Package: libpam-ldapd
Version: 0.8.12-1
Severity: normal
Tags: patch

Dear Maintainer,

the current pam configuration in wheezy up to experimental for libpam-ldapd does not allow a login using cached credentials (libpam-ccreds). The problem area seems to be the "account" pam type where the current configuration puts the ldap module as an Additional.

I see this behaviour using the currently available config when doing a login without LDAP reachable:

  You have been logged on using cached credentials.
  Authentication failure

By reordering the ldap as a Primary for account and also allowing it to pass if authinfo_unavail (i.e. no LDAP servers reachable) it works as expected for me. This solution is briefly touched in this Ubuntu forum thread: http://ubuntuforums.org/showthread.php?t=1585654 .

My setup is simple with only passwd, group and credentials in LDAP doing auth with libpam-ldapd and caching with libpam-ccreds.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (900, 'testing'), (700, 'experimental'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-ldapd depends on:
ii  libc6              2.13-38
ii  libpam-runtime     1.1.3-7.1
ii  libpam0g           1.1.3-7.1
ii  multiarch-support  2.13-38
ii  nslcd              0.8.10-4

libpam-ldapd recommends no packages.

libpam-ldapd suggests no packages.

-- no debconf information

--- 1/ldap 2013-04-16 22:16:20.089080110 +0200 +++ 2/ldap 2013-04-16 22:57:52.814167409 +0200 @@ -6,9 +6,9 @@ [success=end default=ignore] pam_ldap.so minimum_uid=1000 Auth: [success=end default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass -Account-Type: Additional +Account-Type: Primary Account: - [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000 + [success=end new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=end default=bad] pam_ldap.so minimum_uid=1000 Password-Type: Primary Password-Initial: [success=end default=ignore] pam_ldap.so minimum_uid=1000
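Review bot: On the Account line, authinfo_unavail=end makes the account check fail open: when pam_ldap reports authinfo_unavail because no LDAP server is reachable, the stack now jumps to the end exactly as it does for success, so account-phase restrictions that only the directory knows about are not applied while LDAP is down. That holds for every service using this profile's account stack, not only for logins that libpam-ccreds satisfied from its cache. Consider keeping authinfo_unavail=ignore in the shipped default and documenting the authinfo_unavail=end variant for ccreds setups, or at least state the trade-off in the package documentation. Separately, the switch to Account-Type: Primary together with success=ok becoming success=end means a successful pam_ldap result now ends the Primary block, so any Primary account module ordered after it no longer runs for LDAP users; the report does not say whether that is intended.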

