[Date Prev][Date Next] [Chronological] [Thread] [Top]

Strange LDAP searches for time, IP address and system users

To: openldap-technical@openldap.org
Subject: Strange LDAP searches for time, IP address and system users
From: MI <mi.lists.ldap@alma.ch>
Date: Thu, 3 Dec 2015 17:32:41 +0100
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=alma.ch; s=mail20150624; t=1449160362; bh=EgmxlTzDO4vE3RTrrlyyeeFr1or+4buYQdca0qGDmtE=; h=From:Subject:To:Date:From; b=kIXEU4oORTztdewBEcT90x9TnXevW2F5yeU+o9cQvVfFvXT11nCQ7K5wQAMQyMY+E qdtKGcNwwr8C77fFnCscFxtkrlgKbRgFbtpLeenyAmghkyB9POBwI1x+FTjtBzoTR3 Cw0owwPkPPUc5CPqhelcMWimhniWLp0XBvlptTO8=
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0

I see very strange searches in my slapd.log, and wonder what I my have misconfigured.

On every SSH connection (with ssh key, not password) :

Search for the TTY:

slapd[3183]: conn=1000 op=307 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=pts/2))"slapd[3183]: conn=1000 op=307 SRCH attr=uid userPassword uidNumber gidNumber cnhomeDirectory loginShell gecos description objectClass


For the date:

slapd[3183]: conn=1000 op=308 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=2015-12-03))"


The time:

slapd[3183]: conn=1000 op=309 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=16:28))"


The IP:

slapd[3183]: conn=1000 op=310 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=\28192.168.99.206\29))"



(But I don't see "uid=root" when logging in over SSH with a key.)

I wouldn't expect to see a search for "root", since it's a system account, and I usea key, so I would expect LDAP to be completely out of the picture.


However, I do see many searches in the logs for other system accounts:

    filter="(&(objectClass=posixAccount)(uid=www-data))"
    filter="(&(objectClass=posixAccount)(uid=man))"
    filter="(&(objectClass=posixAccount)(uid=root))"
    filter="(&(objectClass=posixAccount)(uid=postfix))"
    filter="(&(objectClass=posixAccount)(uid=debian-spamd))"
    filter="(&(objectClass=posixAccount)(uid=amavis))"
    filter="(&(objectClass=posixAccount)(uid=\2A))"
    ...

Most seem to be triggered by the standard system cron jobs or service restarts etc.

The system is Debian 8.2 "Jessie". The following packages related to ldap or pam areinstalled:


    ldap-utils                        2.4.40+dfsg-1+deb8u1
    libaprutil1-ldap:amd64            1.5.4-1
    libldap-2.4-2:amd64               2.4.40+dfsg-1+deb8u1
    libnss-ldap:amd64                 265-3+b1
    libpam0g:amd64                    1.1.8-3.1
    libpam-ldap:amd64                 184-8.7+b1
    libpam-modules:amd64              1.1.8-3.1
    libpam-modules-bin                1.1.8-3.1
    libpam-runtime                    1.1.8-3.1
    nscd                              2.19-18+deb8u1
    slapd                             2.4.40+dfsg-1+deb8u1

At this point, it's difficult for me to know what may be relevant, so I'm afraid Ihave to paste a lot of stuff here in the hope that it includes some clue for someone...


# egrep 'cache|check' /etc/nscd.conf
    enable-cache        passwd        yes
    check-files         passwd        yes
    enable-cache        group        yes
    check-files         group        yes
    enable-cache        hosts        yes
    check-files         hosts        yes
    enable-cache        services    yes
    check-files         services    yes
    enable-cache        netgroup    yes
    check-files         netgroup    yes

# grep ldap /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

# listconf /etc/pam_ldap.conf
host 127.0.0.1
base dc=mydomain,dc=lan
ldap_version 3
rootbinddn cn=admin,dc=mydomain,dc=lan
pam_password crypt

# listconf /etc/pam.d/common-auth
auth    [success=2 default=ignore]    pam_unix.so nullok_secure
auth    [success=1 default=ignore]    pam_ldap.so use_first_pass
auth    requisite            pam_deny.so
auth    required            pam_permit.so

# listconf /etc/pam.d/common-account
account    [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
account    [success=1 default=ignore]    pam_ldap.so
account    requisite            pam_deny.so
account    required            pam_permit.so

# listconf /etc/pam.d/common-password
password    [success=2 default=ignore]    pam_unix.so obscure sha512

password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtoktry_first_pass

password    requisite            pam_deny.so
password    required            pam_permit.so

# listconf /etc/pam.d/common-session
session    [default=1]            pam_permit.so
session    requisite            pam_deny.so
session    required            pam_permit.so
session    required    pam_unix.so
session    optional            pam_ldap.so

My LDAP olcLogLevel is "filter stats sync". Please let me know if the other lines ofthat log may be useful, or if other log levels should be enabled (I tried, but didn'tnotice anything interesting).

Well, if you have read so far, now is the time to tell me that this is all uselessand that I should have posted that other essential config file which I missed ... :-)


Thanks for any help in solving this mystery,

MI

Prev by Date: Re: RE24 testing call (2.4.43)
Next by Date: Re: RE24 testing call (2.4.43)
Index(es):
- Chronological
- Thread