
Re: trouble using pam_authz_search


On Fri, 2011-06-03 at 19:28 -0700, Terence Kent wrote:
> First off, sorry for the long post!

No problem. It's good that most information is present.

> I'm trying to use the pam_authz_search example for host based
> authentication without success. I believe my issue is with my pam
> configuration, but I've been unable to find a solution. If I use a
> simple /etc/pam.d/common-account config of:
> 
> account    [success=done new_authtok_reqd=done default=ignore]   pam_unix.so
> account    sufficient   pam_ldap.so minimum_uid=1000
> account    required     pam_deny.so
> 
> I can sign in with all ldap users, and the pam_authz_search string is
> ignored.

The problem with the above stack is that if pam_unix finds shadow
information and says that it is OK, pam_ldap is skipped. To work in this
stack /etc/nsswitch.conf shouldn't let ldap provide shadow information.
From the log below it doesn't seem that shadow information is found in
LDAP though so there could be something else wrong.

You could add the debug option to both pam_unix and pam_ldap and get
more information from syslog.

> I saw from a previous mailing list post by Guillaume, that this is
> expected behavior. However, if I use either of the suggested
> configurations by Arthur in the same thread, nslcd simply segment
> faults during the authentication process.
> 
> Below is the output from an authentication attempt using the
> following /etc/pam.d/common-account config:
> 
> account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore 
> authinfo_unavail=ignore default=bad]        pam_unix.so
> account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore 
> authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000
> 
> nslcd -d output:
[...]
> nslcd: [495cff] DEBUG: nslcd_pam_authz("tkent","cn=Terence 
> Kent,ou=people,dc=xetus,dc=com","sshd","","172.16.1.17","ssh")
> Segmentation fault

The handshake seems reasonable but the segmentation fault is a bug
somewhere. Can you provide a backtrace using gdb [1]? Depending on where
the bug is, it may be interesting to have the libldap*-dbg,
libgcrypt*-dbg, libgnutls*-dbg and libc6-dbg packages installed.

A backtrace can be generated with:
  % gdb --args nslcd -d
  (gdb) r
  [try to cause the segmentation fault]
  (gdb) thread apply all bt full
  [hit enter a couple of times]

> pam_authz_search 
> (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)))

Note that the $fqdn expansion was only introduced in 0.8.1 so isn't
available yet in 0.7.13. In any case, I would really like to know the
source of the segmentation fault.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
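The point made above about the first stack (a `success=done` on pam_unix ends the account stack before pam_ldap, and therefore pam_authz_search, is ever consulted) can be checked with a small model of how Linux-PAM walks a stack. This is an added example, not code from this thread or from nss-pam-ldapd: it encodes the `[value=action]` controls and the `required`/`sufficient` keywords as pam.d(5) documents them, in simplified form (`done` terminates only while the stack is still succeeding; `die` terminates on failure; an integer action jumps over that many modules), and feeds constructed module return values instead of calling PAM. The scenario names, the `PAM_*` string constants and the `run_stack`/`parse_control` helpers are assumptions of this example.

```python
import re

# Constructed return-value names standing in for the real PAM_* codes.
PAM_SUCCESS = "success"
PAM_NEW_AUTHTOK_REQD = "new_authtok_reqd"
PAM_USER_UNKNOWN = "user_unknown"
PAM_AUTHINFO_UNAVAIL = "authinfo_unavail"
PAM_PERM_DENIED = "perm_denied"

# Keyword controls expanded the way pam.d(5) defines them.
SHORTHAND = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Turn 'sufficient' or '[success=done default=ignore]' into {value: action}."""
    control = SHORTHAND.get(control, control)
    match = re.fullmatch(r"\[(.*)\]", control.strip())
    if not match:
        raise ValueError("unrecognised control field: %r" % control)
    actions = {}
    for pair in match.group(1).split():
        value, action = pair.split("=", 1)
        actions[value] = action
    return actions


def run_stack(stack, results):
    """Simplified walk of one PAM stack; returns (final status, modules executed).

    stack:   [(control, module), ...] in /etc/pam.d order
    results: {module: return value} each module would produce (constructed)
    """
    status = None      # no module has contributed to the result yet
    failed = False     # once a bad/die result is recorded the status is frozen
    executed = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        retval = results[module]
        executed.append(module)
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue                          # result does not count at all
        if action in ("bad", "die"):
            if not failed:
                status, failed = retval, True
            if action == "die":
                break                         # stop the stack immediately
            continue
        # ok / done / N: adopt this result unless an earlier failure is frozen
        if not failed and status in (None, PAM_SUCCESS):
            status = retval
        if action == "done" and not failed:
            break                             # stop, skipping everything below
        if action.isdigit():
            i += int(action)                  # jump over the next N modules
    return (status if status is not None else PAM_PERM_DENIED, executed)


# Stack 1 from the thread: pam_unix is effectively 'sufficient'.
STACK_SUFFICIENT = [
    ("[success=done new_authtok_reqd=done default=ignore]", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]

# Stack 2 from the thread: both modules contribute and a failure from either is final.
_BOTH = ("[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore "
         "authinfo_unavail=ignore default=bad]")
STACK_BOTH = [(_BOTH, "pam_unix.so"), (_BOTH, "pam_ldap.so")]

# Constructed outcomes for one login attempt by an LDAP user whose
# pam_authz_search filter does NOT match, so pam_ldap would deny.
SHADOW_OK_LDAP_DENIES = {"pam_unix.so": PAM_SUCCESS,
                         "pam_ldap.so": PAM_PERM_DENIED, "pam_deny.so": PAM_PERM_DENIED}
NO_SHADOW_LDAP_DENIES = {"pam_unix.so": PAM_USER_UNKNOWN,
                         "pam_ldap.so": PAM_PERM_DENIED, "pam_deny.so": PAM_PERM_DENIED}
NO_SHADOW_LDAP_OK = {"pam_unix.so": PAM_USER_UNKNOWN,
                     "pam_ldap.so": PAM_SUCCESS, "pam_deny.so": PAM_PERM_DENIED}

if __name__ == "__main__":
    for name, stack in (("sufficient", STACK_SUFFICIENT), ("both", STACK_BOTH)):
        for label, res in (("shadow ok, ldap denies", SHADOW_OK_LDAP_DENIES),
                           ("no shadow, ldap denies", NO_SHADOW_LDAP_DENIES),
                           ("no shadow, ldap ok", NO_SHADOW_LDAP_OK)):
            print("%-10s %-24s -> %s" % (name, label, run_stack(stack, res)))
```

The first scenario is the one the thread describes: when nsswitch lets pam_unix find shadow data for the user, the sufficient-style stack returns success after pam_unix alone and pam_ldap is never executed, whereas the `success=ok ... default=bad` stack runs pam_ldap and turns its denial into the final result.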
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users