
Re: ** Newsletter/Marketing email** Re: PAM triggers requests to LDAP server even when NSCD is configured



I apologize if this is off track, but the cache is not going to perform the search/bind. If the user/group is in the cache, the authentication event will still search/bind against the LDAP service? There's no way to get away from that. Otherwise you would have scenarios where users who have been disabled would still be able to authenticate randomly to systems in the environment for some period until their cached data drops.

Established sessions persist until exited. This behavior is detailed here; the discussion is about loss of network connectivity, but the concept is the same...

https://www.techrepublic.com/blog/linux-and-open-source/authentication-caching-with-nscd/

Last paragraph:
Once nscd has started and has a few cached entries under its belt — if you are already logged in and then disconnect from the network — you will still be able to continue using the system just as if you were on the network...

...nscd does not cache authentication information such as passwords. As such, new login attempts would fail because nscd does not cache the equivalent of shadow passwords, which would allow new logins to succeed. However, established login sessions will continue to function as normal.

On Thu, Jan 11, 2018 at 2:46 AM, saikiran.reddy [at] wipro.com <saikiran.reddy [at] wipro.com> wrote:

Hi,

I am facing an issue when using nscd (for caching) with nslcd. Details below. I am following the setup steps as per the guidelines at https://arthurdejong.org/nss-pam-ldapd/setup.

I would appreciate it if you could point me in the right direction.

 

Problem:
------------
With nscd configured, the expectation was that nslcd would not send further requests to the LDAP server until the “positive-time-to-live” (configured in nscd.conf) expires. I have analyzed the Wireshark captures and noticed that this is not the case.

Details:
--------------
WITHOUT NSCD:

1. User attempts to login by providing the username.
2. SSHD checks for the presence of the user in local files, does not find it (since the users are LDAP users) and queries the LDAP server.
3. LDAP server returns a success.
4. SSH starts PAM (UsePAM = yes, in sshd.conf) and prompts the user to enter the password.
5. User enters the password.
6. PAM triggers the LDAP search request (similar content as done in step 2 !!) to the LDAP server.
7. Same as step 3.
8. SSH login available to user.
9. The above steps occur for all subsequent logins of the user.

WITH NSCD:

1. Steps 1-8 same as above in the FIRST iteration.
2. Second and subsequent iterations until “positive-time-to-live”: ONLY step 2 DOES NOT happen, but steps 6 & 7 are still happening. As per my understanding that should not be the case. Could you please confirm?

 

CONFIG/Ver:
------------------
Following are the details of the versions and the config files of nsswitch, nscd and pam.d/ for your reference.

Using nslcd – 0.9.5

root@ep:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:         files ldap

root@ep:~# cat /etc/nscd.conf
        enable-cache            passwd          yes
        positive-time-to-live   passwd          6000
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes
        persistent              passwd          yes
        shared                  passwd          yes
        max-db-size             passwd          33554432
        auto-propagate          passwd          yes

.. same for group, services, netgroup

pam.d/common-account
account   required    pam_unix.so
account   sufficient  pam_ldap.so minimum_uid=1000
account   required    pam_permit.so

pam.d/common-auth
auth      sufficient  pam_ldap.so minimum_uid=1000
auth      sufficient  pam_unix.so nullok try_first_pass
auth      required    pam_deny.so

pam.d/common-password
password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  sufficient  pam_ldap.so minimum_uid=1000 try_first_pass
password  required    pam_deny.so

pam.d/common-session
session   required    pam_unix.so
session   optional    pam_ldap.so minimum_uid=1000
session   required    pam_mkhomedir.so skel=/etc/skel umask=0022

Thanks,
Sai


--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/



On Fri, Jan 12, 2018 at 4:47 AM, saikiran.reddy [at] wipro.com <saikiran.reddy [at] wipro.com> wrote:

Hi Markham,

Thanks for the mail.

Unfortunately, it did not help. I still see the requests going out, triggered by the PAM module.

Rgds,
Sai

 

From: nss-pam-ldapd-users [mailto:nss-pam-ldapd-users-bounces+saikiran.reddy=wipro.com@lists.arthurdejong.org] On Behalf Of markham breitbach
Sent: Thursday, January 11, 2018 9:53 PM
To: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: ** Newsletter/Marketing email** Re: PAM triggers requests to LDAP server even when NSCD is configured

 

Hi Sai,

Last time I used this I found the nscd would occasionally just hang (this was on a busy mail server), so I haven't gone back to looking at it for a couple of years, but IIRC nsswitch.conf needs to mention the cache first.

https://www.freebsd.org/cgi/man.cgi?query=nsswitch.conf&sektion=5

# /etc/nsswitch.conf
passwd:         cache files ldap
group:          cache files ldap
shadow:         cache files ldap

-Markham





--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

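Todd's point, modelled in Python as an added example that is not code from nscd, nslcd or anyone in the thread: nscd only caches the NSS lookup, so once an entry is cached step 2 disappears but the pam_ldap search and bind (steps 6 and 7) reach the server on every login, and an account disabled after it was cached is still refused. The nscd.conf excerpt is the passwd section from Sai's mail; the account data (DIRECTORY) and the use of `directory.get` as a stand-in for nslcd's search are constructed assumptions.

```python
"""Model of the two LDAP paths in the thread: the NSS lookup, which nscd caches,
and the pam_ldap search + bind, which it never does. Added illustration, not nscd
or nslcd code; NSCD_CONF is from Sai's mail, DIRECTORY and directory.get are constructed."""

NSCD_CONF = """
        enable-cache            passwd          yes
        positive-time-to-live   passwd          6000
        negative-time-to-live   passwd          20
"""
DIRECTORY = {"sai": {"password": "s3cret", "disabled": False}}  # constructed sample

def parse_nscd_conf(text):
    """Return {database: {option: value}} for the option lines of nscd.conf."""
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not parts[0].startswith("#"):
            opt, db, val = parts
            conf.setdefault(db, {})[opt] = val
    return conf

class Nscd:
    """NSS-side cache honouring the database's positive/negative TTLs (seconds)."""
    def __init__(self, conf, db="passwd"):
        opts = conf.get(db, {})
        self.enabled = opts.get("enable-cache") == "yes"
        self.pos_ttl = int(opts.get("positive-time-to-live", 3600))
        self.neg_ttl = int(opts.get("negative-time-to-live", 20))
        self.entries = {}  # name -> (entry or None, expiry time)

    def lookup(self, name, now, backend):
        """getpwnam() through nscd; returns (entry, went_to_ldap)."""
        cached = self.entries.get(name)
        if self.enabled and cached and cached[1] > now:
            return cached[0], False        # cache hit: no LDAP traffic
        entry = backend(name)              # nslcd searches the directory
        if self.enabled:                   # misses are cached too, with the negative TTL
            self.entries[name] = (entry, now + (self.pos_ttl if entry else self.neg_ttl))
        return entry, True

def login(user, password, now, cache, directory=DIRECTORY):
    """One SSH login; returns (success, number of LDAP requests sent)."""
    entry, went_to_ldap = cache.lookup(user, now, directory.get)   # step 2 of the thread
    requests = 1 if went_to_ldap else 0
    if entry is None:
        return False, requests             # unknown user: nothing to bind as
    # Steps 6 and 7: pam_ldap searches for the DN and binds with the password.
    # That is an authentication event and goes to the server on every login.
    live = directory.get(user)
    return (live is not None and live["password"] == password and not live["disabled"]), requests + 2
```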