Bug
Resolution: Unresolved
Major
Customer Escalated
rhel-idm-ds
Description of a problem
Configured PAM Pass Through Authentication with Active Directory as the backend. The `pamFilter` option is defined, but bind requests from accounts that do not match the filter are still being forwarded to the PAM Pass Through plugin.

----------
Details:
----------

** Reference from the customer's environment **

- Plugin configuration
======
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: betxnpreoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN
pamIDAttr: notUsedWithRDNMethod
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 2.5.2
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin
modifiersName: cn=Directory Manager
modifyTimestamp: 20250303113155Z
numSubordinates: 1

dn: cn=saslauthd,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: pamConfig
cn: saslauthd
pamService: ldapserver
pamIncludeSuffix: o=EnergyIT
pamFilter: (objectClass=nsSaslauthAccount)   <<<--------------
pamIDAttr: nsSaslauthId
pamIDMapMethod: ENTRY
pamSecure: TRUE
pamFallback: TRUE   <<<--------------
pammoduleisthreadsafe: TRUE
pamMissingSuffix: ERROR
creatorsName: cn=Directory Manager
modifiersName: cn=Directory Manager
createTimestamp: 20250303112435Z
modifyTimestamp: 20250303112805Z
======

- Authentication works successfully for users that match the `pamFilter` option and are validated against AD.
- However, authentication was failing for users under the suffix "o=EnergyIT" that are not allowed to authenticate against AD because they do not have the required "objectclass=nsSaslauthAccount".
- Changing `pamFallback` from false to true allowed the non-matching accounts to authenticate with their local Directory Server password.

-------
Issue:
-------

- Whenever there is a bind request for an account that is not allowed to authenticate against AD, or for an entry under a missing suffix, an error is written to the Directory Server error log.
- Reference:

1. Account details. Below is the account whose password should be checked by Directory Server and not by Active Directory. The account does not have the objectClass "nsSaslauthId" configured and it does not exist in AD.
=====
[root@entestldp2 ~]# ldapsearch -H 'ldaps://entestldp2.oa.pnrad.net' -D "cn=Directory Manager" -W -b "ou=Internal,dc=Auth,o=EnergyIT" '(cn=lookup)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Internal,dc=Auth,o=EnergyIT> with scope subtree
# filter: (cn=lookup)
# requesting: ALL
#

# lookup, Internal, Auth, EnergyIT
dn: cn=lookup,ou=Internal,dc=Auth,o=EnergyIT
cn: lookup
description: LDAP Information Lookup
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: top
objectClass: nsaccount
userPassword:: e1BCS0RGMi1TSEE1MTJ9MTAwMDAkbUpTSmE4TmdDU3hVWThhWXBOSHBGY2J6UER
 HR0V2dmckUExmUW9hNng1MjRjL2RLNjlOOUhOTjBMaTJPT3dFMFNMTmI5RlJldmluTkZxLzNkOUZ6
 bm9Ib3g3NTBoNlRCeTRuNStOdy9acHZLeHowM0JFQm4yRGc9PQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
====

2. The validation succeeds because `pamFallback = TRUE` is enabled.
====
[root@entestldp2 ~]# ldapwhoami -x -D "cn=lookup,ou=Internal,dc=Auth,o=EnergyIT" -H ldaps://entestldp2.oa.pnrad.net -W
Enter LDAP Password:
dn: cn=lookup,ou=Internal,dc=Auth,o=EnergyIT
====

3. However, the Directory Server logs show the request being forwarded to PAM Pass Through Authentication.
=====
[07/Apr/2025:08:46:41.668475426 +0200] - ERR - pam_passthru-plugin - do_one_pam_auth - Bind DN [cn=lookup,ou=Internal,dc=Auth,o=EnergyIT] is invalid or not found
[07/Apr/2025:08:47:00.845734707 +0200] - ERR - pam_passthru-plugin - do_one_pam_auth - Bind DN [cn=lookup,ou=Internal,dc=Auth,o=EnergyIT] is invalid or not found
=====

- Tried the "ERROR" and "IGNORE" values of the `pamMissingSuffix` option, but the error is still recorded. The documented meaning of the option is:
======
Identifies how to handle missing include or exclude suffixes. The options are ERROR (which causes the bind operation to fail); ALLOW, which logs an error but allows the operation to proceed; and IGNORE, which allows the operation and does not log any errors.
======
Version-Release number of the selected component
rpm -q 389-ds-base cockpit-389-ds
389-ds-base-2.5.2-5.el9_5.x86_64
389-ds-base-libs-2.5.2-5.el9_5.x86_64
cockpit-389-ds-2.5.2-3.module+el9dsrv+22360+4d1b4fe0.noarch
Browser (if applicable)
Steps to reproduce
** Reference steps from the lab setup **

1. Join the machine to AD: How to join RHEL to Active Directory using realmd - https://access.redhat.com/solutions/1350723

2. Enable PAM Pass Through Authentication with AD as the backend and add the filter: https://docs.redhat.com/en/documentation/red_hat_directory_server/11/html/administration_guide/pam-pta#pam-pta-sssd

[+] Sample configuration details (I have used UIDs for testing). Only the account "uid=user05,ou=people,dc=server,dc=local" should be able to authenticate against AD.
======
# ldapsearch -D "cn=Directory Manager" -W -H ldap://`hostname` -x -b "cn=PAM Pass Through Auth,cn=plugins,cn=config"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=PAM Pass Through Auth,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# PAM Pass Through Auth, plugins, config
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: betxnpreoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: IGNORE
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN
pamIDAttr: notUsedWithRDNMethod
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.4.3.39
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin

# AD_PASSTHRU, PAM Pass Through Auth, plugins, config
dn: cn=AD_PASSTHRU,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: pamConfig
cn: AD_PASSTHRU
pamIncludeSuffix: ou=people,dc=server,dc=local
pamIDAttr: uid
pamIDMapMethod: ENTRY
pamFallback: TRUE
pamSecure: FALSE
pamService: system-auth
pamFilter: uid=user05   <<<-------------

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
======
Actual results
The results show:

[+] "user05": able to authenticate via the AD password
=====
[root@rhds ~]# ldapwhoami -x -D "uid=user05,ou=people,dc=server,dc=local" -w "AD_password" -h `hostname`
dn: uid=user05,ou=people,dc=server,dc=local
[root@rhds ~]# ldapwhoami -x -D "uid=user05,ou=people,dc=server,dc=local" -w "RHDS_password" -h `hostname`
ldap_bind: Invalid credentials (49)
        additional info: Invalid PAM password for user id [user05], bind DN [uid=user05,ou=people,dc=server,dc=local]
======

[+] "user04": user present in AD. Not able to authenticate via the AD password; only local RHDS password validation works
=====
[root@rhds ~]# ldapwhoami -x -D "uid=user04,ou=people,dc=server,dc=local" -w "AD_password" -h `hostname`
ldap_bind: Invalid credentials (49)
[root@rhds ~]# ldapwhoami -x -D "uid=user04,ou=people,dc=server,dc=local" -w "RHDS_password" -h `hostname`
dn: uid=user04,ou=people,dc=server,dc=local
=====

[+] "user03": not present in AD. Only local RHDS password validation works
=====
[root@rhds ~]# ldapwhoami -x -D "uid=user03,ou=people,dc=server,dc=local" -w "RHDS_password" -h `hostname`
dn: uid=user03,ou=people,dc=server,dc=local
=====

[+] The Directory Server logs indicate that users "user04" and "user03", who are not allowed to authenticate against Active Directory according to the defined `pamFilter` option, are having their requests forwarded to the PAM Pass Through plugin. The logs also record the resulting errors.
=====
- ERR - pam_passthru-plugin - report_pam_error - during pam_authenticate (7: Authentication failure)
- ERR - pam_passthru-plugin - do_one_pam_auth - Invalid PAM password for user id [user04], bind DN [uid=user04,ou=people,dc=server,dc=local]
-----
- ERR - pam_passthru-plugin - derive_from_bind_entry - Could not find BIND dn uid=user040,ou=people,dc=server,dc=local (error 32 - No such object)
- ERR - pam_passthru-plugin - do_one_pam_auth - Bind DN [uid=user03,ou=people,dc=server,dc=local] is invalid or not found
- ERR - pam_passthru-plugin - do_one_pam_auth - Bind DN [uid=user03,ou=people,dc=server,dc=local] is invalid or not found
=====
Expected results
Users excluded by `pamFilter` should not have their bind requests forwarded to the PAM Pass Through plugin for validation against Active Directory. Their passwords should be checked only by Directory Server.
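The expected behaviour above, turned into a check an administrator can run over the error log. This is an added example, not code from this report or from 389-ds: it models the documented intent of `pamIncludeSuffix`, `pamExcludeSuffix` and `pamFilter` (simple equality filters only), uses constructed local entries and constructed log lines in the format quoted in this report, and lists every bind DN that reached the PAM plugin although the filter should have kept it local.

```python
import re

# Constructed from the lab sub-entry quoted in this report (cn=AD_PASSTHRU).
PAM_CONFIG = {"pamIncludeSuffix": "ou=people,dc=server,dc=local",
              "pamExcludeSuffix": "cn=config",
              "pamFilter": "uid=user05"}  # only user05 should be passed through to PAM/AD

# Constructed local entries; keys are normalised (lower-case, no spaces) DNs.
ENTRIES = {f"uid={u},ou=people,dc=server,dc=local": {"uid": [u], "objectClass": ["nsAccount"]}
           for u in ("user03", "user04", "user05")}

# Constructed error-log lines in the pam_passthru-plugin format quoted in this report.
LOG_LINES = [
    "[07/Apr/2025:08:46:41.668475426 +0200] - ERR - pam_passthru-plugin - report_pam_error - during pam_authenticate (7: Authentication failure)",
    "[07/Apr/2025:08:46:41.668475426 +0200] - ERR - pam_passthru-plugin - do_one_pam_auth - Invalid PAM password for user id [user04], bind DN [uid=user04,ou=people,dc=server,dc=local]",
    "[07/Apr/2025:08:47:00.845734707 +0200] - ERR - pam_passthru-plugin - do_one_pam_auth - Bind DN [uid=user03,ou=people,dc=server,dc=local] is invalid or not found",
    "[07/Apr/2025:08:48:12.000000000 +0200] - ERR - pam_passthru-plugin - do_one_pam_auth - Invalid PAM password for user id [user05], bind DN [uid=user05,ou=people,dc=server,dc=local]",
]

BIND_DN_RE = re.compile(r"bind DN \[(?P<dn>[^\]]+)\]", re.IGNORECASE)

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_under(dn, suffix):
    dn, suffix = norm_dn(dn), norm_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def matches_filter(attrs, flt):
    # Only the simple equality filters seen in this report: (objectClass=x) or uid=user05.
    attr, _, value = flt.strip().strip("()").partition("=")
    values = [v.lower() for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
    return value.lower() in values

def should_pass_through(dn, cfg, entries):
    # Documented intent: under an include suffix, not under an exclude suffix, and matching pamFilter.
    if dn_under(dn, cfg["pamExcludeSuffix"]) or not dn_under(dn, cfg["pamIncludeSuffix"]):
        return False
    entry = entries.get(norm_dn(dn))
    return entry is not None and matches_filter(entry, cfg["pamFilter"])

def forwarded_dns(log_lines):
    # A pam_passthru-plugin line naming a bind DN proves that bind reached the plugin.
    hits = (BIND_DN_RE.search(line) for line in log_lines if "pam_passthru-plugin" in line)
    return [m.group("dn") for m in hits if m]

def unexpected_pass_through(log_lines, cfg, entries):
    # Bind DNs that reached PAM although the configured filter should have kept them local.
    return sorted({dn for dn in forwarded_dns(log_lines) if not should_pass_through(dn, cfg, entries)})
```

Run it against the real error log (one line per list element) and the values from the plugin sub-entry; every DN it returns is a local account whose password was handed to PAM, which is exactly what `pamFilter` is meant to prevent.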
Additional information
The customer uses the Directory Server web UI to enable and configure the PAM Pass Through Authentication plugin. The initial configuration for the lab test was also done through the Directory Server web UI.