On 11/04/2013 04:12 PM, Rich Megginson wrote:
Looks like you do not have the right debuginfo packages installed. But
there may be enough information in the stack trace anyway.
Your pam script is waiting:
Thread 11 (Thread 0x7f60c97ea700 (LWP 10146)):
#0 0x00007f60f0b4209d in waitpid () from /lib64/libpthread.so.0
No symbol table info available.
#1 0x00007f60e033f2c1 in ?? () from /lib/security/pam_script.so
No symbol table info available.
#2 0x00007f60e033f68a in pam_sm_authenticate () from
/lib/security/pam_script.so
No symbol table info available.
#3 0x00007f60e8aa2cee in ?? () from /lib64/libpam.so.0
No symbol table info available.
#4 0x00007f60e8aa2600 in pam_authenticate () from /lib64/libpam.so.0
No symbol table info available.
#5 0x00007f60e8cb1e24 in ?? () from
/usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so
No symbol table info available.
#6 0x00007f60e8cb22ca in pam_passthru_do_pam_auth () from
/usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so
No symbol table info available.
It holds the lock in pam_passthru_do_pam_auth which causes all of the
other threads to block.
Why is the script not exiting?
It hangs within my Perl script (attached). Debug output from the script:
Nov 4 18:51:36 pdap pam_script_auth[12278]: PAM env: PAM_RUSER=
PAM_SERVICE=ldapserver PAM_TYPE=auth
PAM_USER=uid=semik2,ou=People,dc=perun-shadow,dc=cesnet,dc=cz
PAM_AUTHTOK=*hidden* PAM_TTY= PAM_OLDAUTHTOK= PAM_RHOST=
Nov 4 18:51:36 pdap pam_script_auth[12278]: PAM new
Nov 4 18:51:36 pdap pam_script_auth[12278]: PAM bind: start
The script opens an anonymous connection to the LDAP server and tries to search
the subentries of the user who is trying to bind.
In access log I see:
> ...
[04/Nov/2013:18:51:36 +0300] conn=146 op=0 BIND dn="uid=semik14,ou=People,dc=perun-shadow,dc=cesnet,dc=cz" method=128 version=3
[04/Nov/2013:18:51:36 +0300] conn=136 op=0 BIND dn="uid=semik26,ou=People,dc=perun-shadow,dc=cesnet,dc=cz" method=128 version=3
[04/Nov/2013:18:51:36 +0300] conn=124 op=0 BIND dn="uid=semik24,ou=People,dc=perun-shadow,dc=cesnet,dc=cz" method=128 version=3
[04/Nov/2013:18:51:36 +0300] conn=137 op=0 BIND dn="uid=semik23,ou=People,dc=perun-shadow,dc=cesnet,dc=cz" method=128 version=3
[04/Nov/2013:18:51:36 +0300] conn=144 op=0 BIND dn="uid=semik15,ou=People,dc=perun-shadow,dc=cesnet,dc=cz" method=128 version=3
[04/Nov/2013:18:51:36 +0300] conn=143 op=0 BIND dn="uid=semik30,ou=People,dc=perun-shadow,dc=cesnet,dc=cz" method=128 version=3
[04/Nov/2013:18:51:36 +0300] conn=151 fd=95 slot=95 connection from 127.0.0.1 to 127.0.0.1
There are 30 binds to semik<1-30> and it ends with a connection from/to
localhost. Silence after that.
Inside the script it successfully creates a connection and hangs on the anonymous
bind. This call never completes. Any idea? Is there some limit of max 30
binding connections at once? Or something like that?
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
#!/usr/bin/perl -w
# pam_script auth helper: looks for an appPassword subentry below the binding
# user's DN whose altUserPassword matches PAM_AUTHTOK.
use strict;
use Net::LDAPS;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Sys::Syslog qw(:standard :macros);
use Net::LDAP::Util qw(escape_filter_value);

my $prg_name = $0;
$prg_name =~ s/.*\///;

my $ldap_host = 'localhost';
my $ldap_port = 389;

# Names of the environment variables pam_script hands to us
my $pam_user     = 'PAM_USER';
my $pam_type     = 'PAM_TYPE';
my $pam_password = 'PAM_AUTHTOK';

# Replace non-ASCII bytes with a \0xHH marker so the syslog line stays readable
sub syslog_escape {
    my $str = shift;
    my @chr = split(//, $str);
    for (my $i = 0; $i < @chr; $i++) {
        if (ord($chr[$i]) > 127) {
            $chr[$i] = sprintf('\0x%X', ord($chr[$i]));
        }
    }
    return join('', @chr);
}

sub logger {
    my $priority = shift;
    my $msg      = shift;
    openlog($prg_name, 'pid', LOG_LOCAL0);
    # Pass the message as an argument rather than as the format string, so a
    # '%' inside a DN or password is never interpreted as a printf directive
    syslog($priority, '%s', syslog_escape($msg));
    closelog();
}

sub local_die {
    logger(LOG_ERR, @_);
    die;
}

# Log all PAM_* env variables we got from the LDAP server, hiding the password
sub log_pam_env {
    my @out;
    foreach my $key (keys %ENV) {
        next unless ($key =~ /^PAM_/);
        if ($key eq 'PAM_AUTHTOK') {
            if (exists $ENV{$key}) {
                if ($ENV{$pam_password} eq '') {
                    push @out, "$key=";
                } else {
                    push @out, "$key=*hidden*";
                }
            }
        } else {
            push @out, "$key=" . $ENV{$key};
        }
    }
    logger(LOG_ERR, 'PAM env: ' . join(' ', @out));
}

log_pam_env();

logger(LOG_ERR, 'PAM new');
my $ldaps = Net::LDAP->new($ldap_host, port => $ldap_port) or die "$@";

logger(LOG_ERR, 'PAM bind: start');
my $conn = $ldaps->bind;    # an anonymous bind; this is the call that hangs
logger(LOG_ERR, 'PAM bind: finished');

unless ($ENV{$pam_user}) {
    local_die "Missing $pam_user in environment";
}
unless ($ENV{$pam_type}) {
    local_die "Missing $pam_type in environment";
}
unless ($ENV{$pam_password}) {
    if ($ENV{$pam_type} eq 'auth') {
        local_die "Missing $pam_password in environment";
    }
}

my $filter = '(objectClass=appPassword)';
if ($ENV{$pam_type} eq 'auth') {
    $filter = "(&$filter(altUserPassword=" . escape_filter_value($ENV{$pam_password}) . "))";
}
logger(LOG_ERR, $filter);

logger(LOG_ERR, 'PAM search');
my $mesg = $ldaps->search(    # search below the binding user's own entry
    base   => $ENV{$pam_user},
    filter => $filter,
);
if ($mesg->code == LDAP_SUCCESS) {
    foreach my $entry ($mesg->entries) {
        # TODO: add the description of the password that matched
        logger(LOG_ERR, 'Matched: ' . $entry->dn);
        exit 0;
    }
    local_die('Invalid password.');
} else {
    local_die $mesg->error;
}

# We should never get here
local_die('This should not happen.');
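Added here as an example, not code from the mail or from 389-ds: a Python pass over access-log lines in the quoted format that reports BINDs with no RESULT and accepted connections with no operation logged, which is how the thirty stuck binds and the silent loopback connection above would show up. The worker-thread count is an assumption passed in by the caller, and the sample log lines are constructed.

```python
import re
# Patterns for the three 389-ds access-log line types quoted in the mail.
BIND_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) RESULT err=(\d+)')
CONN_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)')
ANY_OP_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=\d+ ')

def inflight_binds(lines):
    """Map (conn, op) -> bind DN for every BIND that has no RESULT line yet."""
    pending = {}
    for line in lines:
        if (m := BIND_RE.match(line)):
            pending[(int(m[1]), int(m[2]))] = m[3]
        elif (m := RESULT_RE.match(line)):
            pending.pop((int(m[1]), int(m[2])), None)
    return pending

def idle_new_connections(lines):
    """Accepted connections that never logged an op, as {conn: (src, dst)}.
    The script's own loopback connection looks like this while no worker
    thread is free to read its anonymous bind."""
    opened, active = {}, set()
    for line in lines:
        if (m := CONN_RE.match(line)):
            opened[int(m[1])] = (m[2], m[3])
        elif (m := ANY_OP_RE.match(line)):
            active.add(int(m[1]))
    return {c: peer for c, peer in opened.items() if c not in active}

def starvation_report(lines, worker_threads):
    """worker_threads is a caller-supplied assumption (the server's
    nsslapd-threadnumber); the mail does not state its value."""
    pending = inflight_binds(lines)
    idle = idle_new_connections(lines)
    return {
        'pending_binds': len(pending),
        'all_workers_busy': len(pending) >= worker_threads,
        'idle_loopback_conns': sorted(c for c, (src, _) in idle.items() if src == '127.0.0.1'),
    }

# Constructed sample in the quoted format: three binds, one of them completed,
# then a loopback connection that never gets an operation logged.
SAMPLE_LOG = [
    '[04/Nov/2013:18:51:36 +0300] conn=146 op=0 BIND dn="uid=semik14,ou=People,dc=example,dc=org" method=128 version=3',
    '[04/Nov/2013:18:51:36 +0300] conn=136 op=0 BIND dn="uid=semik26,ou=People,dc=example,dc=org" method=128 version=3',
    '[04/Nov/2013:18:51:36 +0300] conn=124 op=0 BIND dn="uid=semik24,ou=People,dc=example,dc=org" method=128 version=3',
    '[04/Nov/2013:18:51:36 +0300] conn=124 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
    '[04/Nov/2013:18:51:36 +0300] conn=151 fd=95 slot=95 connection from 127.0.0.1 to 127.0.0.1',
]
```

Run it against a real access log with the server's configured thread count; when pending_binds reaches that count and a loopback connection sits idle, every worker is parked in the PAM call and the script's own bind can never be serviced.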
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users