On Tue, 2012-05-01 at 19:57 +0000, Craig White wrote:
> # getent shadow cwhite
> cwhite:*:15245::::::0
>
> # cat /etc/pam.d/common-account
[...]
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account [success=1 default=ignore] pam_ldap.so

This is the pam config from libpam-ldap, not libpam-ldapd (at least not
0.8.4). If you have ldap as primary you need to disable shadow lookups
to ldap in /etc/nsswitch.conf.

I can't find an upgrade scenario that would leave your config like this.
Did you have libpam-ldap installed before? Can you check if
dpkg-reconfig libpam-ldapd changes /etc/pam.d/common-account and what
the contents of /usr/share/pam-configs/ldap is?

> root@nxpc:~# nslcd -d
> nslcd: accepting connections
> nslcd: [8b4567] DEBUG: connection from pid=20642 uid=0 gid=0
> nslcd: [8b4567] <sess_c="cwhite"> DEBUG: nslcd_pam_sess_c("cwhite","sshd",12345)
> nslcd: [7b23c6] DEBUG: connection from pid=22634 uid=0 gid=0
> nslcd: [7b23c6] <host=10.x.x.x> DEBUG: myldap_search(base="dc=ttinet,dc=local", filter="(&(objectClass=ipHost)(ipHostNumber=10.x.x.x))")
> nslcd: [3c9869] DEBUG: connection from pid=22634 uid=0 gid=0
> nslcd: [3c9869] <shadow="cwhite"> DEBUG: myldap_search(base="dc=ttinet,dc=local", filter="(&(objectClass=shadowAccount)(uid=cwhite))")
> nslcd: [334873] DEBUG: connection from pid=22634 uid=0 gid=0
> nslcd: [334873] <sess_o="cwhite"> DEBUG: nslcd_pam_sess_o("cwhite","sshd","ssh","10.x.x.x","")
>
> the only ip address it seemed to log was the origination ip address (my
> workstation) which I replaced with 10.x.x.x

The host=10.x.x.x lookup is just the reverse hostname lookup that sshd
does on every connection (it doesn't have anything to do with
pam_authz_search). sshd doesn't ask for authentication (I'm assuming you
do key-based authentication here) and skips authorisation (account)
altogether.

If changing /etc/nsswitch.conf or fixing your PAM stack doesn't help,
can you send output of nslcd -d without nscd (or unscd) running?
-- arthur - <email address hidden> - http://people.debian.org/~adejong --
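The combination the reply points at (the old pam_ldap.so from libpam-ldap stacked as primary while nsswitch.conf still sends shadow lookups to ldap) can be checked mechanically. The script below is an added example, not code from the thread or from the nss-pam-ldapd project; the nsswitch.conf and common-account contents are constructed samples modelled on the quoted configuration, and the sed rewrite only prints a corrected copy.

```sh
#!/bin/sh
# Added example: detect pam_ldap.so (libpam-ldap) as the account module
# while the shadow database is still resolved through ldap in nsswitch.conf.

# Print which module provides LDAP account checks in a common-account file:
# "pam_ldap.so" (libpam-ldap), "pam_ldapd.so" (libpam-ldapd) or "none".
ldap_pam_module() {
    if grep -Eq '^[[:space:]]*account[[:space:]].*pam_ldap\.so' "$1"; then
        echo pam_ldap.so
    elif grep -Eq '^[[:space:]]*account[[:space:]].*pam_ldapd\.so' "$1"; then
        echo pam_ldapd.so
    else
        echo none
    fi
}

# Succeed (exit 0) when the shadow: line in nsswitch.conf lists ldap.
shadow_uses_ldap() {
    grep -Eq '^[[:space:]]*shadow:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# Print nsswitch.conf with ldap dropped from the shadow: line; input is untouched.
shadow_without_ldap() {
    sed -E '/^[[:space:]]*shadow:/ s/[[:space:]]+ldap([[:space:]]|$)/\1/' "$1"
}

# Return 1 (with a message on stderr) for the problematic combination, else 0.
check_nss_pam() {
    mod=$(ldap_pam_module "$2")
    if [ "$mod" = pam_ldap.so ] && shadow_uses_ldap "$1"; then
        echo "pam_ldap.so (libpam-ldap) primary while shadow lookups go to ldap" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (not the real /etc files), kept in a temp dir.
tmp=$(mktemp -d)
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
EOF
cat > "$tmp/common-account" <<'EOF'
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
EOF
```

Run it as `sh check.sh` and follow with `check_nss_pam "$tmp/nsswitch.conf" "$tmp/common-account"`; a non-zero status means the shadow: line still routes to ldap behind the old pam_ldap.so stack.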