
How to avoid unnecessary LDAP operations?




Hello,

Is there a way to avoid some unnecessary LDAP operations generated by
nslcd in the following setting?

The system is configured only for pam_ldap (no LDAP name service):
that is, for non system users, /etc/passwd contains all the
information about uid, uidnumber, gecos etc. and there is no password
in /etc/shadow; it serves as the authorisation file (only accounts in
/etc/passwd may login to the system); pam_ldap is configured so as to
send the clear text password (in a SSL connection) to the LDAP server
to be verified by the LDAP server (BIND operation).
(See configuration files in annexes below).

Currently this configuration works but generates LDAP operations that
are not necessary for the strict purpose which is a) find the user dn
from the provided login name then b) check the password via a BIND
(see LDAP server log extract in attachment), namely:

1) (Ref: conn=1954208 op=1 msgId=2) The search for the dn asks for
   attributes uid and uidNumber. It is not necessary and no attribute
   should be requested (by specifying oid "1.1").

2) (Ref: conn=1954209 op=1 msgId=2) After the BIND that checks the
    password in a second connection a search is performed to obtain
    the same dn that was used for the BIND.  This search is useless
    because we know the dn exists since the BIND succeeded.

3) (Ref: conn=1954208 op=2 msgId=3) Once the password is checked, a
   search for ShadowAccount attributes is performed in the first
   connection.  This is not necessary because there is already all the
   information in the /etc/shadow file (remember: no LDAP name
   service) and the password hash is not retrieved from LDAP to be
   checked locally.  Besides this info is dummy because password
   expiration etc. is not handled at the Unix level but in a central
   system of which the LDAP server is part.

4) (Refs: conn=1954209 op=2 msgId=3, conn=1954208 op=3 msgId=4) Both
   connections issue an ABANDON operation even though they got a result
   from the previous SEARCH request.  This would be necessary only in
   the case where the search would not return a result before a
   timeout on the client side. Since this is clearly not the case here
   (NOTFOUND indicates that there is nothing current to abandon), no
   ABANDON operation should have been issued.

5) (Ref: conn=1954209 op=3 msgId=4) The connection used to check the
   password is closed (UNBIND).  This is expensive (overhead to
   restart a TCP connection and, in this case, an SSL negotiation
   involving lots of crypto) and not necessary: it can stay open until
   the next BIND for the next user login (i.e. that connection can
   also be part of the permanent connections of the pool albeit only
   usable for checking passwords with BIND operations). (cf. "Your
   application can hold onto a connection but change the
   authentication credentials by using the bind operation again." in

https://blogs.oracle.com/marginNotes/entry/ldap_client_application_development
http://webcache.googleusercontent.com/search?q=cache:w2tyrnfdP6cJ:www.ldapguru.info/ldap/authentication-best-practices.html

- Is there a way to modify the configurations of nslcd or PAM that
  would avoid these unnecessary operations?

- The last point (5) is more like a feature request: It would be nice
  if one could configure if password checks are done in a permanent
  connection or not.


Thanks in advance for your help!



Annexes: context and configurations

Context:
OS: Debian Linux jessie
nslcd: 0.8.13-3

/etc/nsswitch.conf :
passwd:         files
group:          files
shadow:         files
...

/etc/pam.d/common-auth :
auth    [success=1 default=ignore]      pam_succeed_if.so quiet uid > 1001
auth    [success=2 default=die] pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

/etc/nslcd.conf :
uid nslcd
gid nslcd
uri ldaps://people.unige.ch
base ou=People,dc=unige,dc=ch
binddn cn=Artemis authentication agent,ou=CHIFI,ou=Applications,dc=unige,dc=ch
bindpw secret
ssl on
tls_cacertfile  /etc/ssl/certs/unige_ldap_ca.pem
scope one

grep testuser /etc/passwd /etc/shadow
/etc/passwd:testuser:x:183515:183515:testuser:/home/testuser:/bin/bash
/etc/shadow:testuser:*:16149:0:99999:7:::


Mr Dominique Petitpierre, user=Dominique.Petitpierre domain=unige.ch
IT Division, University of Geneva, Switzerland

LDAP server log extract (attachment):
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=-1 msgId=-1 - fd=116 slot=116 
LDAPS connection from 192.168.54.210:46999 to 10.13.9.10
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=-1 msgId=-1 - SSL 128-bit RC4
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=0 msgId=1 - BIND 
dn="cn=authentication agent,ou=Unix,ou=Applications,dc=example,dc=com" 
method=128 version=3
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=0 msgId=1 - RESULT err=0 tag=97 
nentries=0 etime=0 dn="cn=authentication 
agent,ou=Unix,ou=applications,dc=example,dc=com"
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=1 msgId=2 - SRCH 
base="ou=people,dc=example,dc=com" scope=2 
filter="(&(objectClass=posixAccount)(uid=testuser))" attrs="uid uidNumber"
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=1 msgId=2 - RESULT err=0 tag=101 
nentries=1 etime=0
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=-1 msgId=-1 - fd=118 slot=118 
LDAPS connection from 192.168.54.210:47000 to 10.13.9.10
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=-1 msgId=-1 - SSL 128-bit RC4
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=0 msgId=1 - BIND 
dn="employeeNumber=530149,ou=people,dc=example,dc=com" method=128 version=3
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=0 msgId=1 - RESULT err=0 tag=97 
nentries=0 etime=0 dn="employeenumber=530149,ou=people,dc=example,dc=com"
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=1 msgId=2 - SRCH 
base="employeenumber=530149,ou=people,dc=example,dc=com" scope=0 
filter="(objectClass=*)" attrs="dn"
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=1 msgId=2 - RESULT err=0 tag=101 
nentries=1 etime=0
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=2 msgId=3 - ABANDON 
targetop=NOTFOUND msgid=2
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=3 msgId=4 - UNBIND
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=3 msgId=-1 - closing from 
192.168.54.210:47000 - U1 - Connection closed by unbind client -
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=2 msgId=3 - SRCH 
base="ou=people,dc=example,dc=com" scope=2 
filter="(&(objectClass=shadowAccount)(uid=testuser))" attrs="shadowExpire 
shadowInactive shadowFlag shadowWarning shadowLastChange uid shadowMin 
shadowMax"
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=-1 msgId=-1 - closed.
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=2 msgId=3 - RESULT err=0 tag=101 
nentries=1 etime=0
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=3 msgId=4 - ABANDON 
targetop=NOTFOUND msgid=3
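An added example, not part of the post or of nss-pam-ldapd: it parses access-log lines in the format quoted above and flags each of the five operation kinds the post argues are unnecessary, so the same audit can be run over a larger log. The sample log is a constructed, one-line-per-entry copy of the extract above, and AGENT_DN is assumed to be the DN nslcd binds with (its binddn).

```python
import re
from collections import defaultdict

# Constructed sample: the request lines of the access-log extract quoted in the post, each re-joined
# onto one line. RESULT and connection-level lines are omitted; the parser skips them anyway.
LOG = """\
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=0 msgId=1 - BIND dn="cn=authentication agent,ou=Unix,ou=Applications,dc=example,dc=com" method=128 version=3
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=1 msgId=2 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=testuser))" attrs="uid uidNumber"
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=0 msgId=1 - BIND dn="employeeNumber=530149,ou=people,dc=example,dc=com" method=128 version=3
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=1 msgId=2 - SRCH base="employeenumber=530149,ou=people,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="dn"
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=3 msgId=4 - UNBIND
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=2 msgId=3 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=testuser))" attrs="shadowExpire shadowInactive shadowFlag shadowWarning shadowLastChange uid shadowMin shadowMax"
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=3 msgId=4 - ABANDON targetop=NOTFOUND msgid=3
"""

# Assumed: the DN nslcd itself binds with (its binddn). A BIND by any other DN is a password check.
AGENT_DN = "cn=authentication agent,ou=Unix,ou=Applications,dc=example,dc=com"
LINE = re.compile(r'conn=(\d+) op=(-?\d+) msgId=-?\d+ - ([A-Z]+)(.*)')

def parse(log):
    """Group request lines per connection in log order, as (op, kind, rest) tuples."""
    conns = defaultdict(list)
    for line in log.splitlines():
        m = LINE.search(line)
        if m and m.group(3) not in ("RESULT", "SSL"):
            conn, op, kind, rest = m.groups()
            conns[conn].append((int(op), kind, rest.strip()))
    return dict(conns)

def audit(conns, agent_dn=AGENT_DN):
    """Return (conn, op, reason) for every operation matching one of the post's five points."""
    findings = []
    for conn, ops in conns.items():
        binds = [re.search(r'dn="([^"]*)"', r).group(1) for _, k, r in ops if k == "BIND"]
        user_bind = any(dn.lower() != agent_dn.lower() for dn in binds)
        for i, (op, kind, rest) in enumerate(ops):
            m = re.search(r'attrs="([^"]*)"', rest)
            attrs = m.group(1).split() if m else []
            if kind == "SRCH" and "scope=0" in rest and i > 0 and ops[i - 1][1] == "BIND":
                findings.append((conn, op, "re-reads the DN that just bound successfully"))  # point 2
            elif kind == "SRCH" and "objectClass=shadowAccount" in rest:
                findings.append((conn, op, "fetches shadow attributes although shadow is served from files"))  # point 3
            elif kind == "SRCH" and attrs != ["1.1"]:
                findings.append((conn, op, "DN lookup requests %s where 1.1 (no attributes) would do" % attrs))  # point 1
            elif kind == "ABANDON" and "targetop=NOTFOUND" in rest:
                findings.append((conn, op, "abandons an operation that already returned its result"))  # point 4
            elif kind == "UNBIND" and user_bind:
                findings.append((conn, op, "closes the password-check connection instead of keeping it"))  # point 5
    return findings
```

Running `audit(parse(LOG))` on the sample yields six findings, one per operation the post lists under points 1 to 5 (the ABANDON under point 4 appears once per connection).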
