On Tue, 2012-05-01 at 19:57 +0000, Craig White wrote:
> # getent shadow cwhite
> cwhite:*:15245::::::0
>
> # cat /etc/pam.d/common-account
[...]
> account [success=2 new_authtok_reqd=done default=ignore]
> pam_unix.so
> account [success=1 default=ignore] pam_ldap.so

This is the pam config from libpam-ldap, not libpam-ldapd (at least not
0.8.4). If you have ldap as primary you need to disable shadow lookups
to ldap in /etc/nsswitch.conf.

I can't find an upgrade scenario that would leave your config like this.
Did you have libpam-ldap installed before? Can you check if
dpkg-reconfig libpam-ldapd changes /etc/pam.d/common-account and what
the contents of /usr/share/pam-configs/ldap are?

> root@nxpc:~# nslcd -d
> nslcd: accepting connections
> nslcd: [8b4567] DEBUG: connection from pid=20642 uid=0 gid=0
> nslcd: [8b4567] <sess_c="cwhite"> DEBUG:
> nslcd_pam_sess_c("cwhite","sshd",12345)
> nslcd: [7b23c6] DEBUG: connection from pid=22634 uid=0 gid=0
> nslcd: [7b23c6] <host=10.x.x.x> DEBUG:
> myldap_search(base="dc=ttinet,dc=local",
> filter="(&(objectClass=ipHost)(ipHostNumber=10.x.x.x))")
> nslcd: [3c9869] DEBUG: connection from pid=22634 uid=0 gid=0
> nslcd: [3c9869] <shadow="cwhite"> DEBUG:
> myldap_search(base="dc=ttinet,dc=local",
> filter="(&(objectClass=shadowAccount)(uid=cwhite))")
> nslcd: [334873] DEBUG: connection from pid=22634 uid=0 gid=0
> nslcd: [334873] <sess_o="cwhite"> DEBUG:
> nslcd_pam_sess_o("cwhite","sshd","ssh","10.x.x.x","")
>
> the only ip address it seemed to log was the origination ip address (my
> workstation) which I replaced with 10.x.x.x

The host=10.x.x.x lookup is just the reverse hostname lookup that sshd
does on every connection (it doesn't have anything to do with
pam_authz_search).

sshd doesn't ask for authentication (I'm assuming you do key-based
authentication here) and skips authorisation (account) altogether.

If changing /etc/nsswitch.conf or fixing your PAM stack doesn't help,
can you send output of nslcd -d without nscd (or unscd) running?

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --

https://bugs.launchpad.net/bugs/992737
Title: Ineffective pam_authz_search filter
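
Added example, not part of the original message or of nss-pam-ldapd: a shell check for the two conditions the reply points at, a shadow line in nsswitch.conf that lists ldap, and a common-account stack in which a success=N jump on pam_unix.so passes over pam_ldap.so (PAM skips the next N modules of the stack when the module returns success). The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; paths are arguments so the checks can run on copies.

# Print "yes" if the shadow database in an nsswitch.conf-style file lists ldap.
shadow_uses_ldap() {
    awk '
        { sub(/#.*/, ""); sub(/^shadow:/, "shadow: ") }
        $1 == "shadow:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# Print what happens to the first pam_ldap.so account line once pam_unix.so
# returns success: "skipped" if a success=N jump on pam_unix.so passes over it,
# "reached" if it is still evaluated, "absent" if there is no such line.
ldap_account_after_unix_success() {
    awk '
        { sub(/#.*/, "") }
        $1 == "account" {
            n++
            if ($0 ~ /pam_unix\.so/ && match($0, /success=[0-9]+/)) {
                unix_at = n
                jump = substr($0, RSTART + 8, RLENGTH - 8) + 0
            }
            if ($0 ~ /pam_ldap\.so/ && !ldap_at) ldap_at = n
        }
        END {
            if (!ldap_at) { print "absent"; exit }
            if (unix_at && ldap_at > unix_at && ldap_at <= unix_at + jump) {
                print "skipped"; exit
            }
            print "reached"
        }
    ' "$1"
}

# Constructed sample files (not taken from the reporter's system).
tmp=$(mktemp -d)
printf 'passwd: compat ldap\nshadow: compat ldap\n' > "$tmp/nsswitch.conf"
printf '%s\n' \
    'account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so' \
    'account [success=1 default=ignore] pam_ldap.so' \
    'account requisite pam_deny.so' \
    'account required pam_permit.so' > "$tmp/common-account"
echo "shadow via ldap:  $(shadow_uses_ldap "$tmp/nsswitch.conf")"
echo "pam_ldap account: $(ldap_account_after_unix_success "$tmp/common-account")"
```

On a real host, pass /etc/nsswitch.conf and /etc/pam.d/common-account; "yes" together with "skipped" is the combination the reply asks to rule out.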