trouble using pam_authz_search

Hello,

First off, sorry for the long post! I'm trying to use the pam_authz_search
example for host-based authentication without success. I believe my issue is
with my PAM configuration, but I've been unable to find a solution. If I use a
simple /etc/pam.d/common-account config of:

account    [success=done new_authtok_reqd=done default=ignore]   pam_unix.so
account    sufficient   pam_ldap.so minimum_uid=1000
account    required     pam_deny.so

I can sign in with all LDAP users, and the pam_authz_search string is ignored.
I saw from a previous mailing list post by Guillaume that this is expected
behavior. However, if I use either of the configurations suggested by Arthur in
the same thread, nslcd simply segfaults during the authentication process.

Below is the output from an authentication attempt using the following 
/etc/pam.d/common-account config:

account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_unix.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000

nslcd -d output:
nslcd: DEBUG: add_uri(ldaps://ldap1.xetus.com)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/usr/share/ca-certificates/xetus/gnuxetusca.crt")
nslcd: version 0.7.13 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(112) done
nslcd: DEBUG: setuid(104) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=6333 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(tkent)
nslcd: [8b4567] DEBUG: myldap_search(base="dc=xetus,dc=com", filter="(&(objectClass=posixAccount)(uid=tkent))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldaps://ldap1.xetus.com)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,5)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,5)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,5)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap1.xetus.com")
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=6333 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(tkent)
nslcd: [7b23c6] DEBUG: myldap_search(base="dc=xetus,dc=com", filter="(&(objectClass=posixAccount)(uid=tkent))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldaps://ldap1.xetus.com)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,5)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,5)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,5)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap1.xetus.com")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=6333 uid=0 gid=0
nslcd: [3c9869] DEBUG: nslcd_pam_authc("tkent","","sshd","***")
nslcd: [3c9869] DEBUG: myldap_search(base="dc=xetus,dc=com", filter="(&(objectClass=posixAccount)(uid=tkent))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldaps://ldap1.xetus.com)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,5)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,5)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,5)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap1.xetus.com")
nslcd: [3c9869] DEBUG: myldap_search(base="cn=Terence Kent,ou=people,dc=xetus,dc=com", filter="(objectClass=posixAccount)")
nslcd: [3c9869] DEBUG: ldap_initialize(ldaps://ldap1.xetus.com)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,5)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,5)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,5)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s("cn=Terence Kent,ou=people,dc=xetus,dc=com","***") (uri="ldaps://ldap1.xetus.com")
nslcd: [3c9869] DEBUG: ldap_unbind()
nslcd: [3c9869] DEBUG: bind successful
nslcd: [334873] DEBUG: connection from pid=6333 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_byname(tkent)
nslcd: [334873] DEBUG: myldap_search(base="dc=xetus,dc=com", filter="(&(objectClass=posixAccount)(uid=tkent))")
nslcd: [334873] DEBUG: ldap_initialize(ldaps://ldap1.xetus.com)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,5)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,5)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,5)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [334873] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap1.xetus.com")
nslcd: [334873] DEBUG: ldap_result(): end of results
nslcd: [b0dc51] DEBUG: connection from pid=6333 uid=0 gid=0
nslcd: [b0dc51] DEBUG: nslcd_passwd_byname(tkent)
nslcd: [b0dc51] DEBUG: myldap_search(base="dc=xetus,dc=com", filter="(&(objectClass=posixAccount)(uid=tkent))")
nslcd: [b0dc51] DEBUG: ldap_initialize(ldaps://ldap1.xetus.com)
nslcd: [b0dc51] DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,5)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,5)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,5)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap1.xetus.com")
nslcd: [b0dc51] DEBUG: ldap_result(): end of results
nslcd: [495cff] DEBUG: connection from pid=6333 uid=0 gid=0
nslcd: [495cff] DEBUG: nslcd_pam_authz("tkent","cn=Terence Kent,ou=people,dc=xetus,dc=com","sshd","","172.16.1.17","ssh")
Segmentation fault
More details about my setup:

I'm using Ubuntu 10.04 server and nslcd/libnss-ldapd/libpam-ldapd version 
0.7.13 (I ran into the SSL connection bug in the supported version, 0.7.2, so I 
had to upgrade).

/etc/nslcd.conf:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The base to search beneath
base dc=xetus,dc=com

# Connection related stuff
uri ldaps://ldap1.xetus.com
ssl on
tls_cacertfile /usr/share/ca-certificates/xetus/gnuxetusca.crt

# The LDAP protocol version to use.
ldap_version 3

# Policy information. Keep the time limits low to avoid huge hangs when LDAP is down
timelimit 5
bind_timelimit 5

# This is not supported until version 0.7.4, which is another reason we need to install 0.7.13
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)))

Thanks in advance!
Terence
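An added example, not from the post or from nss-pam-ldapd itself: it expands a pam_authz_search template like the one in the nslcd.conf above (substituting the $username, $hostname and $fqdn variables the post uses) and evaluates the resulting LDAP filter against constructed directory entries, so a host-based filter can be checked offline before it goes into nslcd.conf. The filter-value escaping and the small filter evaluator are this example's own, and say nothing about how nslcd implements them internally.

```python
import re
from string import Template

# Constructed sample directory entries (attribute names lowercased), not from the post.
ENTRIES = [
    {'objectclass': ['posixAccount'], 'uid': ['tkent'], 'host': ['web1', 'web1.example.com']},
    {'objectclass': ['posixAccount'], 'uid': ['jdoe'], 'host': ['db1.example.com']},
]
# The pam_authz_search template from the post's nslcd.conf.
AUTHZ = '(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)))'

def _escape(value):
    # RFC 4515 escaping, so a substituted value cannot add or close filter components.
    return re.sub(r'[\\*()\0]', lambda m: '\\%02x' % ord(m.group()), value)
def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def expand_authz_search(template, username, hostname, fqdn):
    """Substitute the $username/$hostname/$fqdn variables, escaping each value."""
    return Template(template).substitute(
        username=_escape(username), hostname=_escape(hostname), fqdn=_escape(fqdn))

def parse_filter(s, i=0):
    """Parse the filter item at s[i]; returns (node, index after it). Handles &, |
    and equality/presence items, which is all the post's filter uses."""
    assert s[i] == '('
    i += 1
    if s[i] in '&|':
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            kid, i = parse_filter(s, i)
            kids.append(kid)
        assert s[i] == ')'
        return (op, kids), i + 1
    end = s.index(')', i)
    attr, _, value = s[i:end].partition('=')
    return ('=', attr.lower(), _unescape(value)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] in '&|':
        combine = all if node[0] == '&' else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    return bool(values) if value == '*' else any(v.lower() == value.lower() for v in values)

def authorized(template, username, hostname, fqdn, entries=ENTRIES):
    """True when the expanded pam_authz_search filter matches at least one entry."""
    node, _ = parse_filter(expand_authz_search(template, username, hostname, fqdn))
    return any(matches(node, e) for e in entries)
```

With the sample entries, tkent is admitted on web1 but not on db1, and jdoe only on db1; a username containing filter metacharacters is escaped rather than changing the filter's structure.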

