Ubuntu
nss-pam-ldapd package

[SRU] authentication fails silently with long pam_authz_search filter

Bug #951343 reported by Matt Rae
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
nss-pam-ldapd (Ubuntu)
Fix Released
Undecided
Canonical Foundations Team
Natty
Fix Released
Medium
Chris J Arges
Oneiric
Fix Released
Medium
Chris J Arges
Precise
Fix Released
Medium
Chris J Arges
Ubuntu ubuntu-12.04.1

Bug Description

[Impact]
Linux clients that use ldap authentication with nslcd and a long pam_authz_search filter will see authentication fail silently

$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

version:
nss-pam-ldapd-0.7.13

expected:
Logging to indicate that the max filter length had been exceeded.

actual:
authentication fails silently

workaround:
Increase max filter length. char_filter_buffer in pam.c can be increased to 4096 bytes allowing for a longer search filter

[Test Case]
reproduction steps:

modify entry for 127.0.1.1 in /etc/hosts so the example.com dc is used by slapd
EX:
x.x.x.x server1
change to:
x.x.x.x server1.example.com server1

apt-get install nslcd # set search base "dc=example,dc=com". then select all for services use ldap lookups when configuring libnss-ldapd.
apt-get install slapd
dpkg-reconfigure slapd # dns name "example.com"
apt-get install migrationtools

turn on ldap authentication using pam-auth-update

stop nslcd and slapd. We'll start them in debug mode

/etc/init.d/nslcd stop
/etc/init.d/slapd stop

migrate users to ldap. edit /etc/migrationtools/migrate_common.ph and change:
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";

then run commands to create ldif exports of group and passwd
/usr/share/migrationtools/migrate_group.pl /etc/group ~/group.ldif
/usr/share/migrationtools/migrate_passwd.pl /etc/passwd ~/passwd.ldif

edit ~/people_group.ldif adding contents:
dn: ou=People, dc=example, dc=com
ou: People
objectclass: organizationalUnit

dn: ou=Group, dc=example, dc=com
ou: Group
objectclass: organizationalUnit

import data into ldap:
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/people_group.ldif
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/group.ldif
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/passwd.ldif

edit /etc/nslcd.conf adding pam_authz_search filter
pam_authz_search (&(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount))

open 2 new terminals and become root

in one terminal run nslcd in debug mode:
nslcd -d

in second terminal run slapd in debug mode:
slapd -d -1

in your original terminal attempt to sudo to a user other than root and watch the debug output in the slapd and nslcd terminals:

sudo su ubuntu

look for output in nslcd terminal "DEBUG: trying pam_authz_search" in nslcd terminal indicating filter is being used

increase search string beyond 1024 buffer and note that we're no longer seeing "Trying pam_authz_search" in the nslcd output and that authentication fails silently

[Regression Potential]
This just increases the buffer size from 1024 to 4096, it is already applied in Quantal, and this SRU simply increases this buffer size.

See original description
Matt Rae (mattrae)
description: updated
Matt Rae (mattrae)
description: updated
Rick Spencer (rick-rickspencer3)
Changed in nss-pam-ldapd (Ubuntu):
assignee: nobody → Canonical Foundations Team (canonical-foundations)
Revision history for this message
Chris J Arges (arges) wrote :

This patch increases the filter size per the bug report.
The latest SVN checkout of the code shows that this would need to be an upstream patch.

Chris J Arges (arges)
Changed in nss-pam-ldapd (Ubuntu):
status: New → In Progress
Revision history for this message
Chris J Arges (arges) wrote :

Posted patch on nss-pam-ldapd-users ML: http://lists.arthurdejong.org/nss-pam-ldapd-users/2012/date.html

tags: added: patch-forwarded-upstream
Revision history for this message
Chris J Arges (arges) wrote :

Cool, response from Arthur here:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2012/msg00064.html

Looks like he will expand the filter size, but he is unsure of the effeciency of such long searches.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.8.8-2

---------------
nss-pam-ldapd (0.8.8-2) unstable; urgency=low

  * switch PAM config back to additional because if shadow information is
    provided pam_unix accepts the user and causes pam_ldap to be skipped

 -- Arthur de Jong <email address hidden> Wed, 02 May 2012 22:48:23 +0200

Changed in nss-pam-ldapd (Ubuntu):
status: In Progress → Fix Released
Chris J Arges (arges)
Changed in nss-pam-ldapd (Ubuntu Oneiric):
assignee: nobody → Chris J Arges (christopherarges)
Revision history for this message
Chris J Arges (arges) wrote :

This bug originally affected oneiric, and also affects precise. It has been fixed in upstream and is currently in quantal. This patch does NOT apply to lucid. I have added my bzr branch of the package with the fixes in this bug so that they can be merged as an SRU. Thanks

tags: added: oneiric precise
Changed in nss-pam-ldapd (Ubuntu Precise):
assignee: nobody → Chris J Arges (christopherarges)
Changed in nss-pam-ldapd (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in nss-pam-ldapd (Ubuntu Precise):
importance: Undecided → Medium
Changed in nss-pam-ldapd (Ubuntu Oneiric):
status: New → In Progress
Changed in nss-pam-ldapd (Ubuntu Precise):
status: New → In Progress
Chris J Arges (arges)
description: updated
Chris J Arges (arges)
Changed in nss-pam-ldapd (Ubuntu Precise):
milestone: none → ubuntu-12.04.1
Revision history for this message
James Page (james-page) wrote :

Hi Chris

I took the liberty of proposing merges of your branches - reviewing now.

Un-subscribed ubuntu-sponsors as the merge-proposals will appear on the sponsoring report instead.

Thanks

James Page (james-page)
summary: - authentication fails silently with long pam_authz_search filter
+ [SRU] authentication fails silently with long pam_authz_search filter
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Matt, or anyone else affected,

Accepted nss-pam-ldapd into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/nss-pam-ldapd/0.8.4ubuntu0.1 in a few hours and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nss-pam-ldapd (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Matt Rae (mattrae) wrote :

Hi there, I confirmed the expected outcome of the increased buffer using the reproduction steps on Precise with proposed nslcd-0.8.4ubuntu0.1

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.8.4ubuntu0.1

---------------
nss-pam-ldapd (0.8.4ubuntu0.1) precise-proposed; urgency=low

  * increase buffer used for pam_authz_search (LP: #951343)
 -- Chris J Arges <email address hidden> Mon, 04 Jun 2012 11:20:14 -0500

Changed in nss-pam-ldapd (Ubuntu Precise):
status: Fix Committed → Fix Released
Chris J Arges (arges)
Changed in nss-pam-ldapd (Ubuntu Natty):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Chris J Arges (christopherarges)
Revision history for this message
Chris J Arges (arges) wrote :

Also SRUed for natty.

Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Matt, or anyone else affected,

Accepted nss-pam-ldapd into oneiric-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/nss-pam-ldapd/0.7.13ubuntu0.11.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nss-pam-ldapd (Ubuntu Oneiric):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Changed in nss-pam-ldapd (Ubuntu Natty):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Matt, or anyone else affected,

Accepted nss-pam-ldapd into natty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/nss-pam-ldapd/0.7.13ubuntu0.11.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Matt Rae (mattrae) wrote :

Thanks Adam, I'll work in getting this verified

Revision history for this message
Matt Rae (mattrae) wrote :

Thanks guys, I was able to verify in natty as well using the reproduction steps

tags: added: verification-done
removed: verification-needed
Brian Murray (brian-murray)
tags: added: verification-done-natty
removed: verification-done
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.7.13ubuntu0.11.04

---------------
nss-pam-ldapd (0.7.13ubuntu0.11.04) natty-proposed; urgency=low

  * increase buffer used for pam_authz_search (LP: #951343)
 -- Chris J Arges <email address hidden> Mon, 16 Jul 2012 08:39:03 -0500

Changed in nss-pam-ldapd (Ubuntu Natty):
status: Fix Committed → Fix Released
Brian Murray (brian-murray)
tags: added: verification-needed
Revision history for this message
Brian Murray (brian-murray) wrote :

This bug could still use verification in oneiric.

Revision history for this message
Brian Murray (brian-murray) wrote : Verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for oneiric for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Revision history for this message
Chris J Arges (arges) wrote :

Ok verified on Oneiric server amd64.

tags: added: verification-done verification-done-oneiric
removed: removal-candidate verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.7.13ubuntu0.11.10

---------------
nss-pam-ldapd (0.7.13ubuntu0.11.10) oneiric-proposed; urgency=low

  * increase buffer used for pam_authz_search (LP: #951343)
 -- Chris J Arges <email address hidden> Mon, 16 Jul 2012 08:39:03 -0500

Changed in nss-pam-ldapd (Ubuntu Oneiric):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.