[Bug 951343] Re: authentication fails silently with long pam_authz_search filter

[Chris J Arges]

This bug originally affected oneiric, and also affects precise. It has
been fixed in upstream and is currently in quantal. This patch does NOT
apply to lucid. I have added my bzr branch of the package with the fixes
in this bug so that they can be merged as an SRU. Thanks

** Also affects: nss-pam-ldapd (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Tags added: oneiric precise

** Changed in: nss-pam-ldapd (Ubuntu Precise)
     Assignee: (unassigned) => Chris J Arges (christopherarges)

** Changed in: nss-pam-ldapd (Ubuntu Oneiric)
   Importance: Undecided => Medium

** Changed in: nss-pam-ldapd (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: nss-pam-ldapd (Ubuntu Oneiric)
       Status: New => In Progress

** Changed in: nss-pam-ldapd (Ubuntu Precise)
       Status: New => In Progress

** Branch linked: lp:~christopherarges/ubuntu/oneiric/nss-pam-ldapd/nss-
pam-ldapd

** Branch linked: lp:~christopherarges/ubuntu/precise/nss-pam-ldapd/nss-
pam-ldapd

** Description changed:

- Linux clients that use ldap authentication with nslcd and a long
- pam_authz_search filter will see authentication fail silently
+ [Impact]
+ Linux clients that use ldap authentication with nslcd and a long 
pam_authz_search filter will see authentication fail silently
  
  $ lsb_release -rd
  Description:  Ubuntu 11.10
  Release:      11.10
  
  version:
  nss-pam-ldapd-0.7.13
  
  expected:
- Logging to indicate that the max filter length had been exceeded. 
+ Logging to indicate that the max filter length had been exceeded.
  
  actual:
  authentication fails silently
  
  workaround:
  Increase max filter length. char_filter_buffer in pam.c can be increased to 
4096 bytes allowing for a longer search filter
  
+ [Test Case]
  reproduction steps:
  
  modify entry for 127.0.1.1 in /etc/hosts so the example.com dc is used by 
slapd
  EX:
  x.x.x.x       server1
  change to:
  x.x.x.x       server1.example.com     server1
  
  apt-get install nslcd # set search base "dc=example,dc=com". then select all 
for services use ldap lookups when configuring libnss-ldapd.
  apt-get install slapd
  dpkg-reconfigure slapd # dns name "example.com"
  apt-get install migrationtools
  
  turn on ldap authentication using pam-auth-update
  
  stop nslcd and slapd. We'll start them in debug mode
  
  /etc/init.d/nslcd stop
  /etc/init.d/slapd stop
  
  migrate users to ldap. edit /etc/migrationtools/migrate_common.ph and change:
  $DEFAULT_MAIL_DOMAIN = "example.com";
  $DEFAULT_BASE = "dc=example,dc=com";
  
  then run commands to create ldif exports of group and passwd
  /usr/share/migrationtools/migrate_group.pl /etc/group ~/group.ldif
  /usr/share/migrationtools/migrate_passwd.pl /etc/passwd ~/passwd.ldif
  
  edit ~/people_group.ldif adding contents:
  dn: ou=People, dc=example, dc=com
  ou: People
  objectclass: organizationalUnit
  
  dn: ou=Group, dc=example, dc=com
  ou: Group
  objectclass: organizationalUnit
  
  import data into ldap:
  ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/people_group.ldif
  ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/group.ldif
  ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/passwd.ldif
  
  edit /etc/nslcd.conf adding pam_authz_search filter
  pam_authz_search 
(&(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount)(objectClass=posixAccount))
  
  open 2 new terminals and become root
  
  in one terminal run nslcd in debug mode:
  nslcd -d
  
  in second terminal run slapd in debug mode:
  slapd -d -1
  
  in your original terminal attempt to sudo to a user other than root and
  watch the debug output in the slapd and nslcd terminals:
  
  sudo su ubuntu
  
  look for output in nslcd terminal "DEBUG: trying pam_authz_search" in
  nslcd terminal indicating filter is being used
  
  increase search string beyond 1024 buffer and note that we're no longer
  seeing "Trying pam_authz_search" in the nslcd output and that
  authentication fails silently
+ 
+ [Regression Potential]
+ This just increases the buffer size from 1024 to 4096, it is already applied 
in Quantal, and this SRU simply increases this buffer size.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/951343

Title:
  authentication fails silently with long pam_authz_search filter

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss-pam-ldapd/+bug/951343/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs