lists.arthurdejong.org

Re: Query about authinfo_unavail and user_unknown behaviour




On Sun, 28 Sep, 2014 at 6:10, Arthur de Jong <arthur@arthurdejong.org> wrote:
> On Wed, 2014-08-27 at 19:19 +0200, Berend De Schouwer wrote:
> > I'm running nss-pam-ldapd against an OpenLDAP server, and I've
> > encountered some unexpected behaviour. I'd like to know if this is
> > as designed, or not.
> >
> > Expected behaviour:
> >
> >  - nslcd down => authinfo_unavailable
> >  - nslcd up, ldap down => authinfo_unavailable
> >  - nslcd up, ldap up, record not found => user_unknown
> >  - nslcd up, ldap up, record found => test password
> >
> > Actual behaviour:
> >
> >  - nslcd down => authinfo_unavailable
> >  - nslcd up, ldap down => user_unknown
> >  - nslcd up, ldap up, record not found => user_unknown
> >  - nslcd up, ldap up, record found => test password
>
> The expected behaviour is indeed cleaner and should be the case ever
> since 0.8.3. I just did some testing with 0.9.4 and pam_ldap should
> return PAM_AUTHINFO_UNAVAIL if nslcd is up but the LDAP server is
> unavailable (at least for auth).

I can confirm good behaviour with this patch, bad behaviour with 0.7.16.

My "unit tests" to test this condition were getting confused because: "not retrying server ldap://127.0.0.1:9009/ which failed just 1 second(s) ago and has been failing for 12 seconds"

It's been a bit problematic writing repeatable tests for nslcd up/down, ldap up/down, password in cache up/down, password good/bad... Fun with timing :)


