] argv[0]=id=16
[pam_yubico.c:parse_cfg(750)] argv[1]=debug
[pam_yubico.c:parse_cfg(750)] argv[2]=ldap_uri=ldap://ad-server.local
[pam_yubico.c:parse_cfg(750)] argv[3]=ldapdn=DC=company,DC=local
[pam_yubico.c:parse_cfg(750)] argv[4]=binddn=CN=binduser,OU=users,OU=other
[pam_yubico.c:parse_cfg(750)] argv[5]=accounts,OU=departments,DC=company,DC=local
[pam_yubico.c:parse_cfg(750)] argv[6]=bindpw=5up3rpa55w0rd 
[pam_yubico.c:parse_cfg(750)] argv[7]=user_attr=sAMAccountName
[pam_yubico.c:parse_cfg(750)] argv[8]=yubi_attr=employeeNumber

As you can see, it gets cut off after the space; quotes or escape characters are seen in the list as part of the binddn, like so:

[pam_yubico.c:parse_cfg(750)] argv[4]=binddn=CN=binduser,OU=users,OU=other\
[pam_yubico.c:parse_cfg(750)] argv[5]=accounts,OU=departments,DC=company,DC=local

What can I do to get PAM to recognize that this space isn't to separate another field?


Solution

From the useful documentation available by typing man pam.d: (emphasis added)

module-arguments are a space separated list of tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module. Note, if you wish to include spaces in an argument, you should surround that argument with square brackets.

The following text includes some notes about how to deal with arguments which contain square brackets, and an example line.
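As an added example (not part of the answer and not libpam's own code), here is a small Python re-implementation of the tokenizing rule quoted above from pam.d(5), run over the line from the question and over the same line with the binddn wrapped in square brackets; both lines are constructed from the question's configuration, and the tokenizer deliberately omits libpam's comment and line-continuation handling.

```python
# Tokenizer for a /etc/pam.d/<service> line following pam.d(5): tokens are
# space separated, except that an argument wrapped in [...] may contain
# spaces, may contain '[', and uses '\]' for a literal ']'.
# Added example, not libpam's code: an unterminated '[' is rejected outright.

def pam_tokenize(line):
    tokens, i, n = [], 0, len(line)
    while i < n:
        while i < n and line[i] in " \t":        # skip separators
            i += 1
        if i >= n:
            break
        if line[i] != "[":                        # plain token: up to next space
            j = i
            while j < n and line[j] not in " \t":
                j += 1
            tokens.append(line[i:j])
            i = j
            continue
        i += 1                                    # bracketed token
        buf, closed = [], False
        while i < n:
            if line.startswith("\\]", i):         # escaped ']' survives
                buf.append("]"); i += 2
            elif line[i] == "]":
                closed = True; i += 1; break
            else:
                buf.append(line[i]); i += 1
        if not closed:
            raise ValueError("unterminated '[' in module argument")
        tokens.append("".join(buf))
    return tokens

def module_args(line):
    """Return the module-arguments: everything after type, control and module."""
    return pam_tokenize(line)[3:]

# Constructed lines mirroring the question: the original and the bracketed fix.
BROKEN = ("auth required pam_yubico.so id=16 debug ldap_uri=ldap://ad-server.local "
          "ldapdn=DC=company,DC=local "
          "binddn=CN=binduser,OU=users,OU=other accounts,OU=departments,DC=company,DC=local "
          "bindpw=5up3rpa55w0rd user_attr=sAMAccountName yubi_attr=employeeNumber")
FIXED = BROKEN.replace(
    "binddn=CN=binduser,OU=users,OU=other accounts,OU=departments,DC=company,DC=local",
    "[binddn=CN=binduser,OU=users,OU=other accounts,OU=departments,DC=company,DC=local]")

if __name__ == "__main__":
    for label, line in (("broken", BROKEN), ("fixed", FIXED)):
        for k, arg in enumerate(module_args(line)):
            print(f"{label}: argv[{k}]={arg}")
```

The broken line splits into the nine arguments seen in the debug output, with the DN cut at "other"; the bracketed line yields eight, with the whole DN as argv[4].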

Licensed under: CC-BY-SA with attribution