RSS feed

Re: trouble using pam_authz_search

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: trouble using pam_authz_search

On Fri, 2011-06-03 at 19:28 -0700, Terence Kent wrote:
> First off, sorry for the long post!

No problem. It's good that most information is present.

> I'm trying to use the pam_authz_search example for host based
> authentication without success. I believe my issue is with my pam
> configuration, but I've been unable to find a solution. If I use a
> simple /etc/pam.d/common-account config of:
> account    [success=done new_authtok_reqd=done default=ignore]
> account    sufficient minimum_uid=1000
> account    required
> I can sign in with all ldap users, and the pam_authz_search string is
> ignored.

The problem with the above stack is that if pam_unix finds shadow
information and says that it is OK, pam_ldap is skipped. To work in this
stack /etc/nsswitch.conf shouldn't let ldap provide shadow information.
From the log below it doesn't seem that shadow information is found in
LDAP though so there could be something else wrong.

You could add the debug option to both pam_unix and pam_ldap and get
more information from syslog.

> I saw from a previous mailing list post by Guilluame, that this is
> expected behavior. However, if I use either of the suggested
> configurations in Arthur in the same thread, nslcd simply segment
> faults during the authentication process.
> Below is the output from an authentication attempt using the
> following /etc/pam.d/common-account config:
> account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore 
> authinfo_unavail=ignore default=bad]
> account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore 
> authinfo_unavail=ignore default=bad] minimum_uid=1000
> nslcd -d output:
> nslcd: [495cff] DEBUG: nslcd_pam_authz("tkent","cn=Terence 
> Kent,ou=people,dc=xetus,dc=com","sshd","","","ssh")
> Segmentation fault

The handshake seems reasonable but the segmentation fault is a bug
somewhere. Can you provide a backtrace using gdb [1]? Depending on where
the bug is, it may be interesting to have the libldap*-dbg,
libgcrypt*-dbg, libgnutls*-dbg and libc6-dbg packages installed.

A backtrace can be generated with:
  % gdb nslcd -d
  (gdb) r
  [try yo cause the segmentation fault]
  (gdb) thread apply all bt full
  [hit enter a couple of times]

> pam_authz_search 
> (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)))

Note that the $fqdn expansion was only introduced in 0.8.1 so isn't
available yet in 0.7.13. In any case, I would really like to know the
source of the segmentation fault.

-- arthur - - --
To unsubscribe send an email to or see