Home / server / Questions / 454625
Accepted
Andrey Sapegin
Asked: 2012-12-04 09:00:14 +0800 CST

pam_ldap.so before pam_unix.so? Is it ever possible?

  • 772

we have a couple of servers with PAM+LDAP.

The configuration is standard (see http://arthurdejong.org/nss-pam-ldapd/setup or http://wiki.debian.org/LDAP/PAM). For example, /etc/pam.d/common-auth contains:

auth sufficient pam_unix.so nullok_secure
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

And, of course, it works for both ldap and local users. But every login goes first to pam_unix.so, fails, and only then tries pam_ldap.so successfully. As a result, we have a well-known failure message for every single ldap user login:

pam_unix(<some_service>:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<some_host>  user=<some_user>

I have up to 60000 of such log messages per day and I want to change the configuration so, that PAM will try ldap authentication first, and only if it fails - try pam_unix.so (I think it can improve the i/o performance of the server). But if I change common-auth to the following:

auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_unix.so nullok_secure
auth required pam_deny.so

Then I simply can't login anymore with local (non-ldap) user (e.g., via ssh).

Does somebody know the right configuration? Why Debian and nss-pam-ldapd have pam_unix.so at first by default? Is there really no way to change it?

Thank you in advance.

P.S. I don't want to disable logs, but want to set ldap authentication on the first place.

unix

4 Answers

  1. If local and network users are in separate uid ranges (which is a good idea), you may add a line like this one (supposing local users are in range 0-4999):

    auth [success=1 default=ignore] pam_succeed_if.so uid >= 5000 quiet

    before the pam_unix.so line. It will pass 1 line if uid >= 4999. It will go directly to pam_ldap.so.

    And you have to change pam_ldap.so use_first_pass to pam_ldap.so or pam_ldap.so try_first_pass if you don't have a line that ask for the password before pam_ldap.so.

    I'd test with :

    auth [success=1 default=ignore] pam_succeed_if.so uid >= 4999 quiet
auth sufficient pam_unix.so nullok_secure
auth requisite pam_succeed_if.so uid >= 4999 quiet
auth sufficient pam_ldap.so
auth required pam_deny.so
    • 1
  2. Best Answer

    hayalci answered it in the comment:

    auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok_secure try_first_pass
auth required pam_deny.so
    • 1

  3. Your: 

    auth sufficient pam_unix.so nullok_secure  
auth requisite pam_succeed_if.so uid >= 1000 quiet  
auth sufficient pam_ldap.so use_first_pass  
auth required pam_deny.so

    Change to: (use_first_pass means use the password from the preceding module, which is pam_ldap.so) 

    auth sufficient pam_ldap.so  
auth requisite pam_succeed_if.so uid >= 1000 quiet  
auth sufficient pam_unix.so use_first_pass nullok_secure  
auth required pam_deny.so

    Disavantage (for hpux): If your ldap server hang (sync attack; see https://fedorahosted.org/389/ticket/47554 ) your client will hang as well, it happens for HPUX servers (not linux and aix; hpux process named ldapclientd). It means all login (even as root from ILO/MP) is blocked. Solution is reboot the server :-(. So I prefer pam_unix before pam_ldap on hpux

    • 0

  4. I would like to say this solution worked for me! I was having the same issue using free-ipa, and using this setup in my /etc/pam.d/system-auth file avoided the extra "authentication failure" errors:

    auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
    • -2