[Bug 562388] [NEW] Authentication failure on successful login when using LDAP authentication

Mike Conigliaro mike at conigliaro.org
Tue Apr 13 17:02:58 BST 2010


Public bug reported:

Binary package hint: libpam-ldap

I've configured LDAP authentication for my ubuntu 9.10 clients using the
following (recommended?) method:

# /usr/sbin/auth-client-config -p lac_ldap -t nss
# echo libpam-runtime libpam-runtime/profiles multiselect unix, ldap, consolekit | /usr/bin/debconf-set-selections
# /usr/sbin/pam-auth-update --package

Now LDAP authentication works fine, but I see authentication failures
like the following in my logs:

Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=example.com  user=mikec
Apr 13 15:35:38 example01 sshd[15860]: Accepted password for mikec from 1.2.3.4 port 49507 ssh2
Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:session): session opened for user mikec by (uid=0)

As you can see, a failure message is always logged even though
authentication was successful. Is this the expected behavior?

I'm not a PAM expert, so I don't completely understand what's happening
in /etc/pam.d/common-auth, but since this only occurs for LDAP users, my
hunch is that local auth is attempted first (which fails and logs the
above error message), then LDAP auth is attempted and succeeds. If
that's the case, is there a way to suppress the failure from the local
auth attempt? This is important for packages like fail2ban which rely on
these log messages. At the moment, it's possible to get locked out of a
machine by having too many *successful* logins.

** Affects: libpam-ldap (Ubuntu)
     Importance: Undecided
         Status: New

** Summary changed:

- Authentication failures on sucessful login when using LDAP authentication
+ Authentication failure on successful login when using LDAP authentication

-- 
Authentication failure on successful login when using LDAP authentication
https://bugs.launchpad.net/bugs/562388
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libpam-ldap in ubuntu.
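As an added example (not part of the bug report), a small Python post-filter that discards a pam_unix(sshd:auth) failure when the same sshd PID later logs an Accepted line for the same user, which is exactly the pattern in the report's log excerpt. The first three sample lines are the report's own; the fourth, a genuine failure, is constructed.

```python
import re
from collections import defaultdict

# Regexes for the two sshd/PAM line shapes quoted in the report.
_PAM_FAIL = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure;"
    r".*?\buser=(?P<user>\S+)"          # \b skips the empty "ruser=" field
)
_ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted \w+ for (?P<user>\S+) from (?P<rhost>\S+)"
)

SAMPLE_LOG = [
    # Lines from the report (PID 15860): pam_unix fails, then the login succeeds.
    "Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=example.com  user=mikec",
    "Apr 13 15:35:38 example01 sshd[15860]: Accepted password for mikec from 1.2.3.4 port 49507 ssh2",
    "Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:session): session opened for user mikec by (uid=0)",
    # Constructed: a bad-password attempt that is never followed by an Accepted line.
    "Apr 13 15:36:02 example01 sshd[15901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=mikec",
]


def genuine_failures(lines):
    """Return the pam_unix failure lines NOT redeemed by an 'Accepted' for the
    same sshd PID and user.

    One sshd PID handles one connection, so a failure that is followed by a
    success for the same user in that PID is the pam_unix-then-pam_ldap
    artefact the report describes, not evidence of a wrong password.
    """
    accepted = defaultdict(set)   # pid -> users accepted in that connection
    failures = []                 # (pid, user, raw line), in log order
    for line in lines:
        m = _ACCEPTED.search(line)
        if m:
            accepted[m["pid"]].add(m["user"])
            continue
        m = _PAM_FAIL.search(line)
        if m:
            failures.append((m["pid"], m["user"], line))
    return [line for pid, user, line in failures if user not in accepted[pid]]


if __name__ == "__main__":
    for line in genuine_failures(SAMPLE_LOG):
        print(line)   # only the PID 15901 line survives
```

Because it needs to see the later Accepted line, this runs as an offline post-processor over a log excerpt rather than as a per-line match rule.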
