RSS feed

Re: Ineffective pam_authz_search

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Ineffective pam_authz_search

On Thu, 2014-02-06 at 13:44 +0300, Ксения Юрьевна Блащук wrote:
> But still, user is available to login even if specific $hostname or
> $fqdn is not specified in his LDAP account, so it becomes a security
> issue.
> nslcd -d outputs:
> nslcd: <passwd="mylogin"> DEBUG: myldap_search(base="dc=mydc,dc=mydc", 
> filter="(&(objectClass=posixAccount)(uid=mylogin))")
> I don't see that myldap_search includes 'host' parameter. 

The pam_authz_search option will only be used when the PAM module of
nss-pam-ldapd is also used. The search from above is from a name lookup,
not an authentication (or authorisation) attempt.

An authentication attempt will look something like:
nslcd: [334873] <authc="arthur"> DEBUG: nslcd_pam_authc("arthur","su","***")
nslcd: [495cff] <authz="arthur"> DEBUG: 

Whether the option really takes affect also depends on your PAM
configuration. For example, if you make the hashed password available
through NSS (by default disabled in 0.8) pam_unix will most likely
completely bypass pam_ldap.

Also, some applications (such as SSH when using key-based
authentication) tend to bypass PAM.

Also be sure you are using nss-pam-ldpad's pam_ldap module.

Hope this helps.

-- arthur - - --
To unsubscribe send an email to or see