nslcd Repeats Failed Auth Attempt for Every "uri" Specified in nslcd.conf, Causes Account Lockouts
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| nss-pam-ldapd (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Description: Ubuntu 14.04.5 LTS
Release: 14.04
nslcd: 0.9.6-1
I'm seeing an issue with nslcd triggering an additional authentication attempt for every "uri" specified in nslcd.conf when using pam_ldap in the common-auth stack of /etc/pam.d. E.g. if you specify 6 LDAP servers in nslcd.conf, a single failed auth attempt hits all 6 servers separately. My /etc/pam.
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so try_first_pass debug
account requisite pam_time.so
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
When an authentication attempt fails a password, the failed password attempt then seems to cascade to each other LDAP server specified in the "uri" lines of nslcd.conf. This becomes a problem if you have an account lockout threshold that is lower than the number of uris specified in nslcd.conf.
Shouldn't nslcd return the authentication failure from the first LDAP server that responds rather than continuing to try each other uri? E.g. if I specified 8 LDAP servers, it could theoretically make 8 failed attempts from a user failing 1 password?
Debug output of nslcd is below. This logging is produced by a *single* failed password attempt on sshd login. The myldap_search function hits mydomainctrl1, mydomainctrl2, drdomainctrl1, and drdomainctrl2 after this single failed attempt.
nslcd: [3c9869] <passwd="knewman"> DEBUG: myldap_
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] <passwd="knewman"> DEBUG: myldap_
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [3c9869] <passwd="knewman"> DEBUG: myldap_
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [334873] DEBUG: connection from pid=10689 uid=0 gid=0
nslcd: [334873] <passwd="knewman"> DEBUG: myldap_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_initialize
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_simple_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] <passwd="knewman"> DEBUG: myldap_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [334873] <passwd="knewman"> DEBUG: myldap_
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [b0dc51] DEBUG: connection from pid=10689 uid=0 gid=0
nslcd: [b0dc51] <authc="knewman"> DEBUG: nslcd_pam_
nslcd: [b0dc51] <authc="knewman"> DEBUG: myldap_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,
nslcd: [b0dc51] <authc="knewman"> DEBUG: myldap_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityC
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps:/
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityC
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps:/
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityC
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps:/
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityC
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps:/
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> CN=Kevin Newman,
nslcd: [b0dc51] <authc="knewman"> DEBUG: myldap_
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,
Attached my nslcd.conf to this comment as well.
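An added example, not part of the report or of nss-pam-ldapd itself: a small defender-side check that counts how many servers a given nslcd.conf would fail over to and, from nslcd debug output, how many bind failures a single PAM authentication request (one bracketed session id and one `<authc=...>` user) produced, so the two numbers can be compared against the directory's lockout threshold. The config, hostnames, session ids and log lines are constructed to mirror the shape of the output above; the text after "failed to bind to LDAP server" is assumed, not taken from the report.

```python
import re
from collections import Counter

# Constructed sample nslcd.conf (hypothetical hostnames, not the reporter's attachment):
# four servers, the same number the debug output in the report walks through.
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldaps://mydomainctrl1.example.internal/
uri ldaps://mydomainctrl2.example.internal/
uri ldaps://drdomainctrl1.example.internal/ ldaps://drdomainctrl2.example.internal/
base dc=example,dc=internal
"""

# Constructed nslcd debug output for one failed sshd login, shaped like the report's log:
# one session id, one <authc=...> user, one "failed to bind" line per uri nslcd tried.
SAMPLE_LOG = """\
nslcd: [b0dc51] DEBUG: connection from pid=10689 uid=0 gid=0
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl1.example.internal/: Invalid credentials
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl2.example.internal/: Invalid credentials
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://drdomainctrl1.example.internal/: Invalid credentials
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://drdomainctrl2.example.internal/: Invalid credentials
nslcd: [a1f2e3] <authc="alice"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl1.example.internal/: Invalid credentials
"""

URI_LINE = re.compile(r"^\s*uri\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
BIND_FAIL = re.compile(r'\[([0-9a-f]+)\] <authc="([^"]+)"> DEBUG: failed to bind to LDAP server ')

def count_uris(conf_text):
    """Number of LDAP servers nslcd can fail over to: every token on every 'uri' line."""
    return sum(len(m.group(1).split()) for m in URI_LINE.finditer(conf_text))

def bind_failures(log_text):
    """Map (session id, user) -> number of failed binds within that one PAM auth request."""
    return Counter((m.group(1), m.group(2)) for m in BIND_FAIL.finditer(log_text))

def lockout_risk(conf_text, log_text, lockout_threshold):
    """Flag a config where one wrong password (one failed bind per uri) can reach the
    lockout threshold, and list the sessions in which the log already shows that."""
    uris = count_uris(conf_text)
    risky = [(sess, user, n) for (sess, user), n in sorted(bind_failures(log_text).items())
             if n >= lockout_threshold]
    return {"uris": uris, "config_at_risk": uris >= lockout_threshold, "sessions": risky}

if __name__ == "__main__":
    print(lockout_risk(SAMPLE_NSLCD_CONF, SAMPLE_LOG, lockout_threshold=3))
```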