Ineffective pam_authz_search filter
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
nss-pam-ldapd (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
No problem logging into server though the filter in nslcd.conf should block access (according to man page)
/etc/nslcd.conf (comments & blank lines removed)
-------
uid nslcd
gid nslcd
uri ldap://raid3.ttinet
base dc=ttinet,dc=local
rootpwmoddn cn=admin,
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/
tls_cert /etc/ssl/
tls_key /etc/ssl/
pam_authz_search (&(objectClass=
root@nxpc:~# /etc/init.d/nslcd restart
* Restarting LDAP connection daemon nslcd [ OK ]
root@nxpc:~# /etc/init.d/nscd restart
* Restarting Name Service Cache Daemon nscd [ OK ]
# /etc/init.d/nslcd status
* nslcd running (pid 4643)
# ldapsearch -x '(uid=cwhite)' host
# extended LDIF
#
# LDAPv3
# base <dc=ttinet,
# filter: (uid=cwhite)
# requesting: host
#
# cwhite, people, ttinet.local
dn: uid=cwhite,
host: equinox.ttinet
... snipped ...
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
root@nxpc:~# ldapsearch -x '(uid=cwhite)' host | grep nxpc
root@nxpc:~#
Thus 'host' (neither hostname nor fqdn) cannot be found in ldap. Still have no problem logging in to nxpc
Changed in nss-pam-ldapd (Ubuntu):
status: Confirmed → Invalid
duh - this info probably would be useful
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"
root@nxpc:~# dpkg -l libnss-ldapd libpam-ldapd nslcd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii libnss-ldapd 0.8.4 NSS module for using LDAP as a naming service
ii libpam-ldapd 0.8.4 PAM module for using LDAP as an authentication service
ii nslcd 0.8.4 Daemon for NSS and PAM lookups using LDAP