
pam_ldap + no_warn + pam_authz_search = issue?


Hi,

I decided to take nss-pam-ldapd for a spin to replace my usual padl
nss_ldap/pam_ldap setup. I spent ages trying to get pam_authz_search
working until finally I realised my sshd pam.d config for pam_ldap had a
residual no_warn from my padl pam_ldap setup. After removing the
no_warn, everything started working.

Prior to removing no_warn, I would be able to log in successfully and see
this in my auth.log:

Oct 26 16:12:10 newtcphub sshd[14836]: LDAP authorisation check failed; user=lstewart
Oct 26 16:12:10 newtcphub sshd[14834]: Accepted keyboard-interactive/pam for lstewart from X.X.X.X port 10588 ssh2


The pam_ldap man page describes the no_warn option like so:

  no_warn
    Specifies that warning messages should not be propagated
    to the PAM application.

I interpret "warning messages" to be stderr-type text messages, but
apparently no_warn also affects the actual return codes the module
passes back to PAM, in turn causing the module to be ignored in my PAM
stack.

Is having the no_warn option with a pam_ldap.so account entry expected
to make that entry effectively a nop as far as the PAM stack is
concerned? If it is, then expanding the no_warn related documentation
would be good to make this behaviour much more obvious. If it is not, is
this a bug? If it's a bug, is the bug in FreeBSD's PAM implementation or
in pam_ldap.so?

Details about the system in question are below.

Cheers,
Lawrence


root@newtcphub:/root # uname -a
FreeBSD newtcphub 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #2 r242028: Thu Oct 25 13:38:48 EST 2012     root@newtcphub:/usr/obj/usr/src/sys/GENERIC  amd64

root@newtcphub:/root # pkg info -x nss-pam-ldap
nss-pam-ldapd-0.8.10           Advanced fork of nss_ldap


root@newtcphub:/root # grep account /etc/pam.d/sshd
# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

root@newtcphub:/root # cat /usr/local/etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://X.X.X.X
base dc=blah
ssl start_tls
tls_reqcert allow
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=$fqdn))
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
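The question above turns on how the PAM stack combines the return code of the `account sufficient pam_ldap.so` line with the lines around it. The following is an added example, not code from the post, from nss-pam-ldapd or from FreeBSD: a small model of stack evaluation that follows the control-flag expansions documented in Linux-PAM's pam.conf(5) (required, requisite, sufficient, optional), fed the account stack from the posted /etc/pam.d/sshd with constructed return codes for pam_ldap.so. FreeBSD's OpenPAM is a separate implementation and is not modelled; check its pam.conf(5) for the equivalent rules before relying on this for a FreeBSD host. What the model shows is which pam_ldap.so results can change the outcome of that stack: under `sufficient` a failure falls through to pam_unix.so, under `required` a failure denies, and a PAM_IGNORE makes the line a nop under every control flag.

```python
"""Model of PAM stack evaluation (added example, not from nss-pam-ldapd).

Assumption: the control-flag expansions below are Linux-PAM's documented
pam.conf(5) equivalents; OpenPAM (FreeBSD) is not modelled.
  required   [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
  requisite  [success=ok new_authtok_reqd=ok ignore=ignore default=die]
  sufficient [success=done new_authtok_reqd=done default=ignore]
  optional   [success=ok new_authtok_reqd=ok default=ignore]
"""
from typing import Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
PAM_IGNORE = "PAM_IGNORE"

# Keyword -> {return code: action}; "default" covers every other code.
CONTROL: Dict[str, Dict[str, str]] = {
    "required":   {PAM_SUCCESS: "ok", PAM_NEW_AUTHTOK_REQD: "ok",
                   PAM_IGNORE: "ignore", "default": "bad"},
    "requisite":  {PAM_SUCCESS: "ok", PAM_NEW_AUTHTOK_REQD: "ok",
                   PAM_IGNORE: "ignore", "default": "die"},
    "sufficient": {PAM_SUCCESS: "done", PAM_NEW_AUTHTOK_REQD: "done",
                   "default": "ignore"},
    "optional":   {PAM_SUCCESS: "ok", PAM_NEW_AUTHTOK_REQD: "ok",
                   "default": "ignore"},
}

Entry = Tuple[str, str]  # (control flag, module name)

# The account stack from the posted /etc/pam.d/sshd (commented pam_krb5 omitted).
SSHD_ACCOUNT: List[Entry] = [
    ("required",   "pam_nologin.so"),
    ("required",   "pam_login_access.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_unix.so"),
]


def run_stack(stack: List[Entry], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate a stack; `results` gives each module's return code (default
    PAM_SUCCESS). Returns (overall result, modules that were actually called)."""
    impression: Optional[bool] = None   # None = undecided, True = positive, False = negative
    status: Optional[str] = None
    consulted: List[str] = []
    for control, module in stack:
        retval = results.get(module, PAM_SUCCESS)
        consulted.append(module)
        action = CONTROL[control].get(retval, CONTROL[control]["default"])
        if action in ("ok", "done"):
            # A positive result only overrides an undecided stack or a prior
            # plain success; it never masks an earlier recorded failure.
            if impression is None or (impression is True and status == PAM_SUCCESS):
                impression, status = True, retval
            if action == "done" and impression is True:
                break                     # sufficient: stop here with success
        elif action == "bad":
            if impression is not False:   # first failure is the one reported
                impression, status = False, retval
        elif action == "die":
            impression, status = False, retval
            break                         # requisite: stop immediately
        # "ignore": the module contributes nothing to the result
    if impression is None:
        status = PAM_PERM_DENIED          # nothing contributed: fail closed
    return status, consulted


def ldap_outcomes(control: str) -> Dict[str, Tuple[str, bool]]:
    """For each constructed pam_ldap.so return code, the stack result and
    whether pam_unix.so was still consulted, with pam_ldap.so under `control`."""
    stack = [(control if m == "pam_ldap.so" else c, m) for c, m in SSHD_ACCOUNT]
    outcomes = {}
    for ldap_rc in (PAM_SUCCESS, PAM_PERM_DENIED, PAM_IGNORE):
        status, consulted = run_stack(stack, {"pam_ldap.so": ldap_rc})
        outcomes[ldap_rc] = (status, "pam_unix.so" in consulted)
    return outcomes


if __name__ == "__main__":
    for flag in ("sufficient", "required", "requisite"):
        print(f"pam_ldap.so as {flag}:")
        for rc, (status, unix_ran) in ldap_outcomes(flag).items():
            print(f"  pam_ldap returns {rc:16} -> stack {status:16} pam_unix consulted={unix_ran}")
```

Run it and compare the `sufficient` and `required` rows: under the posted stack a denial from pam_ldap.so is ignored and pam_unix.so decides, so the LDAP authorization check can only ever shorten the stack, never block a login. If the intent is for pam_authz_search to be enforced, the line needs a control flag whose failure counts (required or requisite), and a module that answers PAM_IGNORE remains invisible to the stack whichever flag is used.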