
pam_ldap + no_warn + pam_authz_search = issue?


I decided to take nss-pam-ldapd for a spin to replace my usual padl
nss_ldap/pam_ldap set up. I spent ages trying to get pam_authz_search
working until finally I realised my sshd pam.d config for pam_ldap had a
residual no_warn from my padl pam_ldap set up. After removing the
no_warn, everything started working.

Prior to removing no_warn, I would be able to login successfully and see
this in my auth.log:

Oct 26 16:12:10 newtcphub sshd[14836]: LDAP authorisation check failed;
Oct 26 16:12:10 newtcphub sshd[14834]: Accepted keyboard-interactive/pam for lstewart from X.X.X.X port 10588 ssh2

The pam_ldap man page describes the no_warn option like so:

    Specifies that warning messages should not be propagated
    to the PAM application.

I interpret "warning messages" to be stderr-type text messages, but
apparently no_warn also affects the actual return codes the module
passes back to PAM, in turn causing the module to be ignored in my PAM

Is having the no_warn option with an account entry expected
to make that entry effectively a nop as far as the PAM stack is
concerned? If it is, then expanding the no_warn related documentation
would be good to make this behaviour much more obvious. If it is not, is
this a bug? If it's a bug, is the bug in FreeBSD's PAM implementation or

Details about the system in question are below.


root@newtcphub:/root # uname -a
FreeBSD newtcphub 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #2 r242028: Thu Oct 25 13:38:48 EST 2012     root@newtcphub:/usr/obj/usr/src/sys/GENERIC

root@newtcphub:/root # pkg info -x nss-pam-ldap
nss-pam-ldapd-0.8.10           Advanced fork of nss_ldap

root@newtcphub:/root # grep account /etc/pam.d/sshd
# account
account         required
#account        required
account         required
account         sufficient      /usr/local/lib/
account         required

root@newtcphub:/root # cat /usr/local/etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://X.X.X.X
base dc=blah
ssl start_tls
tls_reqcert allow
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=$fqdn))
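The failure mode described in this post (the pam_authz_search check is logged as failed, yet sshd goes on to accept the login) is something worth detecting in auth.log regardless of whether it turns out to be a documentation problem or a bug. The script below is an added example, not code from the post or from nss-pam-ldapd: it correlates "LDAP authorisation check failed" lines with a subsequent "Accepted ... for <user>" line on the same host within a short window. The sample log lines are constructed to mirror the excerpt above (with a documentation-range IP, an assumed year of 2012 and a 2-second window, all of which are assumptions, not values from the post). The two sshd pids are deliberately not matched against each other, because with privilege separation the authorisation failure and the accept line come from different sshd processes, as they do in the post's excerpt.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth.log lines modelled on the post's excerpt (not real data).
# Line 1+2: authz failure immediately followed by an accepted login -> should be flagged.
# Line 3+4: authz failure followed by a rejection -> correct behaviour, not flagged.
# Line 5:   accepted login with no preceding authz failure -> not flagged.
SAMPLE_LOG = """\
Oct 26 16:12:10 newtcphub sshd[14836]: LDAP authorisation check failed;
Oct 26 16:12:10 newtcphub sshd[14834]: Accepted keyboard-interactive/pam for lstewart from 192.0.2.10 port 10588 ssh2
Oct 26 16:20:03 newtcphub sshd[14900]: LDAP authorisation check failed;
Oct 26 16:20:03 newtcphub sshd[14898]: error: PAM: authentication error for lstewart from 192.0.2.10
Oct 26 16:31:45 newtcphub sshd[15001]: Accepted publickey for alice from 192.0.2.11 port 40001 ssh2
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# sshd's accept line: "Accepted <method> for <user> from <src> port <port> ..."
ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
# Message prefix logged by nss-pam-ldapd's pam_ldap when pam_authz_search denies access
AUTHZ_FAIL_PREFIX = "LDAP authorisation check failed"


def parse_line(line, year):
    """Split one syslog line into (timestamp, host, pid, message); None if not an sshd line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumption for the sample)
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["host"], int(m["pid"]), m["msg"]


def find_authz_bypasses(lines, window_seconds=2, year=2012):
    """Return accepted logins that follow an LDAP authorisation failure on the same host
    within window_seconds. Each hit is a dict with host, user, src, method and ts."""
    window = timedelta(seconds=window_seconds)
    failures = []  # (timestamp, host) of every authz failure seen so far
    hits = []
    for raw in lines:
        parsed = parse_line(raw.rstrip("\n"), year)
        if parsed is None:
            continue
        ts, host, _pid, msg = parsed
        if msg.startswith(AUTHZ_FAIL_PREFIX):
            failures.append((ts, host))
            continue
        acc = ACCEPT_RE.match(msg)
        if acc is None:
            continue
        # Match on host and time only: privsep means the failure and the accept
        # are logged by different sshd pids, so pid correlation would miss it.
        for fts, fhost in failures:
            if fhost == host and fts <= ts <= fts + window:
                hits.append({
                    "host": host,
                    "user": acc["user"],
                    "src": acc["src"],
                    "method": acc["method"],
                    "ts": ts.isoformat(),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_authz_bypasses(SAMPLE_LOG.splitlines()):
        print("authz failed but login accepted: %(user)s from %(src)s on %(host)s at %(ts)s" % hit)
```

Run it against a real auth.log with `find_authz_bypasses(open("/var/log/auth.log"))`; any hit means the account stack returned success after pam_ldap reported the authorisation search had failed, which is exactly the no_warn symptom the post describes.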