Authentication failure on successful login when using LDAP authentication

Asked by Mike C on 2010-04-13

Binary package hint: libpam-ldap

I've configured LDAP authentication for my Ubuntu 9.10 clients using the following (recommended?) method:

# /usr/sbin/auth-client-config -p lac_ldap -t nss
# echo libpam-runtime libpam-runtime/profiles multiselect unix, ldap, consolekit | /usr/bin/debconf-set-selections
# /usr/sbin/pam-auth-update --package

Now LDAP authentication works fine, but I see authentication failures like the following in my logs:

Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=example.com user=mikec
Apr 13 15:35:38 example01 sshd[15860]: Accepted password for mikec from 1.2.3.4 port 49507 ssh2
Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:session): session opened for user mikec by (uid=0)

As you can see, a failure message is always logged even though authentication was successful. Is this the expected behavior?

I'm not a PAM expert, so I don't completely understand what's happening in /etc/pam.d/common-auth, but since this only occurs for LDAP users, my hunch is that local auth is attempted first (which fails and logs the above error message), then LDAP auth is attempted and succeeds. If that's the case, is there a way to suppress the failure from the local auth attempt? This is important for packages like fail2ban which rely on these log messages. At the moment, it's possible to get locked out of a machine by having too many *successful* logins.

Question information

Language: English
Status: Answered
For: Ubuntu libpam-ldap
Assignee: No assignee
Last query: 2010-04-13
Last reply: 2010-04-14
Thierry Carrez (ttx) said : #1

Not a bug, rather a question.

Thierry Carrez (ttx) said : #2

From http://kbase.redhat.com/faq/docs/DOC-17374:

This is expected behavior from pam_unix and the message is normal and harmless.

There is no configuration option within pam_unix to stop logging those messages. The only way to stop logging that message is to configure syslog to ignore messages of priority notice or lower sent to the authpriv facility. Note that this might result in a lot of other useful messages being ignored.

The default PAM configuration tries to authenticate a user using pam_unix.so first, then using pam_ldap.so if authentication with pam_unix.so fails.

If PAM can't authenticate a user using pam_unix.so, it logs a message of auth failure and passes control to pam_ldap, which authenticates the user successfully.
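The stacking described in the answer (pam_unix fails and logs, pam_ldap then succeeds, sshd reports "Accepted password" for the same process) means the pam_unix line on its own is not evidence of a failed login. The following is an added example, not code from the question, the answer or the libpam-ldap package: it correlates each pam_unix failure with the next verdict sshd writes for the same PID and counts only attempts that sshd itself reports as "Failed". The sample log is constructed; its first three lines are the ones quoted in the question, the rest are made-up lines for a genuine failure from the invented address 5.6.7.8.

```python
import re
from collections import defaultdict

# Constructed sample log. Lines 1-3 are the ones from the question (LDAP user
# mikec: pam_unix logs a failure, pam_ldap succeeds, sshd logs "Accepted").
# Lines 4-7 are made up and show a real failure, which sshd reports as "Failed".
SAMPLE_LOG = """\
Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=example.com user=mikec
Apr 13 15:35:38 example01 sshd[15860]: Accepted password for mikec from 1.2.3.4 port 49507 ssh2
Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:session): session opened for user mikec by (uid=0)
Apr 13 15:40:02 example01 sshd[15901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.6.7.8 user=bob
Apr 13 15:40:04 example01 sshd[15901]: Failed password for bob from 5.6.7.8 port 40111 ssh2
Apr 13 15:40:06 example01 sshd[15901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.6.7.8 user=bob
Apr 13 15:40:08 example01 sshd[15901]: Failed password for bob from 5.6.7.8 port 40111 ssh2
"""

# The pam_unix line: what a naive fail2ban-style filter keys on (note that
# rhost may be a reverse-resolved name rather than the client IP).
PAM_FAIL = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure;"
    r".*\brhost=(?P<rhost>\S*)"
)
# sshd's own verdict lines. These are written once per attempt after the whole
# PAM stack has run, so they reflect the real outcome.
ACCEPTED = re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def naive_failures(lines):
    """Count every pam_unix authentication failure per rhost.

    This is what bites LDAP users: their successful logins are counted too.
    """
    counts = defaultdict(int)
    for line in lines:
        m = PAM_FAIL.search(line)
        if m:
            counts[m.group("rhost")] += 1
    return dict(counts)


def correlated_failures(lines):
    """Count failures per client IP, using sshd's verdict rather than pam_unix's.

    A pam_unix failure is held as 'pending' for its PID. The next verdict from
    the same sshd process resolves it: "Accepted" means a later module (here
    pam_ldap) authenticated the user, so the pending failure is dropped;
    "Failed" means the whole stack rejected the attempt, so it is counted.
    A "Failed" line with no pending pam_unix entry (e.g. a public-key failure)
    is still counted, because sshd's verdict is the authoritative signal.
    """
    pending = {}  # pid -> rhost from the unresolved pam_unix failure
    counts = defaultdict(int)
    for line in lines:
        m = PAM_FAIL.search(line)
        if m:
            pending[m.group("pid")] = m.group("rhost")
            continue
        m = ACCEPTED.search(line)
        if m:
            pending.pop(m.group("pid"), None)  # LDAP fallback succeeded: not a failure
            continue
        m = FAILED.search(line)
        if m:
            pending.pop(m.group("pid"), None)
            counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("naive      :", naive_failures(lines))       # counts mikec's good login
    print("correlated :", correlated_failures(lines))  # only bob's two real failures
```

On the sample above the naive count reports one failure for example.com (mikec's successful LDAP login) and two for 5.6.7.8, while the correlated count reports only the two genuine failures from 5.6.7.8. The practical consequence for fail2ban is the same as what the code does: if the sshd filter matches the pam_unix "authentication failure" line, remove that pattern and rely on sshd's own "Failed ... for ... from <ip>" line, which is only written when the entire PAM stack has rejected the attempt.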
