PAM triggers requests to LDAP server even when NSCD is configured
- From: "saikiran.reddy [at] wipro.com" <saikiran.reddy [at] wipro.com>
- To: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: PAM triggers requests to LDAP server even when NSCD is configured
- Date: Thu, 11 Jan 2018 10:46:39 +0000
Hi,

I am facing an issue when using nscd (for caching) with nslcd. Details below. I am following the setup steps as per the guidelines at
https://arthurdejong.org/nss-pam-ldapd/setup.
I would appreciate it if you could point me in the right direction.

Problem:
------------
With nscd configured, the expectation was that the nslcd would not send further requests to the ldap server until the “positive-time-to-live” (configured in nscd.conf) expires.
I have analyzed the wireshark captures and noticed that it is not the case.

Details:
--------------
WITHOUT NSCD:
1. User attempts to login by providing the username.
2. SSHD checks for the presence of the user in local files, does not find it (since the users are ldap) and queries the LDAP server.
3. LDAP server returns a success.
4. SSH starts the PAM (UsePAM = yes, in sshd.conf) and prompts the user to enter the password.
5. User enters the passwd.
6. PAM triggers the ldap search request (similar content as done in step 2 !!) to the ldap server.
7. Same as step 3.
8. SSH login available to user.
9. The above steps occur for all subsequent logins of the user.

WITH NSCD:
1. Steps 1-8 same as above in the FIRST iteration.
2. Second and subsequent iteration until “positive-time-to-live”, ONLY step 2 DOES not happen, but steps 6 & 7 are happening. As per my understanding that should not be the case. Could you please confirm?

CONFIG/Ver:
------------------
Following are the details of the versions and the config files of nsswitch, nscd and pam.d/ for your reference.
Using Nslcd – 0.9.5

root@ep:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap

root@ep:~# cat /etc/nscd.conf
enable-cache passwd yes
positive-time-to-live passwd 6000
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
.. same for group, services, netgroup

pam.d/common-account
account required pam_unix.so
account sufficient pam_ldap.so minimum_uid=1000
account required pam_permit.so

pam.d/common-auth
auth sufficient pam_ldap.so minimum_uid=1000
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so

pam.d/common-password
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password required pam_deny.so

pam.d/common-session
session required pam_unix.so
session optional pam_ldap.so minimum_uid=1000
session required pam_mkhomedir.so skel=/etc/skel umask=0022

Thanks,
Sai
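
An added example, not part of the original message or of nss-pam-ldapd: a Python check run over the configuration quoted above (the group lines are constructed from the message's "same for group") that lists which LDAP-backed NSS databases have no nscd cache and which PAM entries call pam_ldap.so. It assumes two facts about the software that the message does not state: nscd caches only NSS database lookups (passwd, group, hosts, services, netgroup; it has no shadow cache), and pam_ldap.so hands PAM requests to nslcd, which nscd does not sit in front of.

```python
# Constructed sample input, copied from the configuration in the message above.
NSSWITCH = """passwd: files ldap
group: files ldap
shadow: files ldap"""
NSCD_CONF = """enable-cache passwd yes
positive-time-to-live passwd 6000
enable-cache group yes
positive-time-to-live group 6000"""
PAM = {
    "common-account": """account required pam_unix.so
account sufficient pam_ldap.so minimum_uid=1000
account required pam_permit.so""",
    "common-auth": """auth sufficient pam_ldap.so minimum_uid=1000
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so""",
}

def nss_sources(text):
    """Map each nsswitch database to its ordered list of sources."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            out[db.strip()] = sources.split()
    return out

def nscd_ttl(text):
    """Return {database: positive TTL in seconds} for databases with caching enabled."""
    enabled, ttl = set(), {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "enable-cache" and parts[2] == "yes":
            enabled.add(parts[1])
        elif len(parts) == 3 and parts[0] == "positive-time-to-live":
            ttl[parts[1]] = int(parts[2])
    return {db: ttl.get(db) for db in enabled}

def uncached_ldap_lookups(nsswitch, nscd_conf):
    """Databases resolved via ldap for which nscd holds no enabled cache."""
    cached = nscd_ttl(nscd_conf)
    return sorted(db for db, src in nss_sources(nsswitch).items()
                  if "ldap" in src and db not in cached)

def pam_ldap_calls(stacks):
    """(file, type) pairs that invoke pam_ldap.so: PAM requests, not NSS lookups."""
    return [(name, f[0]) for name, text in stacks.items()
            for f in (ln.split() for ln in text.splitlines())
            if len(f) >= 3 and f[2] == "pam_ldap.so"]

if __name__ == "__main__":
    print("positive TTLs:", nscd_ttl(NSCD_CONF))
    print("ldap lookups nscd cannot serve:", uncached_ldap_lookups(NSSWITCH, NSCD_CONF))
    print("pam_ldap invocations:", pam_ldap_calls(PAM))
```

On this input the shadow database and every pam_ldap.so entry fall outside what nscd can answer, so the positive-time-to-live setting only governs the passwd and group lookups.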