Authentication failure on successful login when using LDAP authentication

Bug #562388 reported by Mike C on 2010-04-13

This bug report was converted into a question: question #107363: Authentication failure on successful login when using LDAP authentication.

This bug affects 2 people
Affects: libpam-ldap (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: libpam-ldap

I've configured LDAP authentication for my Ubuntu 9.10 clients using the following (recommended?) method:

# /usr/sbin/auth-client-config -p lac_ldap -t nss
# echo libpam-runtime libpam-runtime/profiles multiselect unix, ldap, consolekit | /usr/bin/debconf-set-selections
# /usr/sbin/pam-auth-update --package

Now LDAP authentication works fine, but I see authentication failures like the following in my logs:

Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=example.com user=mikec
Apr 13 15:35:38 example01 sshd[15860]: Accepted password for mikec from 1.2.3.4 port 49507 ssh2
Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:session): session opened for user mikec by (uid=0)

As you can see, a failure message is always logged even though authentication was successful. Is this the expected behavior?

I'm not a PAM expert, so I don't completely understand what's happening in /etc/pam.d/common-auth, but since this only occurs for LDAP users, my hunch is that local auth is attempted first (which fails and logs the above error message), then LDAP auth is attempted and succeeds. If that's the case, is there a way to suppress the failure from the local auth attempt? This is important for packages like fail2ban which rely on these log messages. At the moment, it's possible to get locked out of a machine by having too many *successful* logins.
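The reporter's hunch about module ordering can be checked against the file pam-auth-update writes. The fragment below is an added illustration of what /etc/pam.d/common-auth looks like with the unix and ldap profiles selected; it is not copied from the reporter's machine, and the exact option strings depend on which profiles are installed:

```text
# /etc/pam.d/common-auth (generated by pam-auth-update; illustrative)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already
auth    required                        pam_permit.so
```

pam_unix is consulted first for every login. For an account that only exists in LDAP it cannot verify the password, so it returns a failure and writes the "authentication failure" line to syslog before control moves on. The `default=ignore` control means that failure does not decide the outcome: pam_ldap then succeeds, `success=1` jumps over pam_deny, and pam_permit closes the stack with success. The log line is therefore a side effect of the stack order, not a sign that the LDAP login itself was ever rejected, and nothing later in the stack retracts it.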

Mike C (mconigliaro) on 2010-04-13
summary: changed from "Authentication failures on sucessful login when using LDAP authentication" to "Authentication failure on successful login when using LDAP authentication"
Thierry Carrez (ttx) wrote:

Not a bug, rather a question.

Changed in libpam-ldap (Ubuntu):
status: New → Invalid
Andy Smith (grifferz) wrote:

I don't agree that this is not a bug; as Michael pointed out there are log file processors like fail2ban which can't tell the difference between an auth failure from this and an auth failure from a guess.

It could possibly be worked around in the logging daemon or in every package that consumes the logs, but wouldn't it make more sense to just be able to not log it in the first place unless all available auth modules fail?
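Both the report and Andy Smith's comment turn on the same problem: a pattern-only log consumer such as fail2ban's sshd filter counts every pam_unix "authentication failure" line, including the one emitted during a login that the LDAP module then accepts. The script below is an added example (not part of the bug report, and not fail2ban's own code) of the correlation a log processor would need to tell the two cases apart: a pam_unix failure is held as pending per sshd process ID and discarded if that same process later logs an "Accepted" line. The sample log is constructed for the example; it reuses the three lines from the report and adds a second sshd process making real password guesses from a different host.

```python
import re
from collections import defaultdict

# Constructed sample log for this example. Lines 1-3 are the reporter's
# successful LDAP login; lines 4-8 are a made-up guessing attempt from
# another host (203.0.113.9 is a documentation address).
SAMPLE_LOG = """\
Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=example.com user=mikec
Apr 13 15:35:38 example01 sshd[15860]: Accepted password for mikec from 1.2.3.4 port 49507 ssh2
Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:session): session opened for user mikec by (uid=0)
Apr 13 15:36:01 example01 sshd[15901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Apr 13 15:36:03 example01 sshd[15901]: Failed password for root from 203.0.113.9 port 40001 ssh2
Apr 13 15:36:05 example01 sshd[15901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Apr 13 15:36:07 example01 sshd[15901]: Failed password for root from 203.0.113.9 port 40001 ssh2
Apr 13 15:36:09 example01 sshd[15901]: Connection closed by 203.0.113.9
"""

# sshd logs every line of one connection under the same process ID, which is
# what lets us tie a pam_unix failure to a later "Accepted" from that connection.
SSHD_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_FAIL_RE = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<rhost>\S*)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for \S+ from (?P<rhost>\S+)")
CLOSED_PREFIXES = ("Connection closed", "Disconnect", "Received disconnect")


def count_naive_failures(log_text):
    """What a pattern-only filter sees: every pam_unix failure line counts,
    including the one produced during the successful LDAP login."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = PAM_FAIL_RE.search(line)
        if m:
            counts[m.group("rhost")] += 1
    return dict(counts)


def count_real_failures(log_text):
    """Return {rhost: count} of pam_unix failures that were NOT followed by an
    'Accepted' line from the same sshd process.

    Failures are kept pending per pid and committed only when that process
    logs a close/disconnect, or when the input ends with the process still
    open (a live connection that has not authenticated yet)."""
    pending = defaultdict(list)  # pid -> [rhost, ...]
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        fail = PAM_FAIL_RE.search(msg)
        if fail:
            pending[pid].append(fail.group("rhost"))
        elif ACCEPTED_RE.search(msg):
            # A later module in the stack (pam_ldap in the report) accepted
            # this login, so the pending pam_unix failure was not a bad guess.
            pending.pop(pid, None)
        elif msg.startswith(CLOSED_PREFIXES):
            # Connection ended without an Accepted: the failures were genuine.
            for rhost in pending.pop(pid, []):
                counts[rhost] += 1
    for rhosts in pending.values():
        for rhost in rhosts:
            counts[rhost] += 1
    return dict(counts)


if __name__ == "__main__":
    print("naive:", count_naive_failures(SAMPLE_LOG))
    print("correlated:", count_real_failures(SAMPLE_LOG))
```

With the sample input the naive count charges one failure to example.com for a login that succeeded, which is exactly the sequence that lets enough successful LDAP logins trip a ban; the correlated count attributes failures only to the host whose connection ended without an "Accepted" line. The trade-off is latency: a pending failure cannot be acted on until the connection closes, so a consumer that wants to ban on the first bad guess still has to accept this ambiguity, which is the argument in the comments for not logging the pam_unix failure until the whole stack has failed.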
