
Re: Fwd: Help required regarding nss-pam-ldap




Hi Arthur,

Below are my observations:
1) As expected, the nslcd -d output shows "pam_authc_search BASE" as the default behaviour (when there is no pam_authc_search entry in nslcd.conf).
2) When "pam_authc_search NONE" is set in nslcd.conf, the nslcd -d output shows pam_authc_search set to NONE.

Irrespective of the "pam_authc_search" filter value, the LDAP login behaviour works the same, which means that with "pam_authc_search BASE" the users without self read access should ideally have failed, and login should only work with "pam_authc_search NONE". But in the test environment the LDAP users without self read access logged in irrespective of "pam_authc_search BASE / NONE". Below is the nslcd -d output:

1) pam_authc_search is not set in nslcd.conf

[root@cr8sec2 ~] # nslcd -d
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.8
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,never)
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: # uid not set
nslcd: DEBUG: CFG: # gid not set
nslcd: DEBUG: CFG: uri ldap://<LdapIPAddress>
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn <myBindDn>
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: rootpwmoddn crypt
nslcd: DEBUG: CFG: base <myBaseDn>
nslcd: DEBUG: CFG: scope one
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectclass=user)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd uid sAMAccountName
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 30
nslcd: DEBUG: CFG: timelimit 30
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert never
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_uid_offset 0
nslcd: DEBUG: CFG: nss_gid_offset 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase yes
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: nslcd may already be active, cannot acquire lock (/var/run/nslcd/nslcd.pid): Permission denied
[root@cr8sec2 ~] #



2) pam_authc_search is explicitly set to BASE in nslcd.conf

[root@cr8sec2 ~] # nslcd -d
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.8
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,never)
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: # uid not set
nslcd: DEBUG: CFG: # gid not set
nslcd: DEBUG: CFG: uri ldap://<LdapIPAddress>
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn <myBindDn>
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: rootpwmoddn crypt
nslcd: DEBUG: CFG: base <myBaseDn>
nslcd: DEBUG: CFG: scope one
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectclass=user)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd uid sAMAccountName
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 30
nslcd: DEBUG: CFG: timelimit 30
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert never
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_uid_offset 0
nslcd: DEBUG: CFG: nss_gid_offset 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase yes
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: nslcd may already be active, cannot acquire lock (/var/run/nslcd/nslcd.pid): Permission denied




3) pam_authc_search is explicitly set to NONE in nslcd.conf

[root@cr8sec2 ~] # nslcd -d
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.8
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,never)
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: # uid not set
nslcd: DEBUG: CFG: # gid not set
nslcd: DEBUG: CFG: uri ldap://<ldapIPAddress>
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn <myBindDn>
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: rootpwmoddn crypt
nslcd: DEBUG: CFG: base <myBaseDn>
nslcd: DEBUG: CFG: scope one
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectclass=user)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd uid sAMAccountName
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 30
nslcd: DEBUG: CFG: timelimit 30
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert never
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_uid_offset 0
nslcd: DEBUG: CFG: nss_gid_offset 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase yes
nslcd: DEBUG: CFG: pam_authc_search NONE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: nslcd may already be active, cannot acquire lock (/var/run/nslcd/nslcd.pid): Permission denied
[root@cr8sec2 ~] #


On Sun, Aug 13, 2017 at 3:51 PM, Arthur de Jong <arthur [at] arthurdejong.org> wrote:
On Fri, 2017-08-11 at 16:31 +0530, Thejaswi Manjunatha wrote:
> I was testing your fix, when doing here are couple of observations :

Hi Thejaswi,

I see I sent my reply only to the list, it is available here:

https://lists.arthurdejong.org/nss-pam-ldapd-users/2017/msg00095.html

If you can provide the output of nslcd -d of both versions it would be
very helpful.

Kind regards,

--
-- arthur - arthur [at] arthurdejong.org - https://arthurdejong.org/ --



--
Regards

Manjunatha Thejaswi
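An added helper for reading runs like the three above (example code, not part of this thread or of nss-pam-ldapd): it parses the `CFG:` lines that nslcd -d prints, reports which settings differ between two runs, and flags the "cannot acquire lock" line, after which nslcd exits rather than serve requests, so a login test made afterwards still goes through the daemon that was already running with its earlier configuration. The sample runs are constructed from the output quoted in the message and trimmed to a few settings.

```python
import re

# Constructed sample runs, trimmed from the nslcd -d output quoted above:
# the first with pam_authc_search left at its default, the second with NONE.
RUN_DEFAULT = """\
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.8
nslcd: DEBUG: CFG: # uid not set
nslcd: DEBUG: CFG: uri ldap://<LdapIPAddress>
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert never
nslcd: DEBUG: CFG: map passwd uid sAMAccountName
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: nslcd may already be active, cannot acquire lock (/var/run/nslcd/nslcd.pid): Permission denied
"""
RUN_NONE = RUN_DEFAULT.replace("pam_authc_search BASE", "pam_authc_search NONE")

# "CFG: <key> <value>"; the "# uid not set" style comment lines are skipped.
CFG_RE = re.compile(r"^nslcd: DEBUG: CFG: (?!#)(\S+)\s*(.*)$")


def parse_run(output):
    """Parse one nslcd -d run into ({setting: [values]}, lock_acquired).
    Repeatable keys such as 'map' and 'filter' collect all their lines."""
    settings, lock_acquired = {}, True
    for line in output.splitlines():
        m = CFG_RE.match(line)
        if m:
            settings.setdefault(m.group(1), []).append(m.group(2))
        elif "cannot acquire lock" in line:
            # nslcd exits at this point; the daemon that is already running
            # keeps serving requests with the configuration it loaded earlier.
            lock_acquired = False
    return settings, lock_acquired


def diff_runs(a, b):
    """Settings whose values differ between two parsed runs."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def review(settings, lock_acquired):
    """Defender-side checks on the effective configuration of one run."""
    findings = []
    if not lock_acquired:
        findings.append("debug instance did not start: the test hit the old daemon")
    plain_uri = any(u.startswith("ldap://") for u in settings.get("uri", []))
    if plain_uri and settings.get("ssl") == ["off"]:
        findings.append("plain ldap:// with ssl off: simple binds send passwords in clear")
    if settings.get("tls_reqcert") == ["never"]:
        findings.append("tls_reqcert never: the server certificate is not verified")
    return findings
```

Run the three captured outputs through `parse_run` and `diff_runs` to confirm that `pam_authc_search` is the only setting that changed, and check `review` before trusting a login test.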