Re: Problem with PAM. ldap and su -
- From: "Teichert, Robert" <Robert.Teichert [at] universa.de>
- To: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: Problem with PAM. ldap and su -
- Date: Mon, 6 Jun 2011 08:20:52 +0000
Hello
> I think the PAM stack ignores the result of pam_ldap. Can you provide your
> PAM authorisation (account) configuration?
> The "LDAP authorisation check failed" is the message that is the shown when
> the
> pam_authz_search provides no matches.
Here is the PAM Config concerning the account:
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [success=ok user_unknown=ignore default=bad] pam_ldap.so minimum_uid=1000
> If UserC doesn't exist in LDAP the authorisation search shouldn't be
> performed and the PAM module should return USER_UNKNOWN.
>
> Depending on your PAM stack you could use the ignore_unknown_user and/or
> minimum_uid options to change how users are handled.
>
> Without more information on your PAM stack and any nslcd (debugging) output
> it is hard to say more.
Here are 2 debug outputs.
The first is from UserB (no local account, LDAP account but no valid host entry for this host = worst case):
nslcd: DEBUG: add_uri(ldaps://ldap)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,2)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/ssl/certs/im-rsn-syCA.pem")
nslcd: version 0.7.6 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(124) done
nslcd: DEBUG: setuid(113) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=25603 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byuid(-1)
nslcd: [8b4567] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uidNumber=-1))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldaps://ldap)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap")
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=25603 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(kerler)
nslcd: [7b23c6] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uv-userName=kerler))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldaps://ldap)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=25603 uid=0 gid=0
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(kerler)
nslcd: [3c9869] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uv-userName=kerler))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldaps://ldap)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap")
nslcd: [3c9869] DEBUG: ldap_result(): end of results
nslcd: [334873] DEBUG: connection from pid=25603 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_byname(kerler)
nslcd: [334873] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uv-userName=kerler))")
nslcd: [334873] DEBUG: ldap_initialize(ldaps://ldap)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [334873] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap")
nslcd: [334873] DEBUG: ldap_result(): end of results
nslcd: [b0dc51] DEBUG: connection from pid=25603 uid=0 gid=0
nslcd: [b0dc51] DEBUG: nslcd_pam_authz("kerler","","su","root","","/dev/pts/1")
nslcd: [b0dc51] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uv-userName=kerler))")
nslcd: [b0dc51] DEBUG: ldap_initialize(ldaps://ldap)
nslcd: [b0dc51] DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap")
nslcd: [b0dc51] DEBUG: trying pam_authz_search "(&(uv-userName=kerler)(uv-loginAllowed=true)(|(host=vmteichert)(host=\*)))"
nslcd: [b0dc51] DEBUG: myldap_search(base="o=company,c=de", filter="(&(uv-userName=kerler)(uv-loginAllowed=true)(|(host=vmteichert)(host=\*)))")
nslcd: [b0dc51] DEBUG: ldap_result(): end of results
nslcd: [b0dc51] pam_authz_search "(&(uv-userName=kerler)(uv-loginAllowed=true)(|(host=vmteichert)(host=\*)))" found no matches
nslcd: [495cff] DEBUG: connection from pid=25603 uid=0 gid=1030
nslcd: [495cff] DEBUG: nslcd_group_bymember(kerler)
nslcd: [495cff] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uv-userName=kerler))")
nslcd: [495cff] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixGroup)(|(memberUid=kerler)(uniqueMember=cn=kerler,cn=users,cn=accounts,cn=linux,o=company,c=de)))")
nslcd: [495cff] DEBUG: ldap_result(): end of results
nslcd: [e8944a] DEBUG: connection from pid=25603 uid=0 gid=1030
nslcd: [e8944a] DEBUG: nslcd_passwd_byname(kerler)
nslcd: [e8944a] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uv-userName=kerler))")
nslcd: [e8944a] DEBUG: ldap_result(): end of results
nslcd: [5558ec] DEBUG: connection from pid=25603 uid=0 gid=1030
nslcd: [5558ec] DEBUG: nslcd_passwd_byname(kerler)
nslcd: [5558ec] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uv-userName=kerler))")
nslcd: [5558ec] DEBUG: ldap_result(): end of results
nslcd: [8e1f29] DEBUG: connection from pid=25603 uid=0 gid=1030
nslcd: [8e1f29] DEBUG: nslcd_passwd_byname(kerler)
nslcd: [8e1f29] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uv-userName=kerler))")
nslcd: [8e1f29] DEBUG: ldap_result(): end of results
nslcd: [e87ccd] DEBUG: connection from pid=25603 uid=0 gid=1030
nslcd: [e87ccd] DEBUG: nslcd_pam_sess_o("kerler","","su","/dev/pts/1","","root")
nslcd: [1b58ba] DEBUG: connection from pid=25604 uid=1030 gid=1030
nslcd: [1b58ba] DEBUG: nslcd_passwd_byuid(1030)
nslcd: [1b58ba] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uidNumber=1030))")
nslcd: [1b58ba] DEBUG: ldap_result(): end of results
nslcd: [7ed7ab] DEBUG: connection from pid=25631 uid=1030 gid=1030
nslcd: [7ed7ab] DEBUG: nslcd_passwd_byuid(1030)
nslcd: [7ed7ab] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uidNumber=1030))")
nslcd: [7ed7ab] DEBUG: ldap_result(): end of results
nslcd: [b141f2] DEBUG: connection from pid=25631 uid=1030 gid=1030
nslcd: [b141f2] DEBUG: nslcd_group_bygid(1030)
nslcd: [b141f2] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixGroup)(gidNumber=1030))")
nslcd: [b141f2] DEBUG: ldap_result(): end of results
nslcd: [b71efb] DEBUG: connection from pid=25631 uid=1030 gid=1030
nslcd: [b71efb] DEBUG: nslcd_group_bygid(64969)
nslcd: [b71efb] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixGroup)(gidNumber=64969))")
nslcd: [b71efb] DEBUG: ldap_result(): end of results
nslcd: [e2a9e3] DEBUG: connection from pid=25631 uid=1030 gid=1030
nslcd: [e2a9e3] DEBUG: nslcd_group_bygid(64969)
nslcd: [e2a9e3] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixGroup)(gidNumber=64969))")
nslcd: [e2a9e3] DEBUG: ldap_result(): end of results
nslcd: [45e146] DEBUG: connection from pid=25631 uid=1030 gid=1030
nslcd: [45e146] DEBUG: nslcd_group_bygid(64969)
nslcd: [45e146] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixGroup)(gidNumber=64969))")
nslcd: [45e146] DEBUG: ldap_result(): end of results
nslcd: [5f007c] DEBUG: connection from pid=25631 uid=1030 gid=1030
nslcd: [5f007c] DEBUG: nslcd_group_bygid(64969)
nslcd: [5f007c] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixGroup)(gidNumber=64969))")
nslcd: [5f007c] DEBUG: ldap_result(): end of results
nslcd: [d062c2] DEBUG: connection from pid=25631 uid=1030 gid=1030
nslcd: [d062c2] DEBUG: nslcd_group_bygid(64969)
nslcd: [d062c2] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixGroup)(gidNumber=64969))")
nslcd: [d062c2] DEBUG: ldap_result(): end of results
nslcd: [200854] DEBUG: connection from pid=25631 uid=1030 gid=1030
nslcd: [200854] DEBUG: nslcd_group_bygid(64969)
nslcd: [200854] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixGroup)(gidNumber=64969))")
nslcd: [200854] DEBUG: ldap_result(): end of results
nslcd: [b127f8] DEBUG: connection from pid=25603 uid=1030 gid=1030
nslcd: [b127f8] DEBUG: nslcd_pam_sess_c("kerler","","su",12345)
^Cnslcd: [45e146] DEBUG: ldap_unbind()
nslcd: [b127f8] DEBUG: ldap_unbind()
nslcd: [5f007c] DEBUG: ldap_unbind()
nslcd: [d062c2] DEBUG: ldap_unbind()
nslcd: [200854] DEBUG: ldap_unbind()
nslcd: caught signal SIGINT (2), shutting down
nslcd: version 0.7.6 bailing out
Now the debug output from UserC (local account, no LDAP account):
nslcd: DEBUG: add_uri(ldaps://ldap)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,2)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/ssl/certs/im-rsn-syCA.pem")
nslcd: version 0.7.6 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(124) done
nslcd: DEBUG: setuid(113) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=25655 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byuid(-1)
nslcd: [8b4567] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uidNumber=-1))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldaps://ldap)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap")
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=25655 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_pam_authz("bla","","su","root","","/dev/pts/1")
nslcd: [7b23c6] DEBUG: myldap_search(base="o=company,c=de", filter="(&(objectClass=uv-posixAccount)(uv-userName=bla))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldaps://ldap)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] "bla": user not found
nslcd: [3c9869] DEBUG: connection from pid=25655 uid=0 gid=2770
nslcd: [334873] DEBUG: connection from pid=25655 uid=0 gid=2770
nslcd: [334873] DEBUG: nslcd_pam_sess_o("bla","","su","/dev/pts/1","","root")
^Cnslcd: [7b23c6] DEBUG: ldap_unbind()
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: caught signal SIGINT (2), shutting down
nslcd: version 0.7.6 bailing out
Thank you,
Robert
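The four account lines in this message are worth tracing by hand, because their order decides whose verdict the stack ends up returning. What follows is an added illustration, not nss-pam-ldapd code and not something posted in this thread: a small Python model of Linux-PAM's control-flag evaluation as described in pam.conf(5) (keyword controls rewritten as their bracketed equivalents, success=N as a jump, bad/die as the first failure fixing the result). It parses the account stack quoted above and walks it for three hypothetical scenarios. The per-module return codes in those scenarios are assumptions, not data from the nslcd output: pam_ldap.so is assumed to return perm_denied when pam_authz_search finds no match and user_unknown when nslcd reports the user not found, and pam_unix.so is assumed to return success or user_unknown depending on whether it can resolve the account. The model leaves out Linux-PAM's finer points (the frozen-chain treatment of done after an earlier failure, return-value caching), so it is a reading aid for the configuration, not a replacement for testing the real stack.

```python
"""Simplified Linux-PAM control-flag walker (added example, not nss-pam-ldapd
code).  Parses an /etc/pam.d-style 'account' stack and evaluates it with
hypothetical per-module return codes, so the effect of module ORDER and of
actions such as success=1 or user_unknown=ignore can be seen line by line."""
import re

# Keyword controls expressed as the bracketed action maps pam.conf(5) gives.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text, facility="account"):
    """Return [(module, actions, args)] for one PAM facility, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m or m.group(1) != facility:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        stack.append((module, actions, args))
    return stack


def evaluate(stack, returns):
    """Walk the stack.  `returns` maps module -> the return code that module is
    assumed to produce in this scenario (lower-case, as in bracket syntax).
    Returns (final_code, trace) where trace lists (module, code, action)."""
    impression, status, trace = None, None, []
    i = 0
    while i < len(stack):
        module, actions, _ = stack[i]
        ret = returns[module]
        action = actions.get(ret, actions.get("default", "bad"))  # unlisted codes are 'bad'
        trace.append((module, ret, action))
        if action in ("ok", "done") or action.isdigit():
            if impression != "bad":           # a success never overrides an earlier failure
                impression, status = "ok", ret
            if action == "done":
                break
            if action.isdigit():              # success=N: skip the next N modules
                i += int(action)
        elif action in ("bad", "die"):
            if impression != "bad":           # the first failure fixes the stack's result
                impression, status = "bad", ret
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, None
        # "ignore" contributes nothing to the result
        i += 1
    # A stack in which every module was ignored yields PAM_PERM_DENIED.
    return (status if impression else "perm_denied"), trace


# The account stack from the message above (the wrapped minimum_uid rejoined).
STACK_TEXT = """
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [success=ok user_unknown=ignore default=bad] pam_ldap.so minimum_uid=1000
"""
STACK = parse_stack(STACK_TEXT)

# Assumed module return codes per scenario (constructed, not taken from the log).
SCENARIOS = {
    # UserC: local account, nslcd answers "user not found"
    "local_user": {"pam_unix.so": "success", "pam_deny.so": "perm_denied",
                   "pam_permit.so": "success", "pam_ldap.so": "user_unknown"},
    # UserB: resolvable through NSS, but pam_authz_search finds no match
    "ldap_user_authz_denied": {"pam_unix.so": "success", "pam_deny.so": "perm_denied",
                               "pam_permit.so": "success", "pam_ldap.so": "perm_denied"},
    # UserB if pam_unix.so could not resolve the account at all
    "ldap_user_unknown_to_unix": {"pam_unix.so": "user_unknown", "pam_deny.so": "perm_denied",
                                  "pam_permit.so": "success", "pam_ldap.so": "perm_denied"},
}


def run_all():
    """Evaluate every scenario; returns {name: (final_code, trace)}."""
    return {name: evaluate(STACK, rets) for name, rets in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (final, trace) in run_all().items():
        print(f"{name}: {final}")
        for module, ret, action in trace:
            print(f"    {module:<14} returned {ret:<13} -> {action}")
```

In this model the second scenario ends in perm_denied, because default=bad on the pam_ldap.so line turns the stack's result negative once authorisation fails; the third scenario also ends in perm_denied, but pam_ldap.so is never consulted, since requisite pam_deny.so terminates the stack first. Comparing such a trace with what the real stack does (as in the nslcd output, where a session is opened after pam_authz_search found no matches) narrows the question down to which of the assumed return codes, or which loaded configuration, differs from the model.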
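The two nslcd debug captures above show the pattern that matters for auditing this kind of setup: a pam_authz_search that "found no matches" for kerler, followed by nslcd_pam_sess_o for the same user, i.e. a session opened after LDAP authorisation was denied. The following added example (not part of this thread and not nss-pam-ldapd code) parses nslcd debug lines of the format shown in the message, groups them by the request id in square brackets, and reports, per user, sessions that were opened after an authorisation denial or after nslcd reported the user unknown. The sample log embedded in the block is constructed from a handful of lines in the same format as the captures above; the event and finding names are this example's own.

```python
"""Audit nslcd debug output for sessions opened after a denied or absent LDAP
authorisation (added example; not nss-pam-ldapd code).  Input is the
line format nslcd 0.7.x prints with debugging enabled, as quoted above."""
import re
from collections import defaultdict

# "nslcd: [<request id>] [DEBUG: ]<body>"; daemon start/stop lines carry no id.
REQ = re.compile(r"^nslcd: \[(?P<id>[0-9a-f]+)\] (?:DEBUG: )?(?P<body>.*)$")
# Request entry points whose first quoted argument is the user name.
CALL = re.compile(r'^(?P<fn>nslcd_pam_authz|nslcd_pam_sess_o|nslcd_pam_sess_c|'
                  r'nslcd_passwd_byname)\("(?P<user>[^"]*)"')
AUTHZ_DENIED = re.compile(r'^pam_authz_search ".*" found no matches$')
NOT_FOUND = re.compile(r'^"(?P<user>[^"]*)": user not found$')


def parse_nslcd(lines):
    """Turn nslcd debug lines into (request_id, event, user) tuples in log order.
    The user of a 'found no matches' line is taken from the nslcd_pam_authz
    call that opened the same request id."""
    user_of, events = {}, []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        rid, body = m.group("id"), m.group("body")
        call = CALL.match(body)
        if call:
            user_of[rid] = call.group("user")
            events.append((rid, call.group("fn"), call.group("user")))
            continue
        unknown = NOT_FOUND.match(body)
        if AUTHZ_DENIED.match(body):
            events.append((rid, "authz_denied", user_of.get(rid)))
        elif unknown:
            events.append((rid, "user_unknown", unknown.group("user")))
    return events


def audit(events):
    """Per user, flag a session opened after nslcd denied authorisation
    (the case worth alarming on) or after it reported the user unknown
    (expected for purely local accounts; recorded for completeness)."""
    seen, findings = defaultdict(set), defaultdict(list)
    for _, event, user in events:
        if event in ("authz_denied", "user_unknown"):
            seen[user].add(event)
        elif event == "nslcd_pam_sess_o":
            if "authz_denied" in seen[user]:
                findings[user].append("session_after_authz_denied")
            if "user_unknown" in seen[user]:
                findings[user].append("session_for_user_unknown_to_ldap")
    return dict(findings)


# Constructed sample in the format of the captures above (ids and names reused).
SAMPLE_LOG = r"""
nslcd: [b0dc51] DEBUG: connection from pid=25603 uid=0 gid=0
nslcd: [b0dc51] DEBUG: nslcd_pam_authz("kerler","","su","root","","/dev/pts/1")
nslcd: [b0dc51] DEBUG: trying pam_authz_search "(&(uv-userName=kerler)(uv-loginAllowed=true)(|(host=vmteichert)(host=\*)))"
nslcd: [b0dc51] DEBUG: ldap_result(): end of results
nslcd: [b0dc51] pam_authz_search "(&(uv-userName=kerler)(uv-loginAllowed=true)(|(host=vmteichert)(host=\*)))" found no matches
nslcd: [e87ccd] DEBUG: connection from pid=25603 uid=0 gid=1030
nslcd: [e87ccd] DEBUG: nslcd_pam_sess_o("kerler","","su","/dev/pts/1","","root")
nslcd: [7b23c6] DEBUG: nslcd_pam_authz("bla","","su","root","","/dev/pts/1")
nslcd: [7b23c6] "bla": user not found
nslcd: [334873] DEBUG: nslcd_pam_sess_o("bla","","su","/dev/pts/1","","root")
"""


def audit_text(text):
    """Convenience wrapper: raw log text -> {user: [finding, ...]}."""
    return audit(parse_nslcd(line for line in text.splitlines() if line.strip()))


if __name__ == "__main__":
    for user, issues in audit_text(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(issues)}")
```

Pointing audit_text at a real capture (nslcd -d output, or the syslog lines it produces) gives one line per user; only session_after_authz_denied indicates that the PAM account stack let someone through whom pam_authz_search had rejected, which is exactly the condition the configuration above is meant to prevent.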