Public bug reported:

Linux clients that use ldap authentication with nslcd and a long
pam_authz_search filter will see authentication fail silently

reproduction steps:

modify entry for 127.0.1.1 in /etc/hosts so the example.com dc is used by slapd
EX:
x.x.x.x       server1
change to:
x.x.x.x       server1.example.com     server1

apt-get install nslcd # set search base "dc=example,dc=com". then select all services to use ldap lookups when configuring libnss-ldapd.
apt-get install slapd
dpkg-reconfigure slapd # dns name "example.com"
apt-get install migrationtools

turn on ldap authentication using pam-auth-update

stop nslcd and slapd. We'll start them in debug mode

/etc/init.d/nslcd stop
/etc/init.d/slapd stop

migrate users to ldap. edit /etc/migrationtools/migrate_common.ph and change:
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";

then run commands to create ldif exports of group and passwd
/usr/share/migrationtools/migrate_group.pl /etc/group ~/group.ldif
/usr/share/migrationtools/migrate_passwd.pl /etc/passwd ~/passwd.ldif

edit ~/people_group.ldif adding contents:
dn: ou=People, dc=example, dc=com
ou: People
objectclass: organizationalUnit

dn: ou=Group, dc=example, dc=com
ou: Group
objectclass: organizationalUnit

import data into ldap:
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/people_group.ldif
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/group.ldif
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/passwd.ldif

edit /etc/nslcd.conf adding pam_authz_search filter
pam_authz_search 
(&(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount))

open 2 new terminals and become root

in one terminal run nslcd in debug mode:
nslcd -d

in second terminal run slapd in debug mode:
slapd -d -1

in your original terminal attempt to sudo to a user other than root and
watch the debug output in the slapd and nslcd terminals:

sudo su ubuntu

look for the output "DEBUG: trying pam_authz_search" in the nslcd
terminal, indicating the filter is being used

increase pam_authz_search filter beyond 1024 characters and note that
you no longer see "Trying pam_authz_search" in the nslcd output and that
authentication fails silently
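The report's trigger is a pam_authz_search value longer than 1024 characters. As an added example (not code from the report or from nss-pam-ldapd), the check below lints an nslcd.conf for filters over that threshold before a client is deployed, and builds the same kind of repeated-clause filter the report uses; the configuration text is constructed, and the 1024 limit is taken from the report rather than from nslcd's source.

```python
"""Flag pam_authz_search filters in nslcd.conf that exceed the length at
which the bug report above says nslcd stops evaluating them silently."""

# Threshold quoted in the bug report (assumption: taken from the report, not nslcd code).
FILTER_LIMIT = 1024

# Constructed sample nslcd.conf, not a file from the report.  The second
# filter repeats one clause 40 times, the way the reproduction steps do.
SAMPLE_CONF = (
    "# /etc/nslcd.conf (constructed sample)\n"
    "uid nslcd\n"
    "gid nslcd\n"
    "uri ldap://server1.example.com/\n"
    "base dc=example,dc=com\n"
    "pam_authz_search (&(objectClass=posixAccount)(uid=$username))\n"
    "pam_authz_search " + "(&" + "(objectClass=posixAccount)" * 40 + ")\n"
)


def build_repeated_filter(clauses):
    """Return an AND filter of `clauses` identical clauses, as in the report."""
    return "(&" + "(objectClass=posixAccount)" * clauses + ")"


def parse_authz_filters(conf_text):
    """Return the value of every pam_authz_search line, skipping blank and
    comment lines.  nslcd allows the option to appear more than once."""
    filters = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "pam_authz_search" and len(parts) == 2:
            filters.append(parts[1].strip())
    return filters


def check_filters(conf_text, limit=FILTER_LIMIT):
    """Return (index, length) for each filter whose length exceeds `limit`."""
    return [(i, len(f)) for i, f in enumerate(parse_authz_filters(conf_text))
            if len(f) > limit]


if __name__ == "__main__":
    for idx, length in check_filters(SAMPLE_CONF):
        print("pam_authz_search #%d is %d chars, over the %d-char limit: "
              "nslcd may fail authentication silently" % (idx, length, FILTER_LIMIT))
```

Run it against the real file with `check_filters(open("/etc/nslcd.conf").read())` once nslcd is configured.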

** Affects: nss-pam-ldapd (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  Linux clients that use ldap authentication with nslcd and a long
  pam_authz_search filter will see authentication fail silently
  
  reproduction steps:
  
  modify entry for 127.0.1.1 in /etc/hosts so the example.com dc is used by 
slapd
  EX:
  x.x.x.x       server1
  change to:
  x.x.x.x       server1.example.com     server1
  
  apt-get install nslcd # set search base "dc=example,dc=com". then select all 
for services use ldap lookups when configuring libnss-ldapd.
  apt-get install slapd
  dpkg-reconfigure slapd # dns name "example.com"
  apt-get install migrationtools
  
  turn on ldap authentication using pam-auth-update
  
  stop nslcd and slapd. We'll start them in debug mode
  
  /etc/init.d/nslcd stop
  /etc/init.d/slapd stop
  
  migrate users to ldap. edit /etc/migrationtools/migrate_common.ph and change:
  $DEFAULT_MAIL_DOMAIN = "example.com";
  $DEFAULT_BASE = "dc=example,dc=com";
  
  then run commands to create ldif exports of group and passwd
  /usr/share/migrationtools/migrate_group.pl /etc/group ~/group.ldif
  /usr/share/migrationtools/migrate_passwd.pl /etc/passwd ~/passwd.ldif
  
  edit ~/people_group.ldif adding contents:
  dn: ou=People, dc=example, dc=com
  ou: People
  objectclass: organizationalUnit
  
  dn: ou=Group, dc=example, dc=com
  ou: Group
  objectclass: organizationalUnit
  
  import data into ldap:
  ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/people_group.ldif
- ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/group.ldif 
- ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/passwd.ldif 
+ ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/group.ldif
+ ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/passwd.ldif
  
  edit /etc/nslcd.conf adding pam_authz_search filter
  pam_authz_search 
(&(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount))
  
  open 2 new terminals and become root
  
  in one terminal run nslcd in debug mode:
  nslcd -d
  
  in second terminal run slapd in debug mode:
  slapd -d -1
  
  in your original terminal attempt to sudo to a user other than root and
  watch the debug output in the slapd and nslcd terminals:
  
  sudo su ubuntu
  
  look for output in nslcd terminal "DEBUG: trying pam_authz_search" in
  nslcd terminal indicating filter is being used
  
- increase search string beyond 1024 buffer and note that we're no longer
- seeing "Trying pam_authz_search" in the nslcd output and that
+ increase pam_authz_search filter beyond 1024 characters and note that
+ you no longer see "Trying pam_authz_search" in the nslcd output and that
  authentication fails silently
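Review bot: the rewording of the last step drops the old text's mention of a 1024 buffer, which is the more useful hint for the maintainer because it points at a fixed-size buffer rather than a bare character count; consider keeping both, e.g. "increase pam_authz_search filter beyond 1024 characters (the apparent buffer size)", so the reproduction threshold and the suspected cause both survive.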

https://bugs.launchpad.net/bugs/951343

Title:
  authentication fails silently with long pam_authz_search filter
