Public bug reported:
Description: Ubuntu 14.04.5 LTS
Release: 14.04
nslcd: 0.9.6-1
I'm seeing an issue with nslcd triggering an additional authentication
attempt for every "uri" specified in nslcd.conf when using pam_ldap in
the common-auth stack of /etc/pam.d. E.g. if you specify 6 LDAP servers
in nslcd.conf, a single failed auth attempt hits all 6 servers
separately. My /etc/pam.d/common-auth looks as follows:
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so try_first_pass debug
account requisite pam_time.so
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
When an authentication attempt fails a password, the failed password attempt
then seems to cascade to each other LDAP server specified in the "uri" lines of
nslcd.conf. This becomes a problem if you have an account lockout threshold
that is lower than the number of uris specified in nslcd.conf.
Shouldn't nslcd return the authentication failure from the first LDAP
server that responds rather than continuing to try every other uri? E.g.
if I specified 8 LDAP servers, it could theoretically make 8 failed
attempts from a user failing 1 password?
Debug output of nslcd is below. This logging is produced by a *single*
failed password attempt on sshd login. The myldap_search function hits
mydomainctrl1, mydomainctrl2, drdomainctrl1, and drdomainctrl2 after
this single failed attempt.
nslcd: [3c9869] <passwd="knewman"> DEBUG: myldap_search(base="ou=User Accounts,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] <passwd="knewman"> DEBUG: myldap_search(base="ou=Service Accounts,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [3c9869] <passwd="knewman"> DEBUG: myldap_search(base="ou=Groups,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [3c9869] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [334873] DEBUG: connection from pid=10689 uid=0 gid=0
nslcd: [334873] <passwd="knewman"> DEBUG: myldap_search(base="ou=User Accounts,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_initialize(ldaps://mydomainctrl1.mydomain.net)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_rebind_proc()
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_simple_bind_s("[email protected]","***") (uri="ldaps://mydomainctrl1.mydomain.net")
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] <passwd="knewman"> DEBUG: myldap_search(base="ou=Service Accounts,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [334873] <passwd="knewman"> DEBUG: myldap_search(base="ou=Groups,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [334873] <passwd="knewman"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [b0dc51] DEBUG: connection from pid=10689 uid=0 gid=0
nslcd: [b0dc51] <authc="knewman"> DEBUG: nslcd_pam_authc("knewman","sshd","***")
nslcd: [b0dc51] <authc="knewman"> DEBUG: myldap_search(base="ou=User Accounts,dc=mydomain,dc=net", filter="(&(objectClass=user)(sAMAccountName=knewman))")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net
nslcd: [b0dc51] <authc="knewman"> DEBUG: myldap_search(base="CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net", filter="(objectClass=*)")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize(ldaps://mydomainctrl1.mydomain.net)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_bind("CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net","***") (uri="ldaps://mydomainctrl1.mydomain.net")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl1.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize(ldaps://mydomainctrl2.mydomain.net)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_bind("CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net","***") (uri="ldaps://mydomainctrl2.mydomain.net")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://mydomainctrl2.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize(ldaps://drdomainctrl1.mydomain.net)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_bind("CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net","***") (uri="ldaps://drdomainctrl1.mydomain.net")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://drdomainctrl1.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_initialize(ldaps://drdomainctrl2.mydomain.net)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_sasl_bind("CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net","***") (uri="ldaps://drdomainctrl2.mydomain.net")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: failed to bind to LDAP server ldaps://drdomainctrl2.mydomain.net: Invalid credentials: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="knewman"> CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net: Invalid credentials
nslcd: [b0dc51] <authc="knewman"> DEBUG: myldap_search(base="ou=User Accounts,dc=mydomain,dc=net", filter="(&(&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))(uid=knewman))")
nslcd: [b0dc51] <authc="knewman"> DEBUG: ldap_result(): CN=Kevin Newman,OU=Infrastructure,OU=Technology,OU=Shared Services,OU=User Accounts,DC=mydomain,DC=net
** Affects: nss-pam-ldapd (Ubuntu)
Importance: Undecided
Status: New
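To check for the same fan-out on another host without reading the raw debug stream by hand, here is an added example (not part of the report and not nss-pam-ldapd code) that parses "nslcd -d" output of the shape shown above, groups the ldap_sasl_bind() calls by nslcd request id and user, and reports how many distinct servers were asked to evaluate a single password. The sample log inside it is constructed: request b0dc51 mirrors the four rejections in the log above, and request a1b2c3 is an assumed follow-up in which the first three binds have tripped a lockout threshold of 3 and the fourth server answers AD sub-code 775 (account locked out). The sub-code table is the standard Active Directory one; the service account's ldap_simple_bind_s() used for passwd lookups is deliberately not counted.

```python
"""Count LDAP bind fan-out per PAM authentication in nslcd debug output.

Added example for this report, not nss-pam-ldapd code. It parses "nslcd -d"
output, groups ldap_sasl_bind() calls by nslcd request id and user, and
flags one PAM authentication whose rejected binds alone reach an
account-lockout threshold. Only <authc=...> requests count; the service
account's ldap_simple_bind_s() for passwd lookups is ignored.
"""
import re
from collections import defaultdict

# Well-known Active Directory "data NNN" sub-codes carried in the bind error.
AD_SUBCODES = {"52e": "invalid credentials", "532": "password expired",
               "533": "account disabled", "775": "account locked out"}

BIND_RE = re.compile(
    r'^nslcd: \[(?P<rid>[0-9a-f]+)\] <authc="(?P<user>[^"]+)"> DEBUG: '
    r'ldap_sasl_bind\(.*\) \(uri="(?P<uri>[^"]+)"\)$')
FAIL_RE = re.compile(
    r'^nslcd: \[(?P<rid>[0-9a-f]+)\] <authc="(?P<user>[^"]+)"> DEBUG: '
    r'failed to bind to LDAP server (?P<uri>\S+?): (?P<reason>.*)$')
SUBCODE_RE = re.compile(r'\bdata (?P<code>[0-9a-f]+)\b')


def summarize(log_text):
    """Map (request id, user) -> {"binds": [uri...], "failures": [(uri, subcode)...]}."""
    requests = defaultdict(lambda: {"binds": [], "failures": []})
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            requests[(m["rid"], m["user"])]["binds"].append(m["uri"])
            continue
        m = FAIL_RE.match(line)
        if m:
            sub = SUBCODE_RE.search(m["reason"])
            code = sub["code"] if sub else None
            requests[(m["rid"], m["user"])]["failures"].append((m["uri"], code))
    return dict(requests)


def flag_cascades(summary, lockout_threshold):
    """One finding per request that bound against more than one server.

    A single PAM authentication should cost at most one bad-password count, so
    several servers rejecting the same password (52e) under one request id is
    the fan-out described in the report.
    """
    findings = []
    for (rid, user), rec in summary.items():
        if len(set(rec["binds"])) < 2:
            continue
        rejected = [uri for uri, code in rec["failures"] if code == "52e"]
        findings.append({
            "rid": rid, "user": user,
            "servers_tried": len(set(rec["binds"])),
            "bad_password_binds": len(rejected),
            "exceeds_threshold": len(rejected) >= lockout_threshold,
            "lockout_observed": any(code == "775" for _, code in rec["failures"]),
            "reasons": [AD_SUBCODES.get(code, code) for _, code in rec["failures"]],
        })
    return findings


def constructed_request(rid, user, outcomes):
    """Constructed sample: debug lines in the shape of the report's log."""
    dn = "CN=Kevin Newman,OU=User Accounts,DC=mydomain,DC=net"
    pre = f'nslcd: [{rid}] <authc="{user}"> DEBUG: '
    lines = [pre + f'nslcd_pam_authc("{user}","sshd","***")']
    for uri, code in outcomes:
        lines.append(pre + f'ldap_sasl_bind("{dn}","***") (uri="{uri}")')
        lines.append(pre + f"failed to bind to LDAP server {uri}: Invalid credentials: "
                     f"80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext "
                     f"error, data {code}, v1db1")
        lines.append(pre + "ldap_unbind()")
    return lines


URIS = ["ldaps://mydomainctrl1.mydomain.net", "ldaps://mydomainctrl2.mydomain.net",
        "ldaps://drdomainctrl1.mydomain.net", "ldaps://drdomainctrl2.mydomain.net"]

# b0dc51 mirrors the report (four servers, four 52e). a1b2c3 is an assumed
# follow-up with a lockout threshold of 3: the fourth server answers 775.
SAMPLE_LOG = "\n".join(
    constructed_request("b0dc51", "knewman", [(u, "52e") for u in URIS])
    + constructed_request("a1b2c3", "knewman",
                          [(URIS[0], "52e"), (URIS[1], "52e"), (URIS[2], "52e"), (URIS[3], "775")]))

if __name__ == "__main__":
    for finding in flag_cascades(summarize(SAMPLE_LOG), lockout_threshold=3):
        print(finding)
```

Run it against a real capture with `nslcd -d 2>&1 | tee nslcd.log` and feed the file to summarize(); any finding with servers_tried greater than 1 means one PAM authentication was charged to more than one domain controller, and exceeds_threshold tells you whether that alone is enough to lock the account at your threshold.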
--
https://bugs.launchpad.net/bugs/1618190
Title:
nslcd Repeats Failed Auth Attempt for Every "uri" Specified in
nslcd.conf, Causes Account Lockouts
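The policy the report asks for, as an added example that is not nslcd's code: a result the directory actually returned (invalid credentials in particular) is authoritative and ends the attempt, and the loop moves on to the next uri only when a server could not be reached or could not service the bind. The result codes are libldap's values from ldap.h; fake_directory, URIS and the per-server outcomes are constructed for illustration, and retry_on_any_error=True reproduces the fan-out visible in the log above.

```python
"""Retry-on-transport-error-only policy for authenticating LDAP binds.

Added example, not nslcd's code: it models the behaviour the report asks for.
A result the directory actually returned (e.g. invalid credentials) is
authoritative and ends the attempt; only a server that could not be reached
justifies moving on to the next uri, so one PAM authentication costs at most
one bad-password count however many uris are configured.
"""

# libldap result codes as defined in ldap.h.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_BUSY = 51
LDAP_UNAVAILABLE = 52
LDAP_SERVER_DOWN = -1
LDAP_TIMEOUT = -5
LDAP_CONNECT_ERROR = -11

# Outcomes in which the server never evaluated the credentials.
RETRYABLE = {LDAP_SERVER_DOWN, LDAP_TIMEOUT, LDAP_CONNECT_ERROR, LDAP_BUSY, LDAP_UNAVAILABLE}


def authenticate(uris, bind, retry_on_any_error=False):
    """Try uris in order; return (final result code, uris that checked the password).

    bind(uri) returns a libldap result code. retry_on_any_error=True reproduces
    the fan-out in the report: every reachable uri sees the same bad password.
    """
    checked = []
    rc = LDAP_SERVER_DOWN            # result if no uri could be reached
    for uri in uris:
        rc = bind(uri)
        if rc in RETRYABLE:
            continue                 # transport problem: next server
        checked.append(uri)          # this server evaluated the credentials
        if rc == LDAP_SUCCESS or not retry_on_any_error:
            break                    # authoritative answer: stop here
    return rc, checked


def fake_directory(rc_by_uri):
    """Constructed stand-in for libldap: each uri returns a fixed result code."""
    return lambda uri: rc_by_uri[uri]


URIS = ["ldaps://mydomainctrl1.mydomain.net", "ldaps://mydomainctrl2.mydomain.net",
        "ldaps://drdomainctrl1.mydomain.net", "ldaps://drdomainctrl2.mydomain.net"]

# Assumed scenario: the first DC is unreachable, the rest reject the password.
WRONG_PASSWORD = fake_directory({URIS[0]: LDAP_SERVER_DOWN,
                                 URIS[1]: LDAP_INVALID_CREDENTIALS,
                                 URIS[2]: LDAP_INVALID_CREDENTIALS,
                                 URIS[3]: LDAP_INVALID_CREDENTIALS})

if __name__ == "__main__":
    print(authenticate(URIS, WRONG_PASSWORD))                           # one password check
    print(authenticate(URIS, WRONG_PASSWORD, retry_on_any_error=True))  # three, as in the report
```

With the strict policy the unreachable first server costs nothing and the second server's rejection ends the attempt, so the user is charged one bad password; with retry_on_any_error the same wrong password is presented to every reachable controller, which is what makes a lockout threshold smaller than the uri count reachable from a single typo.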
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs