Comment 5 for bug 992737

Arthur de Jong (adejong) wrote : Re: [Bug 992737] Re: Ineffective pam_authz_search filter

On Tue, 2012-05-01 at 19:57 +0000, Craig White wrote:
> # getent shadow cwhite
> cwhite:*:15245::::::0
>
> # cat /etc/pam.d/common-account
[...]
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account [success=1 default=ignore] pam_ldap.so

This is the pam config from libpam-ldap, not libpam-ldapd (at least not
0.8.4). If you have ldap as primary you need to disable shadow lookups
to ldap in /etc/nsswitch.conf.

I can't find an upgrade scenario that would leave your config like this.
Did you have libpam-ldap installed before? Can you check if
dpkg-reconfigure libpam-ldapd changes /etc/pam.d/common-account and what
the contents of /usr/share/pam-configs/ldap is?

> root@nxpc:~# nslcd -d
> nslcd: accepting connections
> nslcd: [8b4567] DEBUG: connection from pid=20642 uid=0 gid=0
> nslcd: [8b4567] <sess_c="cwhite"> DEBUG: nslcd_pam_sess_c("cwhite","sshd",12345)
> nslcd: [7b23c6] DEBUG: connection from pid=22634 uid=0 gid=0
> nslcd: [7b23c6] <host=10.x.x.x> DEBUG: myldap_search(base="dc=ttinet,dc=local", filter="(&(objectClass=ipHost)(ipHostNumber=10.x.x.x))")
> nslcd: [3c9869] DEBUG: connection from pid=22634 uid=0 gid=0
> nslcd: [3c9869] <shadow="cwhite"> DEBUG: myldap_search(base="dc=ttinet,dc=local", filter="(&(objectClass=shadowAccount)(uid=cwhite))")
> nslcd: [334873] DEBUG: connection from pid=22634 uid=0 gid=0
> nslcd: [334873] <sess_o="cwhite"> DEBUG: nslcd_pam_sess_o("cwhite","sshd","ssh","10.x.x.x","")
>
> The only IP address it seemed to log was the origination IP address (my
> workstation), which I replaced with 10.x.x.x.

The host=10.x.x.x lookup is just the reverse hostname lookup that sshd
does on every connection (it doesn't have anything to do with
pam_authz_search). sshd doesn't ask for authentication (I'm assuming you
do key-based authentication here) and skips authorisation (account)
altogether.

If changing /etc/nsswitch.conf or fixing your PAM stack doesn't help,
can you send output of nslcd -d without nscd (or unscd) running?

--
-- arthur - <email address hidden> - http://people.debian.org/~adejong --
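As an added check, not part of this bug report or of nss-pam-ldapd itself: a small Python script that parses constructed copies of /etc/nsswitch.conf and /etc/pam.d/common-account, flags the shadow-via-ldap setting Arthur asks to disable, and lists the account stack so it can be compared with /usr/share/pam-configs/ldap. File contents and the hypothetical helper names are assumptions.

```python
"""Check the nsswitch/PAM combination discussed in this thread.
The two samples below are constructed, not the reporter's real files."""
import re

NSSWITCH_SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files [NOTFOUND=return] dns
"""

COMMON_ACCOUNT_SAMPLE = """\
# /etc/pam.d/common-account (constructed sample, as quoted in the thread)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""

# PAM line: type, control (bare word or [bracketed list]), module, arguments
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def nsswitch_sources(text, database):
    """Return the source list for one nsswitch database (e.g. 'shadow'),
    dropping comments and [STATUS=action] specifiers."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []

def pam_account_modules(text):
    """Return (control, module) pairs for the 'account' lines of a PAM file."""
    modules = []
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if m and m.group(1) == "account":
            modules.append((m.group(2), m.group(3)))
    return modules

def findings(nsswitch_text, account_text):
    """List the conditions worth reviewing per the thread's advice."""
    out = []
    if "ldap" in nsswitch_sources(nsswitch_text, "shadow"):
        out.append("shadow lookups go to ldap; with ldap as primary, use 'shadow: files'")
    stack = " -> ".join(mod for _, mod in pam_account_modules(account_text))
    out.append("account stack: " + stack + " (compare with /usr/share/pam-configs/ldap)")
    return out
```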