RSS feed

How to avoid unnecessary LDAP operations?

[Date Prev][Date Next] [Thread Prev][Thread Next]

How to avoid unnecessary LDAP operations?


Is there a way to avoid some unnecessary LDAP operations generated by
nslcd in the following setting?

The system is configured only for pam_ldap (no LDAP name service):
that is, for non system users, /etc/passwd contains all the
information about uid, uidnumber, gecos etc. and there is no password
in /etc/shadow; it serves as the authorisation file (only accounts in
/etc/passwd may login to the system); pam_ldap is configured so as to
send the clear text password (in a SSL connection) to the LDAP server
to be verified by the LDAP server (BIND operation).
(See configuration files in annexes below).

Currently this configuration works but generates LDAP operations that
are not necessary for the strict purpose which is a) find the user dn
from the provided login name then b) check the password via a BIND
(see LDAP server log extract in attachment), namely:

1) (Ref: conn=1954208 op=1 msgId=2) The search for the dn asks for
   attributes uid and uidNumber. It is not necessary and no attribute
   should be requested (by specifying oid "1.1").

2) (Ref: conn=1954209 op=1 msgId=2) After the BIND that checks the
    password in a second connection a search is performed to obtain
    the same dn that was used for the BIND.  This search is useless
    because we know the dn exists since the BIND succeeded.

3) (Ref: conn=1954208 op=2 msgId=3) Once the password checked, a
   search for ShadowAccount attributes is performed in the first
   connection.  This is not necessary because there is already all the
   information in the /etc/shadow file (remember: no LDAP name
   service) and the password hash is not retrieved from LDAP to be
   checked locally.  Besides this info is dummy because password
   expiration etc. is not handled at the Unix level but in a central
   system of which the LDAP server is part.

4) (Refs: conn=1954209 op=2 msgId=3, conn=1954208 op=3 msgId=4) Both
   connections issue an ABANDON operation eventhough they got a result
   from the previous SEARCH request.  This would be necessary only in
   the case where the search would not return a result before a
   timeout on the client side. Since this is clearly not the case here
   (NOTFOUND indicates that there is nothing current to abandon), no
   ABANDON operation should have been issued.

5) (Ref: conn=1954209 op=3 msgId=4) The connection used to check the
   password is closed (UNBIND).  This is expensive (overhead to
   restart a TCP connection and, in this case, a SSL negociation
   involving lots of crypto) and not necessary: it can stay open until
   the next BIND for the next user login (i.e. that connection can
   also be part of the permanent connections of the pool albeit only
   usable for checking passwords with BIND operations). (cf. "Your
   application can hold onto a connection but change the
   authentication credentials by using the bind operation again." in

- Is there a way to modify the configurations of nslcd or PAM that
  would avoid these unnecessary operations?

- The last point (5) is more like a feature request: It would be nice
  if one could configure if password checks are done in a permanent
  connection or not.

Thanks in adavnce for your help!

Annexes: context and configurations

OS: Debian Linux jessie
nslcd: 0.8.13-3

/etc/nsswitch.conf :
passwd:         files
group:          files
shadow:         files

/etc/pam.d/common-auth :
auth    [success=1 default=ignore] quiet uid > 1001
auth    [success=2 default=die] nullok_secure
auth    [success=1 default=ignore]
auth    requisite             
auth    required              
auth    optional              

/etc/nslcd.conf :
uid nslcd
gid nslcd
uri ldaps://
base ou=People,dc=unige,dc=ch
binddn cn=Artemis authentication agent,ou=CHIFI,ou=Applications,dc=unige,dc=ch
bindpw secret
ssl on
tls_cacertfile  /etc/ssl/certs/unige_ldap_ca.pem
scope one

grep testuser /etc/passwd /etc/shadow

Mr Dominique Petitpierre, user=Dominique.Petitpierre
IT Division, University of Geneva, Switzerland
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=-1 msgId=-1 - fd=116 slot=116 
LDAPS connection from to
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=-1 msgId=-1 - SSL 128-bit RC4
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=0 msgId=1 - BIND 
dn="cn=authentication agent,ou=Unix,ou=Applications,dc=example,dc=com" 
method=128 version=3
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=0 msgId=1 - RESULT err=0 tag=97 
nentries=0 etime=0 dn="cn=authentication 
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=1 msgId=2 - SRCH 
base="ou=people,dc=example,dc=com" scope=2 
filter="(&(objectClass=posixAccount)(uid=testuser))" attrs="uid uidNumber"
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=1 msgId=2 - RESULT err=0 tag=101 
nentries=1 etime=0
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=-1 msgId=-1 - fd=118 slot=118 
LDAPS connection from to
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=-1 msgId=-1 - SSL 128-bit RC4
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=0 msgId=1 - BIND 
dn="employeeNumber=530149,ou=people,dc=example,dc=com" method=128 version=3
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=0 msgId=1 - RESULT err=0 tag=97 
nentries=0 etime=0 dn="employeenumber=530149,ou=people,dc=example,dc=com"
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=1 msgId=2 - SRCH 
base="employeenumber=530149,ou=people,dc=example,dc=com" scope=0 
filter="(objectClass=*)" attrs="dn"
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=1 msgId=2 - RESULT err=0 tag=101 
nentries=1 etime=0
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=2 msgId=3 - ABANDON 
targetop=NOTFOUND msgid=2
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=3 msgId=4 - UNBIND
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=3 msgId=-1 - closing from - U1 - Connection closed by unbind client -
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=2 msgId=3 - SRCH 
base="ou=people,dc=example,dc=com" scope=2 
filter="(&(objectClass=shadowAccount)(uid=testuser))" attrs="shadowExpire 
shadowInactive shadowFlag shadowWarning shadowLastChange uid shadowMin 
[22/Mar/2014:10:56:10 +0100] conn=1954209 op=-1 msgId=-1 - closed.
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=2 msgId=3 - RESULT err=0 tag=101 
nentries=1 etime=0
[22/Mar/2014:10:56:10 +0100] conn=1954208 op=3 msgId=4 - ABANDON 
targetop=NOTFOUND msgid=3

To unsubscribe send an email to or see