nslcd Repeats Failed Auth Attempt for Every "uri" Specified in nslcd.conf, Causes Account Lockouts

Bug #1618190 reported by Kevin on 2016-08-29
Affects: nss-pam-ldapd (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Description: Ubuntu 14.04.5 LTS
Release: 14.04

nslcd: 0.9.6-1

I'm seeing an issue with nslcd triggering an additional authentication attempt for every "uri" specified in nslcd.conf when using pam_ldap in the common-auth stack of /etc/pam.d. E.g. if you specify 6 LDAP servers in nslcd.conf, a single failed auth attempt hits all 6 servers separately. My /etc/pam.d/common-auth looks as follows:

auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so try_first_pass debug

account requisite pam_time.so

# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so

When an authentication attempt fails because of a wrong password, the failed password attempt then seems to cascade to every other LDAP server specified in the "uri" lines of nslcd.conf. This becomes a problem if you have an account lockout threshold that is lower than the number of uri entries specified in nslcd.conf.

Shouldn't nslcd return the authentication failure from the first LDAP server that responds rather than continuing to try every other uri? E.g. if I specified 8 LDAP servers, it could theoretically make 8 failed attempts from a user failing 1 password?

Debug output of nslcd is below. This logging is produced by a *single* failed password attempt on sshd login. The myldap_search function hits mydomainctrl1, mydomainctrl2, drdomainctrl1, and drdomainctrl2 after this single failed attempt.

nslcd: [3c9869] <passwd="knewman"> DEBUG: myldap_search(base="ou=User Accounts,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] <passwd="knewman"> DEBUG: myldap_search(base="ou=Service Accounts,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [3c9869] <passwd="knewman"> DEBUG: myldap_search(base="ou=Groups,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [334873] DEBUG: connection from pid=10689 uid=0 gid=0
nslcd: [334873] <passwd="knewman"> DEBUG: myldap_search(base="ou=User Accounts,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_initialize(ldaps://mydomainctrl1.mydomain.net)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_rebind_proc()
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_simple_bind_s("<email address hidden>","***") (uri="ldaps://mydomainctrl1.mydomain.net")
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] <passwd="knewman"> DEBUG: myldap_search(base="ou=Service Accounts,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [334873] <passwd="knewman"> DEBUG: myldap_search(base="ou=Groups,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [b0dc51] DEBUG: connection from pid=10689 uid=0 gid=0
nslcd: [b0dc51] <authc="knewman"> DEBUG: nslcd_pam_authc("knewman","sshd","***")
nslcd: [b0dc51] <authc="knewman"> DEBUG: myldap_search(base="ou=User Accounts,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net
nslcd: [b0dc51] <authc="knewman"> DEBUG: myldap_search(base="CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net", filter="(objectClass=*)")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize(ldaps://mydomainctrl1.mydomain.net)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_bind("CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net","***") (uri="ldaps://mydomainctrl1.mydomain.net")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl1.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize(ldaps://mydomainctrl2.mydomain.net)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_bind("CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net","***") (uri="ldaps://mydomainctrl2.mydomain.net")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl2.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize(ldaps://drdomainctrl1.mydomain.net)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_bind("CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net","***") (uri="ldaps://drdomainctrl1.mydomain.net")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://drdomainctrl1.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize(ldaps://drdomainctrl2.mydomain.net)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_bind("CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net","***") (uri="ldaps://drdomainctrl2.mydomain.net")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://drdomainctrl2.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net: Invalid credentials
nslcd: [b0dc51] <authc="knewman"> DEBUG: myldap_search(base="ou=User Accounts,dc=mydomain,dc=net", filter="(&(&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))(uid=knewman))")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net
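
The fan-out the debug output above shows (one request id, four "failed to bind" lines, one per uri) is easy to spot mechanically. The following is an added Python example, not part of the report and not nslcd's own code: it parses the "failed to bind to LDAP server" debug lines in the format shown above, groups them by request id and user, and counts how many servers rejected the same credentials, which is the number that matters against a directory's lockout threshold. The sample log is constructed (abridged from the report's output), and the second user "jdoe", the "Can't contact LDAP server" line and the threshold value of 3 are made up for the illustration.

```python
"""Spot nslcd authentication failures fanning out across several LDAP servers."""
import re
from collections import defaultdict

# One rejected bind per line:
#   nslcd: [<request id>] <authc="<user>"> DEBUG: failed to bind to LDAP server <uri>: <reason>
# Every other DEBUG line is ignored.
BIND_FAIL_RE = re.compile(
    r'^nslcd: \[(?P<req>[0-9a-f]+)\] <authc="(?P<user>[^"]+)"> DEBUG: '
    r'failed to bind to LDAP server (?P<uri>\S+?): (?P<reason>.*)$'
)

# Constructed sample, abridged from the report's debug output. The "jdoe" request
# mixes a connectivity failure with a credential rejection to show the difference.
SAMPLE_LOG = """\
nslcd: [b0dc51] <authc="knewman"> DEBUG: nslcd_pam_authc("knewman","sshd","***")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_bind("CN=Kevin Newman,OU=User Accounts,DC=mydomain,DC=net","***") (uri="ldaps://mydomainctrl1.mydomain.net")
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl1.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl2.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://drdomainctrl1.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://drdomainctrl2.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> CN=Kevin Newman,OU=User Accounts,DC=mydomain,DC=net: Invalid credentials
nslcd: [1a2b3c] <authc="jdoe"> DEBUG: nslcd_pam_authc("jdoe","sshd","***")
nslcd: [1a2b3c] <authc="jdoe"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl1.mydomain.net: Can't contact LDAP server
nslcd: [1a2b3c] <authc="jdoe"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl2.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
"""


def parse_bind_failures(log_text):
    """Group rejected bind attempts by (request id, user), keeping log order.

    Returns {(req, user): [(uri, reason), ...]}.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = BIND_FAIL_RE.match(line.strip())
        if m:
            failures[(m["req"], m["user"])].append((m["uri"], m["reason"]))
    return dict(failures)


def is_credential_failure(reason):
    """Only credential rejections count toward a directory's bad-password counter;
    a server that could not be reached never saw the password."""
    return reason.startswith("Invalid credentials")


def fanout_report(log_text, lockout_threshold):
    """Per PAM request: how many servers rejected the credentials, and whether that
    single user action alone reaches the (assumed) lockout threshold."""
    report = []
    for (req, user), attempts in parse_bind_failures(log_text).items():
        rejected_on = [uri for uri, reason in attempts if is_credential_failure(reason)]
        unreachable = [uri for uri, reason in attempts if not is_credential_failure(reason)]
        report.append({
            "request": req,
            "user": user,
            "credential_rejections": len(rejected_on),
            "servers_rejecting": sorted(set(rejected_on)),
            "connection_failures": len(unreachable),
            "lockout_risk": len(rejected_on) >= lockout_threshold,
        })
    return report


if __name__ == "__main__":
    for finding in fanout_report(SAMPLE_LOG, lockout_threshold=3):
        flag = "LOCKOUT RISK" if finding["lockout_risk"] else "ok"
        print(f'[{finding["request"]}] {finding["user"]}: '
              f'{finding["credential_rejections"]} credential rejection(s) across '
              f'{len(finding["servers_rejecting"])} server(s), '
              f'{finding["connection_failures"]} unreachable -> {flag}')
```

Run against a real nslcd debug log (nslcd -d output or the syslog it is written to), the report shows one request id per PAM conversation, so any request whose credential rejections exceed one is a single wrong password being counted several times by the directory.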

Kevin (thenewmanium) wrote:

Attached my nslcd.conf to this comment as well.

Arthur de Jong (adejong) wrote:

Thanks for reporting this. I've changed the behaviour upstream, see https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d8ad7b127363d6d73ab1de6796886fda5eb07054
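
To make the behavioural difference concrete, here is an added Python model, not nslcd's code and not taken from the linked commit (what upstream actually changed should be read from the commit itself). It contrasts the fail-over loop the report observed, where any failure moves on to the next uri, with the policy the reporter asks for, where a server's "invalid credentials" answer is final and only connection-level errors justify trying the next uri. The server names, the fake bind function, the ServerDown exception and the outcome strings are all constructed for the illustration.

```python
"""Model two bind fail-over policies over a list of LDAP 'uri' entries."""


class ServerDown(Exception):
    """Stand-in for a connection-level error (host unreachable, TLS failure)."""


def make_server(name, password, up=True):
    """Constructed fake LDAP server: returns a bind(user, pw) callable."""
    def bind(user, pw):
        if not up:
            raise ServerDown(name)
        return "ok" if pw == password else "invalid_credentials"
    bind.name = name
    return bind


def bind_try_every_uri(servers, user, pw, trace):
    """Behaviour described in the report: any failure, including a credential
    rejection, moves on to the next uri, so one wrong password is presented to
    every server. 'trace' collects (server, outcome) pairs for inspection."""
    outcome = "unavailable"
    for srv in servers:
        try:
            outcome = srv(user, pw)
        except ServerDown:
            trace.append((srv.name, "connection_error"))
            continue
        trace.append((srv.name, outcome))
        if outcome == "ok":
            break
    return outcome


def bind_stop_on_credential_rejection(servers, user, pw, trace):
    """Assumed corrected policy: the first server that answers at all gives the
    final result; only a connection error justifies trying the next uri."""
    for srv in servers:
        try:
            outcome = srv(user, pw)
        except ServerDown:
            trace.append((srv.name, "connection_error"))
            continue
        trace.append((srv.name, outcome))
        return outcome
    return "unavailable"


def credential_rejections(trace):
    """How many servers saw (and would count) the bad password."""
    return sum(1 for _, result in trace if result == "invalid_credentials")


if __name__ == "__main__":
    # Constructed topology: four domain controllers sharing one password store.
    dcs = [make_server(f"dc{i}", "s3cret") for i in range(1, 5)]
    for policy in (bind_try_every_uri, bind_stop_on_credential_rejection):
        trace = []
        policy(dcs, "alice", "wrong-password", trace)
        print(f"{policy.__name__}: {credential_rejections(trace)} rejection(s), trace={trace}")
```

With four servers and one wrong password, the first policy records four rejections and the second records one; with the first server down, both still fail over and the second policy still records a single rejection on the next server.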

Kevin (thenewmanium) wrote:

Appreciate the quick response! Having more active maintenance of the project is part of the reason I switched over from libnss-ldap. Thanks!
