Hi Arthur!

On Sat, 29 Jan 2011 22:06:07 +0100, Arthur de Jong wrote:
> On Mon, 2011-01-24 at 01:49 +0100, Luca Capello wrote:
>> 1) 'host=*' is not honoured
>>
>> I am not an LDAP expert and I could not find any documentation
>> (authoritative or not) about the accepted values for this LDAP
>> attribute, so I do not know who is at fault here.
>
> I don't think the option is standardized anywhere. RFC 1274 (which
> defines the attribute) does not describe its use and the "Using LDAP as
> a Network Information Service" Internet Draft does not describe PAM.

In that case, my fault ;-)

>> As you can see, nslcd removes the escape and the correct result is
>> obtained with a double escape in nslcd.conf:
>>
>> (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=\\*)))
>
> The example filter in the manual page only filtered if the host
> attribute was set (it would allow any access if the attribute was not
> set). I've updated the manual page.

Wow, that was fast, thank you!

>> I could not find any documentation about escaping in the
>> pam_authz_search filter...
>
> I've added a note to the manual page about escaping.

Perfect, do you mind adding <literal>*</literal> to the list of
must-be-quoted characters?

>> 2) the variable $hostname contains the value of `hostname` and not the
>> FQDN like with PADL's pam_ldap, thus a tricky filter must be used:
>>
>> (&(objectClass=posixAccount)(uid=$username)\
>> (|(host=$hostname)(host=$hostname.$DOMAIN)(!(host=*))))
>
> I've implemented a $fqdn variable that can be used (will be in the next
> release).

Thank you *very* much.

FWIW, last weekend (before your reply) I did other tests and found out
that PADL's pam_ldap worked with both `hostname` and `hostname -f`
outputs. I think this is a bug in PADL's pam_ldap, given that there is
no way to restrict that (like it is now possible with nss-pam-ldapd's
$fqdn variable, thanks again).

>> BTW, I was expecting any PAM-related output to be in /var/log/auth.log,
>> until I realized that nslcd logs to /var/log/syslog.
>
> nslcd logs to /var/log/syslog but if the PAM module logs anything it
> should be in /var/log/auth.log. This may be a bit confusing when looking
> for PAM-related problems but I think it is less confusing than logging
> part of nslcd to /var/log/auth.log.

It is perfectly fine, I did not find any hint in nslcd's manpages, that
is all.

BTW, is it normal that the PAM module does not log anything at all?

=====
luca@gismo:~$ su luca.capello
Password:
luca.capello@gismo:/home/luca$ exit
luca@gismo:~$ su
Password:
gismo:/home/luca# less /var/log/auth.log
[...]
Feb 1 11:51:20 gismo su[16372]: pam_unix(su:auth): authentication failure; \
  logname=luca uid=1000 euid=0 tty=/dev/pts/8 ruser=luca rhost= user=luca.capello
Feb 1 11:51:21 gismo su[16372]: Successful su for luca.capello by luca
Feb 1 11:51:21 gismo su[16372]: + /dev/pts/8 luca:luca.capello
Feb 1 11:51:21 gismo su[16372]: pam_unix(su:session): session opened for \
  user luca.capello by luca(uid=1000)
Feb 1 11:51:24 gismo su[16372]: pam_unix(su:session): session closed for \
  user luca.capello
gismo:/home/luca# less /var/log/syslog
[nothing nslcd-related]
gismo:/home/luca#
=====

> Anyway, thanks for pointing this out. The changes will be in the next
> development release (0.8.1).

I am eager to update my sid, then :-)

Thx, bye,
Gismo / Luca
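The escaping problem discussed in the thread (an unescaped `*` in `host=*` is a presence filter that matches any account carrying a `host` value, while the double-escaped `\\*` in nslcd.conf reaches the server as a literal `*`) and the `$hostname` versus `$fqdn` difference can be checked offline with a small RFC 4515 filter evaluator. The following is an added example, not code from this thread or from nss-pam-ldapd: the entries, host names, the `expand_nslcd` model of how nslcd substitutes variables and strips one level of backslashes, and the helper names are all constructed for illustration. It also goes beyond the thread by handling the RFC 4515 hex form (`\2a`) next to the older `\*` form.

```python
"""Added example: minimal RFC 4515 filter evaluator for pam_authz_search-style
filters. Not nss-pam-ldapd code; entries and host names are constructed."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a value.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_value(value):
    """Escape a string for literal use as an assertion value (RFC 4515)."""
    return "".join(ESCAPES.get(c, c) for c in value)


def unescape_value(raw):
    """Undo filter escaping: '\\XX' -> the byte XX; a lone '\\c' is taken as the
    character c (the older style OpenLDAP also accepts, which is what the
    thread's '\\\\*' in nslcd.conf relies on)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", raw[i + 1:i + 3]):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        elif raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def expect_close(text, pos):
    if text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return pos + 1


def parse(text, pos=0):
    """Parse one parenthesised filter into a tuple tree.
    Supports &, |, !, equality and presence; returns (node, next_offset)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        items = []
        while text[pos] == "(":
            node, pos = parse(text, pos)
            items.append(node)
        return (op, items), expect_close(text, pos)
    if op == "!":
        node, pos = parse(text, pos + 1)
        return ("!", node), expect_close(text, pos)
    end = text.index(")", pos)          # an escaped ')' is '\29', so this is safe
    attr, _, raw = text[pos:end].partition("=")
    return ("=", attr.strip().lower(), raw), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr: [values]}.
    Values are compared case-insensitively, as for caseIgnore attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":                      # presence filter: matches any value at all
        return bool(values)
    wanted = unescape_value(raw).lower()
    return any(v.lower() == wanted for v in values)


def expand_nslcd(template, username, hostname, fqdn):
    """Model of nslcd's pam_authz_search expansion (assumption based on the
    thread): substitute the variables and strip one level of backslash escaping
    from the nslcd.conf value. Substituted values are escaped here as a
    safety measure."""
    text = template.replace("\\\\", "\\")
    return (text.replace("$username", escape_value(username))
                .replace("$hostname", escape_value(hostname))
                .replace("$fqdn", escape_value(fqdn)))


# nslcd.conf-style templates: the fixed one from the thread (with $fqdn) and
# a naive one whose unescaped '*' is a presence test, not a literal match.
FILTER = ("(&(objectClass=posixAccount)(uid=$username)"
          "(|(host=$hostname)(host=$fqdn)(host=\\\\*)(!(host=*))))")
NAIVE = "(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=*)))"

# Constructed directory entries (attribute names lower-cased).
ENTRIES = {
    "anywhere":   {"objectclass": ["posixAccount"], "uid": ["anywhere"], "host": ["*"]},
    "gismo-only": {"objectclass": ["posixAccount"], "uid": ["gismo-only"], "host": ["gismo.example.org"]},
    "elsewhere":  {"objectclass": ["posixAccount"], "uid": ["elsewhere"], "host": ["other.example.org"]},
    "nohost":     {"objectclass": ["posixAccount"], "uid": ["nohost"]},
}


def allowed(template, username, hostname, fqdn):
    """True if the expanded filter matches the user's entry on this host."""
    entry = ENTRIES.get(username)
    if entry is None:
        return False
    node, _ = parse(expand_nslcd(template, username, hostname, fqdn))
    return matches(node, entry)


if __name__ == "__main__":
    for user in ENTRIES:
        print("%-10s fixed=%-5s naive=%s" % (
            user,
            allowed(FILTER, user, "gismo", "gismo.example.org"),
            allowed(NAIVE, user, "gismo", "gismo.example.org")))
```

Running it shows the two points of the thread side by side: with `NAIVE`, the `elsewhere` account (host restricted to another machine) is granted access on gismo because `(host=*)` only asks whether a `host` value exists; with `FILTER`, the literal `*` in `anywhere` is matched through the double escape, `gismo-only` is matched only through `$fqdn`, and entries without a `host` attribute are admitted explicitly by `(!(host=*))` rather than by accident.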

