Re: Preventing NSS from querying LDAP for system users
Hey Arthur,

Arthur de Jong wrote:
> Anyway, attached is a patch (against svn but not yet in svn) that
> implements this option. Testing and feedback is welcome. One
> known issue (that I'm going to ignore) is that username comparison is
> case insensitive. So if you add a joe to nss_initgroups_ignoreusers and
> have a Joe LDAP user, lookups for Joe would not return any LDAP groups.
> 
> Note that a special value ALLLOCAL was introduced. This adds all
> non-LDAP users to this list (suggestions for a better name are welcome).

I noticed that when credentials are provided during the sudo process, the
function nslcd_group_byname is being called with a parameter I don't
understand. Instead of calling it with the group corresponding to the user
that nslcd_passwd_byname is being passed (i.e., the user invoking sudo), it
seems to call it with the binddn specified in nslcd.conf. This obviously will
never work if the LDAP server is disconnected. Shouldn't nslcd_group_byname be
called with the primary gid of the user invoking sudo? I could cache the
negative

FWIW, here is a copy of the nslcd output when credentials are provided to
sudo, the relevant output from slapd for the same time period, and relevant
parts of nslcd.conf:

## nslcd.conf
uri ldap://localhost:389
base dc=example,dc=com
ldap_version 3
binddn cn=nslcdbind,dc=example,dc=com
bindpw SECRET
timelimit 3
bind_timelimit 2
reconnect_maxsleeptime 5
nss_initgroups_ignoreusers ALLLOCAL
<...snip tls stuff...>


## nslcd output
nslcd: [04823e] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [04823e] DEBUG: nslcd_passwd_byname(ryans)
nslcd: [04823e] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=ryans))")
nslcd: [04823e] DEBUG: ldap_result(): end of results
nslcd: [465f01] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [465f01] DEBUG: nslcd_passwd_byname(ryans)
nslcd: [465f01] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=ryans))")
nslcd: [465f01] DEBUG: ldap_result(): end of results
nslcd: [24c67e] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [24c67e] DEBUG: nslcd_pam_authc("ryans","","sudo","***")
nslcd: [24c67e] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=ryans))")
nslcd: [24c67e] DEBUG: ldap_initialize(ldap://localhost:389)
nslcd: [24c67e] DEBUG: ldap_set_rebind_proc()
nslcd: [24c67e] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [24c67e] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [24c67e] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,3)
nslcd: [24c67e] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,3)
nslcd: [24c67e] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,3)
nslcd: [24c67e] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [24c67e] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [24c67e] DEBUG: ldap_start_tls_s()
nslcd: [24c67e] DEBUG: ldap_simple_bind_s("uid=ryans,ou=Users,dc=example,dc=com","*****") (uri="ldap://localhost:389")
nslcd: [24c67e] connected to LDAP server ldap://localhost:389
nslcd: [24c67e] DEBUG: myldap_search(base="uid=ryans,ou=Users,dc=example,dc=com", filter="(objectClass=posixAccount)")
nslcd: [24c67e] DEBUG: ldap_unbind()
nslcd: [482a97] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [482a97] DEBUG: nslcd_passwd_byname(ryans)
nslcd: [482a97] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=ryans))")
nslcd: [482a97] DEBUG: ldap_result(): end of results
nslcd: [63b9ea] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [63b9ea] DEBUG: nslcd_group_byname(admin)
nslcd: [63b9ea] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixGroup)(cn=nslcdbind))")
nslcd: [63b9ea] DEBUG: ldap_result(): end of results
nslcd: [884adc] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [884adc] DEBUG: nslcd_pam_sess_o("","","sudo","/dev/pts/0","localhost","ryans")
nslcd: [ead36b] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [ead36b] DEBUG: nslcd_pam_sess_c("","","sudo",12345)

## slapd output
SRCH "dc=example,dc=com" 2 0    0 3 0
conn=16 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryans))"
conn=16 op=3 SRCH attr=userPassword cn gidNumber uidNumber loginShell objectClass gecos uid homeDirectory
query template of incoming query = (&(objectClass=)(uid=))
QUERY ANSWERABLE
SRCH "dc=example,dc=com" 2 0    0 3 0
conn=13 op=4 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=admin))"
conn=13 op=4 SRCH attr=cn userPassword memberUid gidNumber uniqueMember
query template of incoming query = (&(objectClass=)(cn=))
QUERY NOT ANSWERABLE
QUERY CACHEABLE
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
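The oddity the poster points out (a nslcd_group_byname(admin) request whose LDAP filter carries cn=nslcdbind, the bind DN's RDN, rather than the requested group) is easy to miss in a long nslcd debug trace. The checker below is an added example, not part of the original message and not nss-pam-ldapd's own code: it groups nslcd debug lines by request id, pairs each nslcd_*_byname call with the filter(s) it sent to LDAP, and reports lookups where the name in the filter differs from the name that was asked for. The log excerpt embedded in it is constructed to mirror the lines quoted above; the third request id (1a2b3c) and its consistent cn=admin filter are made up for contrast.

```python
"""Cross-check nslcd debug output: does each *_byname lookup query LDAP for
the name it was asked for?  Added example, not nss-pam-ldapd code."""
import re
from collections import OrderedDict

# Constructed sample modelled on the nslcd debug lines quoted in the post.
# Request 1a2b3c is invented: a group lookup whose filter matches its argument.
SAMPLE_LOG = """\
nslcd: [04823e] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [04823e] DEBUG: nslcd_passwd_byname(ryans)
nslcd: [04823e] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=ryans))")
nslcd: [04823e] DEBUG: ldap_result(): end of results
nslcd: [24c67e] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [24c67e] DEBUG: nslcd_pam_authc("ryans","","sudo","***")
nslcd: [24c67e] DEBUG: ldap_simple_bind_s("uid=ryans,ou=Users,dc=example,dc=com","*****") (uri="ldap://localhost:389")
nslcd: [24c67e] connected to LDAP server ldap://localhost:389
nslcd: [63b9ea] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [63b9ea] DEBUG: nslcd_group_byname(admin)
nslcd: [63b9ea] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixGroup)(cn=nslcdbind))")
nslcd: [63b9ea] DEBUG: ldap_result(): end of results
nslcd: [1a2b3c] DEBUG: connection from pid=10760 uid=0 gid=2040
nslcd: [1a2b3c] DEBUG: nslcd_group_byname(admin)
nslcd: [1a2b3c] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixGroup)(cn=admin))")
nslcd: [1a2b3c] DEBUG: ldap_result(): end of results
"""

# "nslcd: [<request id>] [DEBUG: ]<message>"
LINE_RE = re.compile(r'^nslcd: \[(?P<rid>[0-9a-f]+)\] (?:DEBUG: )?(?P<msg>.*)$')
# The NSS request functions whose first argument is the looked-up key.
REQ_RE = re.compile(r'^(?P<func>nslcd_(?:passwd|group)_by(?:name|uid|gid))\((?P<arg>[^,)]*)')
FILTER_RE = re.compile(r'filter="(?P<filter>[^"]*)"')
# The key attribute inside the filter, e.g. (uid=ryans) or (cn=admin).
KEY_RE = re.compile(r'\((?:uid|cn|uidNumber|gidNumber)=(?P<val>[^)]*)\)')


def parse_requests(log_text):
    """Group lines by nslcd request id.  For each request record the NSS
    function and its argument, every LDAP filter it issued, and whether it
    performed its own bind (as nslcd_pam_authc does with the user's DN)."""
    requests = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rid, msg = m.group('rid'), m.group('msg')
        req = requests.setdefault(
            rid, {'func': None, 'arg': None, 'filters': [], 'bound': False})
        rm = REQ_RE.match(msg)
        if rm:
            req['func'] = rm.group('func')
            req['arg'] = rm.group('arg').strip('"')
        fm = FILTER_RE.search(msg)
        if fm:
            req['filters'].append(fm.group('filter'))
        if msg.startswith('ldap_simple_bind_s('):
            req['bound'] = True
    return requests


def find_mismatches(requests):
    """Return (rid, func, requested name, filter) for *_byname lookups whose
    filter searches for a different name than the one requested.  The
    comparison is case-insensitive, matching LDAP's usual uid/cn matching."""
    mismatches = []
    for rid, req in requests.items():
        if not req['func'] or not req['func'].endswith('byname'):
            continue
        for flt in req['filters']:
            km = KEY_RE.search(flt)
            if km and km.group('val').lower() != req['arg'].lower():
                mismatches.append((rid, req['func'], req['arg'], flt))
    return mismatches


if __name__ == '__main__':
    reqs = parse_requests(SAMPLE_LOG)
    for rid, func, arg, flt in find_mismatches(reqs):
        print('[%s] %s(%s) queried LDAP with filter %s' % (rid, func, arg, flt))
```

Feed it `nslcd -d` output (or the syslog lines nslcd writes in debug mode) in place of the constructed sample; any request it prints is one where the name nslcd searched for is not the name the NSS caller supplied, which is exactly the symptom described in the message.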