Operating System - HP-UX
02-25-2010 09:31 AM
PAM_AUTHZ floods Directory Server
Hi,
I am trying to get authorization working with pam_authz. When a user tries to log in to a host via ssh or telnet and they exist in the authorization group for the host, the directory server (CentOS DS - virtually identical to RHDS) gets flooded with queries. All of the queries appear successful. However, the user is unable to log in and an error is logged on the host.
Here are the relevant parts of my configs and error messages (sensitive information removed).
Directory Server access log sample:
[25/Feb/2010:08:51:59 -0800] conn=4984 op=79367 RESULT err=0 tag=101 nentries=1 etime=0
[25/Feb/2010:08:51:59 -0800] conn=4984 op=79368 SRCH base="cn=host,ou=hostgroups,dc=my,dc=domain,dc=com" scope=0 filter="(&(cn=*)(|(member=uid=user,ou=People,dc=my,dc=domain,dc=com)(uniqueMember=uid=user,ou=People,dc=my,dc=domain,dc=com)))" attrs="cn "
[25/Feb/2010:08:51:59 -0800] conn=4984 op=79368 RESULT err=0 tag=101 nentries=1 etime=0
[25/Feb/2010:08:51:59 -0800] conn=4984 op=79369 SRCH base="cn=host,ou=hostgroups,dc=my,dc=domain,dc=com" scope=0 filter="(&(cn=*)(|(member=uid=user,ou=People,dc=my,dc=domain,dc=com)(uniqueMember=uid=user,ou=People,dc=my,dc=domain,dc=com)))" attrs="cn "
[25/Feb/2010:08:51:59 -0800] conn=4984 op=79369 RESULT err=0 tag=101 nentries=1 etime=0
[25/Feb/2010:08:51:59 -0800] conn=4984 op=79370 SRCH base="cn=host,ou=hostgroups,dc=my,dc=domain,dc=com" scope=0 filter="(&(cn=*)(|(member=uid=user,ou=People,dc=my,dc=domain,dc=com)(uniqueMember=uid=user,ou=People,dc=my,dc=domain,dc=com)))" attrs="cn "
[25/Feb/2010:08:51:59 -0800] conn=4984 op=79370 RESULT err=0 tag=101 nentries=1 etime=0
Host syslog.log:
Feb 25 08:52:00 host sshd[20683]: query daemon return failure status 7
Feb 25 08:52:00 host sshd[20683]: PAM_AUTHZ: Result: Encountered process error
Feb 25 08:52:01 host sshd[20683]: error: PAM: Permission denied for user from remotehost.my.domain.com
/etc/opt/ldapux/pam_authz.policy on the host:
allow:unix_local_user
allow:ldap_group:cn=host,ou=hostgroups,dc=my,dc=domain,dc=com
deny:other
Account management portion of /etc/pam.conf on the host:
login account required /usr/lib/security/libpam_authz.1
login account sufficient /usr/lib/security/libpam_ldap.1
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_authz.1
su account sufficient /usr/lib/security/libpam_ldap.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_authz.1
dtlogin account sufficient /usr/lib/security/libpam_ldap.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_authz.1
dtaction account sufficient /usr/lib/security/libpam_ldap.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_authz.1
ftp account sufficient /usr/lib/security/libpam_ldap.1
ftp account required /usr/lib/security/libpam_unix.1
sshd account required /usr/lib/security/libpam_authz.1 debug
sshd account sufficient /usr/lib/security/libpam_ldap.1
sshd account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_authz.1
OTHER account sufficient /usr/lib/security/libpam_ldap.1
OTHER account required /usr/lib/security/libpam_unix.1
/etc/nsswitch.conf on the host:
passwd: files ldap
group: files ldap
hosts: dns files ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: ldap [NOTFOUND=return] files
netgroup: files ldap
automount: files ldap
aliases: files
services: files ldap
I have been unable to get anywhere on this for some time now, so any help is greatly appreciated!
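Added example, not from the thread: a small Python parser for 389/Red Hat DS-style access log lines like the ones posted above. It joins each SRCH to its RESULT and flags a connection that keeps re-issuing the same search, which is the flood the post describes (identical base, scope and filter, every RESULT err=0). The sample log is constructed to mirror the posted lines; the threshold is an assumption.

```python
import re
from collections import defaultdict

# One access-log line: "[ts] conn=N op=M SRCH ..." or "[ts] conn=N op=M RESULT ..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                     r'(?P<kind>SRCH|RESULT) (?P<rest>.*)$')
SRCH_RE = re.compile(r'base="(?P<base>[^"]*)" scope=(?P<scope>\d+) filter="(?P<filter>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')

def find_search_loops(log_text, threshold=3):
    """Group SRCH ops by (conn, base, scope, filter). Return the groups repeated
    at least `threshold` times, with how many of their RESULT lines had err=0."""
    groups = defaultdict(lambda: {"ops": set(), "ok": 0, "first": None, "last": None})
    op_key = {}  # (conn, op) -> group key, so a RESULT can be joined to its SRCH
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op = m["conn"], m["op"]
        if m["kind"] == "SRCH":
            s = SRCH_RE.search(m["rest"])
            if not s:
                continue
            key = (conn, s["base"], s["scope"], s["filter"])
            g = groups[key]
            g["ops"].add(op)
            g["first"] = g["first"] or m["ts"]
            g["last"] = m["ts"]
            op_key[(conn, op)] = key
        else:
            key = op_key.get((conn, op))
            e = ERR_RE.search(m["rest"])
            if key and e and e["err"] == "0":
                groups[key]["ok"] += 1
    return [{"conn": c, "base": b, "scope": sc, "filter": f, "count": len(g["ops"]),
             "successful": g["ok"], "first": g["first"], "last": g["last"]}
            for (c, b, sc, f), g in groups.items() if len(g["ops"]) >= threshold]

# Constructed sample: the posted loop (conn=4984, four ops, all err=0) plus one
# ordinary single lookup on another connection that must not be flagged.
FLOOD_FILTER = ('(&(cn=*)(|(member=uid=user,ou=People,dc=my,dc=domain,dc=com)'
                '(uniqueMember=uid=user,ou=People,dc=my,dc=domain,dc=com)))')
SAMPLE_LOG = "\n".join(
    f'[25/Feb/2010:08:51:59 -0800] conn=4984 op={op} {kind}'
    for op in range(79368, 79372)
    for kind in (f'SRCH base="cn=host,ou=hostgroups,dc=my,dc=domain,dc=com" scope=0 '
                 f'filter="{FLOOD_FILTER}" attrs="cn "',
                 'RESULT err=0 tag=101 nentries=1 etime=0')
) + ('\n[25/Feb/2010:08:52:05 -0800] conn=5001 op=3 SRCH base="ou=People,dc=my,dc=domain,dc=com"'
     ' scope=2 filter="(uid=user)" attrs="uid "\n'
     '[25/Feb/2010:08:52:05 -0800] conn=5001 op=3 RESULT err=0 tag=101 nentries=1 etime=0')

if __name__ == "__main__":
    for loop in find_search_loops(SAMPLE_LOG):
        print(f'conn={loop["conn"]} repeated {loop["count"]}x ({loop["successful"]} ok) '
              f'base={loop["base"]} scope={loop["scope"]} {loop["first"]} .. {loop["last"]}')
```

A loop of successful searches from a single connection is the signature to alert on here; a burst of err!=0 results would point at a directory-side error instead.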
3 REPLIES
02-25-2010 03:23 PM
Re: PAM_AUTHZ floods Directory Server
Some additional information...
I am using LDAPUX version B.04.20 on HP-UX 11.11.
The problem seems to be within ldapclientd. It will often crash or sit and eat CPU continuously after this happens.
Running ldapclientd with -d 511 yields this repeatedly:
[Feb/25/2010 14:11:54 10:pam_authz_request.c:1603:process_pam_authz_ldap_request: _hp_ldap_find_first search_base cn=host,ou=HostGroups,dc=my,dc=domain,dc=com search_scope 0 search_filter (cn=*)
filter_fragment (|(member=uid=user,ou=People,dc=my,dc=domain,dc=com)(uniquemember=uid=user,ou=People,dc=my,dc=domain,dc=com))]
02-26-2010 12:20 PM
Re: PAM_AUTHZ floods Directory Server
Problem Solved! I eventually got around to switching the default server in the profile to my secondary master and found that it worked. I went through and synced up my primary using my secondary's settings and it started to work with the primary. Eventually I narrowed it down to the idle timeout value, which must be at least 5 seconds. I am still not sure why it was an issue as the connection was never idle - it was continuously executing the same query hundreds or even thousands of times.
I welcome any plausible explanations for this other than a possible bug in CentOS DS 8.1. Anyway, just for the record, if anyone else has a similar problem with CentOS DS 8.1 or a similar directory server such as 389 DS (aka Fedora DS) or Red Hat DS, you should try increasing the idle timeout to _at least_ 5 seconds (or 0 to disable timeouts). Lower values don't work; I tried them all.
03-02-2010 05:39 PM
Re: PAM_AUTHZ floods Directory Server
Hello Michael. This is a bug in LDAP-UX's pam_authz, and a fix is planned for the next release.
Regarding your workaround, I suspect that with an idle timeout of 5 seconds, you will still hit the error condition if you wait 5 seconds between entering the login name and the password. I would suggest a longer idle timeout in Directory Server, perhaps long enough to match the login timeout.