[Date Prev][Date Next] [Chronological] [Thread] [Top]

Strange LDAP searches for time, IP address and system users

I see very strange searches in my slapd.log, and wonder what I my have misconfigured.

On every SSH connection (with ssh key, not password) :

Search for the TTY:

slapd[3183]: conn=1000 op=307 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=pts/2))" slapd[3183]: conn=1000 op=307 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

For the date:

slapd[3183]: conn=1000 op=308 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=2015-12-03))"

The time:

slapd[3183]: conn=1000 op=309 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=16:28))"

The IP:

slapd[3183]: conn=1000 op=310 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=\28192.168.99.206\29))"

(But I don't see "uid=root" when logging in over SSH with a key.)

I wouldn't expect to see a search for "root", since it's a system account, and I use a key, so I would expect LDAP to be completely out of the picture.

However, I do see many searches in the logs for other system accounts:


Most seem to be triggered by the standard system cron jobs or service restarts etc.

The system is Debian 8.2 "Jessie". The following packages related to ldap or pam are installed:

    ldap-utils                        2.4.40+dfsg-1+deb8u1
    libaprutil1-ldap:amd64            1.5.4-1
    libldap-2.4-2:amd64               2.4.40+dfsg-1+deb8u1
    libnss-ldap:amd64                 265-3+b1
    libpam0g:amd64                    1.1.8-3.1
    libpam-ldap:amd64                 184-8.7+b1
    libpam-modules:amd64              1.1.8-3.1
    libpam-modules-bin                1.1.8-3.1
    libpam-runtime                    1.1.8-3.1
    nscd                              2.19-18+deb8u1
    slapd                             2.4.40+dfsg-1+deb8u1

At this point, it's difficult for me to know what may be relevant, so I'm afraid I have to paste a lot of stuff here in the hope that it includes some clue for someone...

# egrep 'cache|check' /etc/nscd.conf
    enable-cache        passwd        yes
    check-files         passwd        yes
    enable-cache        group        yes
    check-files         group        yes
    enable-cache        hosts        yes
    check-files         hosts        yes
    enable-cache        services    yes
    check-files         services    yes
    enable-cache        netgroup    yes
    check-files         netgroup    yes

# grep ldap /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

# listconf /etc/pam_ldap.conf
base dc=mydomain,dc=lan
ldap_version 3
rootbinddn cn=admin,dc=mydomain,dc=lan
pam_password crypt

# listconf /etc/pam.d/common-auth
auth    [success=2 default=ignore]    pam_unix.so nullok_secure
auth    [success=1 default=ignore]    pam_ldap.so use_first_pass
auth    requisite            pam_deny.so
auth    required            pam_permit.so

# listconf /etc/pam.d/common-account
account    [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
account    [success=1 default=ignore]    pam_ldap.so
account    requisite            pam_deny.so
account    required            pam_permit.so

# listconf /etc/pam.d/common-password
password    [success=2 default=ignore]    pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password    requisite            pam_deny.so
password    required            pam_permit.so

# listconf /etc/pam.d/common-session
session    [default=1]            pam_permit.so
session    requisite            pam_deny.so
session    required            pam_permit.so
session    required    pam_unix.so
session    optional            pam_ldap.so

My LDAP olcLogLevel is "filter stats sync". Please let me know if the other lines of that log may be useful, or if other log levels should be enabled (I tried, but didn't notice anything interesting).

Well, if you have read so far, now is the time to tell me that this is all useless and that I should have posted that other essential config file which I missed ... :-)

Thanks for any help in solving this mystery,