lists.arthurdejong.org
RSS feed

Query about authinfo_unavail and user_unknown behaviour

[Date Prev][Date Next] [Thread Prev][Thread Next]

Query about authinfo_unavail and user_unknown behaviour

I'm running nss-pam-ldapd against an OpenLDAP server, and I've
encountered some unexpected behaviour. I'd like to know if this is
as designed, or not.

Expected behaviour:

- nslcd down => authinfo_unavailable
- nslcd up, ldap down => authinfo_unavailable
- nslcd up, ldap up, record not found => user_unknown
- nslcd up, ldap up, record found => test password

Actual behaviour:

- nslcd down => authinfo_unavailable
- nslcd up, ldap down => user_unknown
- nslcd up, ldap up, record not found => user_unknown
- nslcd up, ldap up, record found => test password

This causes a problem for configuring pam_ldap.so when:

- a backup is used (eg. pam_ccreds) for network down, and
- users that used to exist are deleted.


I'll try and explain my findings. However, the mail is long. It has
been a bit hard to test and re-test with various conditions.


For PAM, I've tried two configurations:

Configuration 1:

 auth [authinfo_unavail=ignore success=1 default=die]
      pam_ldap.so use_first_pass
 auth [default=done] pam_ccreds.so action=validate use_first_pass

Configuration 2:
auth [authinfo_unavail=ignore user_unknown=ignore success=1 default=die] 
      pam_ldap.so use_first_pass
 auth [default=done] pam_ccreds.so action=validate use_first_pass

The difference is user_unknown=ignore.

The idea is to fall back to pam_ccreds if, and only if, the LDAP server
is down. If the network is broken users should be able to login.
I would prefer Configuration 1.


Behaviour with Configuration 1:

If nslcd is down, configuration 1 behaves as expected. Authentication
is unavailable, so pam_ldap.so is ignored, and pam_ccreds is used.

If nslcd is up, but the LDAP server is down, configuration 1 behaves as
if the user doesn't exist. This means that if the LDAP server is down,
pam_ccreds is not used. This is a problem.

This seems to be because of common/nslcd-prot.h, lines 376 to 379:

 if (tmpint32 != (int32_t)NSLCD_RESULT_BEGIN) \
 { \
   ERROR_OUT_NOSUCCESS(fp); \
 }

which triggers PAM_USER_UNKNOWN in pam/common.h, line 69.


Behaviour with Configuration 2:

Configuration 2 also has it's pitfalls. And that's with deleted users.

Now a user that used to exist, and is in pam_ccreds, that gets deleted,
will be allowed to login even when the LDAP server is up.

nslcd returns "user not found" (correctly). pam_ldap.so ignores that
error message and passes the user on the pam_ccreds.


Tested with old versions 0.7.16 and 0.8.12 and new version 0.9.4.


What I'm thinking of doing:

Test for NSLCD_RESULT_END without first NSLCD_RESULT_BEGIN, and if
this is found, return ERROR_OUT_NOSUCCESS.

If no NSLCD_RESULT_BEGIN and no NSLCD_RESULT_END, return
ERROR_OUT_READERROR.

Can I just change common/nslcd-prot.h:

#define READ_RESPONSE_CODE(fp) \
 READ(fp, &tmpint32, sizeof(int32_t)); \
 tmpint32 = ntohl(tmpint32); \
 if (tmpint32 != (int32_t)NSLCD_RESULT_END) \
 { \
   ERROR_OUT_NOSUCCESS(fp); \
 }
 if (tmpint32 != (int32_t)NSLCD_RESULT_BEGIN) \
 { \
   ERROR_OUT_READERROR(fp); \
 }

or will this break for multiple matches?


Berend



--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/