ldap.conf: 'pam_groupdn' being completely ignored?

Brian K. Jones jonesy at CS.Princeton.EDU
Wed Jan 7 15:40:46 UTC 2004


Back with more info regarding this problem.
For those just joining the thread, I'm having trouble finding evidence
that 'pam_groupdn' in /etc/ldap.conf is even being seen, much less
enforced on my Fedora box. I've seen nothing in the logs that shows a
search for the group at all. I've double checked that the group exists,
etc., etc. I've been learning and testing openldap for about a year now,
and this one has me stumped, partially because I'm not sure how to
figure out how to tell definitively if the variable is being rejected,
or not seen...

Here's my /etc/ldap.conf:
=====================================

host              ldap.my.domain,ldap2.my.domain
base              dc=my,dc=domain
pam_filter        objectclass=posixAccount
pam_groupdn       cn=techstaff,ou=Group,dc=my,dc=domain
pam_member_attribute memberuid
nss_base_passwd   ou=People,dc=my,dc=domain?one
nss_base_shadow   ou=People,dc=my,dc=domain?one
nss_base_group    ou=Group,dc=my,dc=domain?one
nss_base_netgroup ou=Netgroup,dc=my,dc=domain?one
ssl               start_tls
pam_password      md5
=======================================

And here's my /etc/pam.d/system-auth (used by sshd, which is my primary
testing application)
=======================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient    /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
====================================

rpm -qa | grep nss_ldap returns 'nss_ldap-207-3'
glibc is glibc-2.3.2-101

My /etc/nsswitch.conf file has been played with a bit to test 'compat'
functionality, which is also not functioning how I'd like - but that's
very secondary. For normal testing (like, now), it looks pretty
standard:

passwd: files ldap
shadow: files ldap
group:  files ldap

Finally, here are the ldap logs chronicling a successful login attempt
by someone in the appropriate group (they're no different from someone
logging in who is *not* in the appropriate group, btw).

===========================================================

Jan  7 10:36:29 ldap slapd[14646]: conn=201 fd=11 ACCEPT from IP=192.168.4.52:59061 (IP=0.0.0.0:389)
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=1 BIND dn="" method=128
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=3 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=4 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=5 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=6 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=6 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=7 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=7 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:29 ldap slapd[14646]: conn=201 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=202 fd=18 ACCEPT from IP=192.168.33.55:33841 (IP=0.0.0.0:389)
Jan  7 10:36:29 ldap slapd[14646]: conn=202 op=1 BIND dn="" method=128
Jan  7 10:36:29 ldap slapd[14646]: conn=202 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=202 op=2 SRCH base="ou=Netgroup,dc=my,dc=domain" scope=1 filter="(&(objectClass=nisNetgroup)(cn=trusted_root))"
Jan  7 10:36:29 ldap slapd[14646]: conn=202 op=2 SRCH attr=cn nisNetgroupTriple memberNisNetgroup
Jan  7 10:36:29 ldap slapd[14646]: conn=202 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=202 op=3 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan  7 10:36:29 ldap slapd[14646]: conn=202 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:29 ldap slapd[14646]: conn=202 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=202 fd=18 closed
Jan  7 10:36:29 ldap slapd[14646]: conn=203 fd=18 ACCEPT from IP=192.168.33.55:33843 (IP=0.0.0.0:389)
Jan  7 10:36:29 ldap slapd[14646]: conn=203 op=1 BIND dn="" method=128
Jan  7 10:36:29 ldap slapd[14646]: conn=203 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=203 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan  7 10:36:29 ldap slapd[14646]: conn=203 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:29 ldap slapd[14646]: conn=203 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:29 ldap slapd[14646]: conn=203 op=3 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=shadowAccount)(uid=jonesy))"
Jan  7 10:36:29 ldap slapd[14646]: conn=203 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Jan  7 10:36:29 ldap slapd[14646]: conn=203 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=



===============================================

This is where I enter the password and press 'enter', and then the
following occurs.

===============================================

Jan  7 10:36:44 ldap slapd[14646]: conn=203 op=4 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan  7 10:36:44 ldap slapd[14646]: conn=203 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:44 ldap slapd[14646]: conn=203 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=203 op=5 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=shadowAccount)(uid=jonesy))"
Jan  7 10:36:44 ldap slapd[14646]: conn=203 op=5 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Jan  7 10:36:44 ldap slapd[14646]: conn=203 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=204 fd=19 ACCEPT from IP=192.168.33.55:33844 (IP=0.0.0.0:389)
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=1 BIND dn="" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=3 BIND dn="cn=jonesy,ou=People,dc=my,dc=domain" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=3 BIND dn="cn=jonesy,ou=People,dc=my,dc=domain" mech=simple ssf=0
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=3 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=4 BIND anonymous mech=implicit ssf=0
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=4 BIND dn="" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=4 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=203 fd=18 closed
Jan  7 10:36:44 ldap slapd[14646]: conn=204 fd=19 closed
Jan  7 10:36:44 ldap slapd[14646]: conn=205 fd=18 ACCEPT from IP=192.168.33.55:33846 (IP=0.0.0.0:389)
Jan  7 10:36:44 ldap slapd[14646]: conn=205 op=1 BIND dn="" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=205 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=205 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan  7 10:36:44 ldap slapd[14646]: conn=205 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:44 ldap slapd[14646]: conn=205 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=205 op=3 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=shadowAccount)(uid=jonesy))"
Jan  7 10:36:44 ldap slapd[14646]: conn=205 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Jan  7 10:36:44 ldap slapd[14646]: conn=205 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=205 fd=18 closed
Jan  7 10:36:44 ldap slapd[14646]: conn=206 fd=18 ACCEPT from IP=192.168.33.55:33847 (IP=0.0.0.0:389)
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=1 BIND dn="" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=2 SRCH base="dc=my,dc=domain" scope=2 filter="(uid=jonesy)"
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=3 SRCH base="ou=Group,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixGroup)(|(memberUid=jonesy)(uniqueMember=cn=jonesy,ou=people,dc=my,dc=domain)))"
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Jan  7 10:36:44 ldap slapd[14646]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=3 SEARCH RESULT tag=101 err=0 nentries=7 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=4 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=5 UNBIND
Jan  7 10:36:44 ldap slapd[14646]: conn=206 fd=18 closed
Jan  7 10:36:44 ldap slapd[14646]: conn=207 fd=18 ACCEPT from IP=192.168.33.55:33848 (IP=0.0.0.0:389)
Jan  7 10:36:44 ldap slapd[14646]: conn=207 op=1 BIND dn="" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=207 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=207 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan  7 10:36:44 ldap slapd[14646]: conn=207 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:44 ldap slapd[14646]: conn=207 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=208 fd=19 ACCEPT from IP=192.168.33.55:33850 (IP=0.0.0.0:389)
Jan  7 10:36:44 ldap slapd[14646]: conn=208 op=1 BIND dn="" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=208 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=208 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan  7 10:36:44 ldap slapd[14646]: conn=208 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:44 ldap slapd[14646]: conn=208 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=209 fd=20 ACCEPT from IP=192.168.33.55:33851 (IP=0.0.0.0:389)
Jan  7 10:36:44 ldap slapd[14646]: conn=209 op=1 BIND dn="" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=209 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=209 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan  7 10:36:44 ldap slapd[14646]: conn=209 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:44 ldap slapd[14646]: conn=209 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=210 fd=21 ACCEPT from IP=192.168.33.55:33852 (IP=0.0.0.0:389)
Jan  7 10:36:44 ldap slapd[14646]: conn=210 op=1 BIND dn="" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=210 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=210 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan  7 10:36:44 ldap slapd[14646]: conn=210 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:44 ldap slapd[14646]: conn=210 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=210 fd=21 closed
Jan  7 10:36:44 ldap slapd[14646]: conn=211 fd=21 ACCEPT from IP=192.168.33.55:33853 (IP=0.0.0.0:389)
Jan  7 10:36:44 ldap slapd[14646]: conn=211 op=1 BIND dn="" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=211 op=1 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=211 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan  7 10:36:44 ldap slapd[14646]: conn=211 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 10:36:44 ldap slapd[14646]: conn=211 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=211 fd=21 closed
====================================================

As you can see, there's nothing here that looks like it's searching for
the group referenced in the ldap.conf file at all.

Any clues?
brian.



On Tue, 2004-01-06 at 15:30, Bevan C. Bennett wrote:
> Brian Jones wrote:
> > Thanks a lot for the prompt reply. This is, essentially, what I'm trying 
> > to do. However, I'd rather do all the configuration in one place if I can.
> 
> I think the main reason I ended up doing it with pam_access was for a 
> server where I need users to be able to authenticate (through pam_ldap) 
> to other services, but didn't want them logging in directly through ssh.
> 
> IIRC, pam_groupdn will restrict access for all services that reference 
> pam_ldap.
> 
> > My first choice is to do it using pam_groupdn, because then it's only 
> > one file that gets altered (/etc/ldap.conf). I don't really see a reason 
> > for it not to work, unless an RPM was goofed up or my config is wrong, 
> > which is hard to do being that it's ONE key/value pair.
> 
> If I understand correctly, you haven't changed the LDAP server any, and 
> this works on a RH9 box with the same ldap.conf file? Do the pam_ldap 
> entries differ substantially between the two boxes in the relevant 
> /etc/pam.d/* files (probably system-auth)?
> 
> > My second option is to use 'compat' mode and reference a netgroup 
> > (stored in LDAP) in my passwd/shadow files. This doesn't seem to be as 
> > straightforward as I thought it might be. I can see the searches going 
> > by for the netgroup, but the filter isn't being 'OR'd with a uid of any 
> > kind.
> 
> That sounds nasty and kludgy.
> 
> > Your idea is already on the list of stuff that I *can* do if I'm 
> > cornered, but this workaround doesn't address why the initial problem 
> > occurs. Option one was easy in RH 9, option 2 works in RH ES/AS/WS, 
> > option 3 will probably work, but this is horribly inconsistent and gives 
> > the appearance of flakiness. I was hoping not to have to tear open 
> > source rpms and code, but...
> 
> Very true, but it's always good to have options. Why do you say that 
> using pam_access gives the appearance of flakiness? I've found it to be 
> robust on servers running RH7.3 through FC1.
> 
> Let's see if we can narrow down your pam_groupdn problems better. 
> Discussing whether or not pam_groupdn is the best solution to your 
> particular environment is a rather different (although potentially 
> interesting) discussion that we can leave for later.
> 
> -Bevan Bennett
> 
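Added example (editor's note, not code from the post, from pam_ldap or from OpenLDAP): the question above is "how do I tell definitively whether the group is ever looked at?", and the slapd stats log can answer it mechanically. The script below parses the `conn=N op=M ...` lines in the format shown above and reports every operation that touches the DN given as `pam_groupdn`. It assumes pam_ldap performs the membership test with an LDAP compare against the group entry, which slapd logs as a `CMP dn="..." attr="..."` line rather than a `SRCH`; in case a build searches the group instead, a search whose base is the group DN, or whose filter names the group, is reported as well. The sample lines are taken from the post (the connections from 192.168.33.55, the Fedora box; conn=201 came from a different client, 192.168.4.52); the single `CMP` line is constructed to show what a hit looks like and mirrors OpenLDAP's compare log format (err=6 compareTrue, err=5 compareFalse).

```python
"""Report pam_groupdn activity in slapd stats-level (loglevel 256) log lines."""
import re

GROUPDN = "cn=techstaff,ou=Group,dc=my,dc=domain"   # pam_groupdn from the posted ldap.conf
MEMBER_ATTRIBUTE = "memberUid"                       # pam_member_attribute from the same file

# Matches the operation lines of interest (SRCH base=..., CMP dn=..., BIND dn=...).
# The 'SRCH attr=...' continuation lines and the RESULT lines are skipped on purpose.
OP_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>SRCH|CMP|BIND) '
    r'(?:base|dn)="(?P<dn>[^"]*)"'
    r'(?: scope=(?P<scope>\d+))?'
    r'(?: filter="(?P<filter>[^"]*)")?'
    r'(?: attr="(?P<attr>[^"]*)")?'
)


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ops(lines):
    """Yield one dict per parsed operation line, in log order."""
    for line in lines:
        m = OP_RE.search(line)
        if m:
            yield m.groupdict()


def group_checks(lines, groupdn=GROUPDN):
    """Return the operations that could be a pam_groupdn membership test."""
    target = normalize_dn(groupdn)
    rdn = target.split(",", 1)[0]                     # 'cn=techstaff'
    hits = []
    for op in parse_ops(lines):
        dn = normalize_dn(op["dn"])
        flt = (op["filter"] or "").lower()
        if op["kind"] == "CMP" and dn == target:       # compare on the group entry
            hits.append(op)
        elif op["kind"] == "SRCH" and (dn == target or rdn in flt):
            hits.append(op)                            # search rooted at, or naming, the group
    return hits


def summarize(lines):
    """Compact per-operation view: (conn, op, kind, dn, filter)."""
    return [(o["conn"], o["op"], o["kind"], o["dn"], o["filter"] or "") for o in parse_ops(lines)]


# Lines from the post, rejoined where the mail client had wrapped them.
POSTED = """\
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=3 BIND dn="cn=jonesy,ou=People,dc=my,dc=domain" method=128
Jan  7 10:36:44 ldap slapd[14646]: conn=204 op=3 RESULT tag=97 err=0 text=
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=2 SRCH base="dc=my,dc=domain" scope=2 filter="(uid=jonesy)"
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=3 SRCH base="ou=Group,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixGroup)(|(memberUid=jonesy)(uniqueMember=cn=jonesy,ou=people,dc=my,dc=domain)))"
Jan  7 10:36:44 ldap slapd[14646]: conn=206 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
""".splitlines()

# Constructed, NOT from the post: what a pam_groupdn compare would look like in the
# same log (assumption: tag=111 is compareResponse, err=6 compareTrue).
CONSTRUCTED_HIT = [
    'Jan  7 10:36:44 ldap slapd[14646]: conn=212 op=2 CMP dn="cn=techstaff,ou=Group,dc=my,dc=domain" attr="memberUid"',
    'Jan  7 10:36:44 ldap slapd[14646]: conn=212 op=2 RESULT tag=111 err=6 text=',
]

if __name__ == "__main__":
    for conn, op, kind, dn, flt in summarize(POSTED + CONSTRUCTED_HIT):
        print(f"conn={conn} op={op} {kind:4} {dn} {flt}")
    print("group check in posted lines:", bool(group_checks(POSTED)))
    print("group check with constructed CMP:", bool(group_checks(POSTED + CONSTRUCTED_HIT)))
```

Run it over the full slapd log (`grep 'slapd\[' /var/log/messages | python3 groupcheck.py`-style, after swapping the embedded sample for `sys.stdin`) and an empty result from `group_checks` means no client ever asked the directory about that group during the login; that is stronger evidence than eyeballing the searches, and it distinguishes "never checked" from "checked and allowed", which look identical in a successful login.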
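A second added example (editor's note; not code from the post or from Linux-PAM): whatever phase pam_ldap does its `pam_groupdn` test in, a module that is never called cannot enforce anything, so it is worth seeing which modules of the posted system-auth actually run. The simulator below implements the control-flag semantics documented in pam.conf(5): `required`, `requisite`, `sufficient` and `optional` are the documented shorthands for `[value=action]` lists, and the actions `ok`, `done`, `bad`, `die` and `ignore` are applied to each module's return value (`reset` and numeric skip actions are left out). The return code each module produces is an assumption the caller supplies; the post's logs do not show them. The log does show pam_ldap's auth component being reached (the `BIND dn="cn=jonesy,..."` on conn=204), which is consistent with the auth stack: a `sufficient` pam_unix that fails is ignored and the stack moves on. In the account stack, by contrast, pam_ldap sits behind a `sufficient` pam_unix, and the simulation shows both outcomes.

```python
"""Walk a PAM stack with pam.conf(5) control-flag semantics and report which modules ran."""

# Shorthand controls as pam.conf(5) defines them in terms of [value=action].
SHORTHAND = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """'[default=bad success=ok ...]' or a shorthand word -> {return value: action}."""
    control = SHORTHAND.get(control, control)
    return dict(item.split("=", 1) for item in control.strip("[]").split())


def parse_stack(text, phase):
    """Extract (control, module) pairs for one phase from pam.d file text.
    A bracketed control contains spaces, so it is cut out before the module is split off."""
    stack = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if not fields or fields[0].startswith("#") or fields[0] != phase:
            continue
        rest = fields[1].strip()
        if rest.startswith("["):
            end = rest.index("]") + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, rest = rest.split(None, 1)
        module = rest.split()[0].rsplit("/", 1)[-1]      # drop /lib/security/$ISA/
        stack.append((control, module))
    return stack


def run_stack(stack, results):
    """Return (status PAM hands back, modules that were actually called).
    results maps module name -> the return value it is assumed to produce."""
    status, failed, called = None, False, []
    for control, module in stack:
        rc = results[module]
        called.append(module)
        actions = parse_control(control)
        action = actions.get(rc, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if not failed:                               # a recorded failure is never overridden
                status = rc
                if action == "done":                     # 'sufficient' success: stop right here
                    return status, called
        elif action in ("bad", "die"):
            if not failed:                               # the first failure decides the status
                failed, status = True, rc
            if action == "die":
                return status, called
    # If every module was ignored Linux-PAM reports a failure rather than success.
    return (status if status is not None else "perm_denied"), called


# The auth and account phases of the posted /etc/pam.d/system-auth, wrapped line rejoined.
SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient    /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""


def simulate(phase, results, text=SYSTEM_AUTH):
    return run_stack(parse_stack(text, phase), results)


if __name__ == "__main__":
    # The module return values below are assumed for illustration only.
    print(simulate("account", {"pam_unix.so": "success", "pam_ldap.so": "perm_denied"}))
    print(simulate("account", {"pam_unix.so": "user_unknown", "pam_ldap.so": "perm_denied"}))
    print(simulate("auth", {"pam_env.so": "success", "pam_unix.so": "auth_err",
                            "pam_ldap.so": "success", "pam_deny.so": "auth_err"}))
```

The first account case returns success after calling only pam_unix.so: pam_ldap.so is never consulted, so nothing it would refuse can take effect. The second case, where pam_unix.so reports the user as unknown, falls through to pam_ldap.so and its verdict decides. Which of the two actually happens for an LDAP-only account on this box is exactly what a `pam_ldap` debug run, or the compare-hunting script above, would settle.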





More information about the fedora-list mailing list