nslcd_pam_authz not being processed
- From: Manpreet Singh Nehra <manpreet.nehra [at] lazada.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: nslcd_pam_authz not being processed
- Date: Tue, 26 Aug 2014 18:09:42 +0700
I know this has been posted before but I couldn't find a solution. Here are the details of my problem.

Operating System: RHEL 6.5

1. nss-pam-ldapd version

# rpm -qa |grep nss-pam-ldapd
nss-pam-ldapd-0.8.12-rhel6.13.1.x86_64
2. nslcd.conf

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid ldap

# The location at which the LDAP server(s) should be reachable.
uri ldaps://example.com
#
# The search base that will be used for all queries.
base dc=example,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=user,ou=users,ou=services,dc=example,dc=com
bindpw somepassword

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl off
tls_reqcert allow
tls_cacertfile /etc/ssl/ca.crt
# The search scope.
#scope sub

map passwd gecos displayName
pam_authz_search (|(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))(&(objectClass=posixGroup)(memberUid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*))))
3. /etc/pam_ldap.conf

base dc=example,dc=com
uri ldaps://example.com
ssl on
tls_cacert /etc/ssl/ca.crt
pam_password md5
4. nslcd debug

# nslcd -d
nslcd: DEBUG: add_uri(ldaps://example.com)
nslcd: DEBUG: add_uri(ldaps://sysoffice.russia)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,3)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/ssl/russia-ca.crt")
nslcd: version 0.8.12 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",55) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=17682 uid=0 gid=0
nslcd: [8b4567] <passwd="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_initialize(ldaps://example.com)
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_simple_bind_s("cn=someuser,ou=users,ou=services,dc=example,dc=com","***") (uri="ldaps://example.com")
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7b23c6] DEBUG: connection from pid=23118 uid=490 gid=490
nslcd: [7b23c6] <passwd=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uidNumber=10001))")
nslcd: [7b23c6] <passwd=10001> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [7b23c6] <passwd=10001> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] DEBUG: connection from pid=23118 uid=490 gid=490
nslcd: [3c9869] <group=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixGroup)(gidNumber=10001))")
nslcd: [3c9869] <group=10001> DEBUG: ldap_result(): cn=System Admins,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [3c9869] <group=10001> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] DEBUG: connection from pid=23118 uid=490 gid=490
nslcd: [334873] <passwd=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uidNumber=10001))")
nslcd: [334873] <passwd=10001> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [334873] <passwd=10001> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b0dc51] DEBUG: connection from pid=23118 uid=490 gid=490
nslcd: [b0dc51] <group=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixGroup)(gidNumber=10001))")
nslcd: [b0dc51] <group=10001> DEBUG: ldap_result(): cn=System Admins,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [b0dc51] <group=10001> DEBUG: ldap_result(): end of results (1 total)
nslcd: [495cff] DEBUG: connection from pid=23118 uid=490 gid=490
nslcd: [495cff] <group=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixGroup)(gidNumber=10001))")
nslcd: [495cff] <group=10001> DEBUG: ldap_result(): cn=System Admins,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [495cff] <group=10001> DEBUG: ldap_result(): end of results (1 total)
nslcd: [e8944a] DEBUG: connection from pid=32056 uid=0 gid=0
nslcd: [e8944a] <passwd="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_initialize(ldaps://example.com)
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_set_rebind_proc()
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_simple_bind_s("cn=someuser,ou=users,ou=services,dc=example,dc=com","***") (uri="ldaps://example.com")
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [e8944a] <passwd="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [5558ec] DEBUG: connection from pid=32056 uid=0 gid=0
nslcd: [5558ec] <group/member="nobody"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=nobody))")
nslcd: [5558ec] <group/member="nobody"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [5558ec] <group/member="nobody"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixGroup)(memberUid=nobody))")
nslcd: [5558ec] <group/member="nobody"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [8e1f29] DEBUG: connection from pid=32056 uid=0 gid=0
nslcd: [8e1f29] <passwd="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [8e1f29] <passwd="mnehra"> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [8e1f29] <passwd="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [e87ccd] DEBUG: connection from pid=32056 uid=0 gid=0
nslcd: [e87ccd] <passwd="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [e87ccd] <passwd="mnehra"> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [e87ccd] <passwd="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [1b58ba] DEBUG: connection from pid=32056 uid=0 gid=0
nslcd: [1b58ba] <passwd="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [1b58ba] <passwd="mnehra"> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [1b58ba] <passwd="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7ed7ab] DEBUG: connection from pid=32056 uid=0 gid=0
nslcd: [7ed7ab] <passwd="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [7ed7ab] <passwd="mnehra"> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [7ed7ab] <passwd="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b141f2] DEBUG: connection from pid=32056 uid=0 gid=0
nslcd: [b141f2] <passwd="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [b141f2] <passwd="mnehra"> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [b141f2] <passwd="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b71efb] DEBUG: connection from pid=32056 uid=0 gid=0
nslcd: [b71efb] <passwd="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [b71efb] <passwd="mnehra"> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [b71efb] <passwd="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [e2a9e3] DEBUG: connection from pid=32064 uid=0 gid=10001
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_initialize(ldaps://example.com)
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_set_rebind_proc()
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_simple_bind_s("cn=someuser,ou=users,ou=services,dc=example,dc=com","***") (uri="ldaps://example.com")
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixGroup)(|(memberUid=mnehra)(member=cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com)))")
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_result(): cn=System Admins,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [45e146] DEBUG: connection from pid=32056 uid=0 gid=0
nslcd: [45e146] <passwd=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uidNumber=10001))")
nslcd: [45e146] <passwd=10001> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [45e146] <passwd=10001> DEBUG: ldap_result(): end of results (1 total)
nslcd: [5f007c] DEBUG: connection from pid=32056 uid=0 gid=0
nslcd: [5f007c] <passwd="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [5f007c] <passwd="mnehra"> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [5f007c] <passwd="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [d062c2] DEBUG: connection from pid=32066 uid=10001 gid=10001
nslcd: [d062c2] <passwd=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uidNumber=10001))")
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_initialize(ldaps://example.com)
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_set_rebind_proc()
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_simple_bind_s("cn=someuser,ou=users,ou=services,dc=example,dc=com","***") (uri="ldaps://example.com")
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [d062c2] <passwd=10001> DEBUG: ldap_result(): end of results (1 total)
nslcd: [200854] DEBUG: connection from pid=32068 uid=10001 gid=10001
nslcd: [200854] <passwd=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uidNumber=10001))")
nslcd: [200854] <passwd=10001> DEBUG: ldap_initialize(ldaps://example.com)
nslcd: [200854] <passwd=10001> DEBUG: ldap_set_rebind_proc()
nslcd: [200854] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [200854] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [200854] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [200854] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [200854] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [200854] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [200854] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [200854] <passwd=10001> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [200854] <passwd=10001> DEBUG: ldap_simple_bind_s("cn=someuser,ou=users,ou=services,dc=example,dc=com","***") (uri="ldaps://example.com")
nslcd: [200854] <passwd=10001> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [200854] <passwd=10001> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b127f8] DEBUG: connection from pid=32082 uid=10001 gid=10001
nslcd: [b127f8] <group=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixGroup)(gidNumber=10001))")
nslcd: [b127f8] <group=10001> DEBUG: ldap_result(): cn=System Admins,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [b127f8] <group=10001> DEBUG: ldap_result(): end of results (1 total)
nslcd: [16231b] DEBUG: connection from pid=32084 uid=10001 gid=10001
nslcd: [16231b] <passwd=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uidNumber=10001))")
nslcd: [16231b] <passwd=10001> DEBUG: ldap_result(): cn=mnehra,ou=System Admins,ou=People,dc=example,dc=com
nslcd: [16231b] <passwd=10001> DEBUG: ldap_result(): end of results (1 total)
^Cnslcd: caught signal SIGINT (2), shutting down
nslcd: DEBUG: ldap_unbind()
nslcd: DEBUG: ldap_unbind()
nslcd: DEBUG: ldap_unbind()
nslcd: DEBUG: ldap_unbind()
nslcd: DEBUG: ldap_unbind()
5. /etc/nsswitch.conf

passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files ldap
netgroup:   files ldap
automount:  files ldap
aliases:    files nisplus
sudoers:    ldap files
6. /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
As you will notice from the debug log, pam_authz_search is never called, since there is no nslcd_pam_authz statement anywhere in the debug output. I have been trying to figure this out for the past 3-4 months.

How do I make sure pam_authz_search is always called?

Manpreet Singh Nehra
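An added check, not part of the post: a small Python script that sorts nslcd -d output by request type and confirms what the poster observed, namely that only NSS lookups (passwd, group, group/member) reach nslcd and no PAM request does, so nslcd never gets to evaluate pam_authz_search. The sample lines are constructed to mirror the log above; the <authc=...>/<authz=...> tag names and the nslcd_pam_* call names for the PAM path are assumptions about nslcd's debug format.

```python
import re
from collections import Counter

# Request tag nslcd prints after the connection id, e.g. <passwd="mnehra">,
# <group=10001>, <group/member="mnehra">. A PAM request would carry a tag such
# as <authc="mnehra"> or <authz="mnehra"> (assumed names, not from the post).
REQUEST_TAG = re.compile(r'^nslcd: \[[0-9a-f]+\] <([a-z/]+)=([^>]*)> DEBUG: ')
# nslcd 0.8.x also logs its PAM entry points by name; the poster grepped for
# nslcd_pam_authz. The exact set of names is an assumption.
PAM_CALL = re.compile(r'\bnslcd_pam_(authc|authz|sess_o|sess_c|pwmod)\(')
PAM_KINDS = {"authc", "authz", "pam_authc", "pam_authz"}

# Constructed sample in the format of the debug log above.
SAMPLE_LOG = """\
nslcd: [8b4567] DEBUG: connection from pid=17682 uid=0 gid=0
nslcd: [8b4567] <passwd="mnehra"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=mnehra))")
nslcd: [8b4567] <passwd="mnehra"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] DEBUG: connection from pid=23118 uid=490 gid=490
nslcd: [3c9869] <group=10001> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixGroup)(gidNumber=10001))")
nslcd: [e2a9e3] <group/member="mnehra"> DEBUG: ldap_result(): end of results (1 total)
""".splitlines()


def classify(lines):
    """Count requests per kind (one per connection/kind/key) and PAM entry calls."""
    kinds = Counter()
    seen = set()
    pam_calls = 0
    for line in lines:
        m = REQUEST_TAG.match(line)
        if m:
            conn = line.split("]")[0]          # "nslcd: [8b4567" identifies the connection
            key = (conn, m.group(1), m.group(2))
            if key not in seen:                # a request logs several lines; count it once
                seen.add(key)
                kinds[m.group(1)] += 1
        if PAM_CALL.search(line):
            pam_calls += 1
    return kinds, pam_calls


def report(lines):
    """Summarise which lookups reached nslcd and whether any PAM request did."""
    kinds, pam_calls = classify(lines)
    nss = {k: v for k, v in kinds.items() if k not in PAM_KINDS}
    pam = sum(v for k, v in kinds.items() if k in PAM_KINDS) + pam_calls
    return {"nss_requests": nss, "pam_requests": pam, "authz_seen": pam > 0}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved nslcd -d capture; "authz_seen": False with a non-empty nss_requests means nslcd is serving name-service lookups but the PAM stack's authentication and authorization calls are not arriving at nslcd at all.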