I see very strange searches in my slapd.log, and wonder what I may have misconfigured.
On every SSH connection (with ssh key, not password):
Search for the TTY:
slapd[3183]: conn=1000 op=307 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=pts/2))"
slapd[3183]: conn=1000 op=307 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
For the date:
slapd[3183]: conn=1000 op=308 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=2015-12-03))"
The time:
slapd[3183]: conn=1000 op=309 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=16:28))"
The IP:
slapd[3183]: conn=1000 op=310 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=\28192.168.99.206\29))"
(But I don't see "uid=root" when logging in over SSH with a key.)
I wouldn't expect to see a search for "root", since it's a system account, and I use a key, so I would expect LDAP to be completely out of the picture.
However, I do see many searches in the logs for other system accounts:
filter="(&(objectClass=posixAccount)(uid=www-data))"
filter="(&(objectClass=posixAccount)(uid=man))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=debian-spamd))"
filter="(&(objectClass=posixAccount)(uid=amavis))"
filter="(&(objectClass=posixAccount)(uid=\2A))"
...
Most seem to be triggered by the standard system cron jobs or service restarts etc.
The system is Debian 8.2 "Jessie". The following packages related to ldap or pam are installed:
ldap-utils               2.4.40+dfsg-1+deb8u1
libaprutil1-ldap:amd64   1.5.4-1
libldap-2.4-2:amd64      2.4.40+dfsg-1+deb8u1
libnss-ldap:amd64        265-3+b1
libpam0g:amd64           1.1.8-3.1
libpam-ldap:amd64        184-8.7+b1
libpam-modules:amd64     1.1.8-3.1
libpam-modules-bin       1.1.8-3.1
libpam-runtime           1.1.8-3.1
nscd                     2.19-18+deb8u1
slapd                    2.4.40+dfsg-1+deb8u1
At this point, it's difficult for me to know what may be relevant, so I'm afraid I have to paste a lot of stuff here in the hope that it includes some clue for someone...
# egrep 'cache|check' /etc/nscd.conf
enable-cache passwd yes
check-files passwd yes
enable-cache group yes
check-files group yes
enable-cache hosts yes
check-files hosts yes
enable-cache services yes
check-files services yes
enable-cache netgroup yes
check-files netgroup yes

# grep ldap /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap

# listconf /etc/pam_ldap.conf
host 127.0.0.1
base dc=mydomain,dc=lan
ldap_version 3
rootbinddn cn=admin,dc=mydomain,dc=lan
pam_password crypt

# listconf /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

# listconf /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so

# listconf /etc/pam.d/common-password
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so

# listconf /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
My LDAP olcLogLevel is "filter stats sync". Please let me know if the other lines of that log may be useful, or if other log levels should be enabled (I tried, but didn't notice anything interesting).
Well, if you have read so far, now is the time to tell me that this is all useless and that I should have posted that other essential config file which I missed ... :-)
Thanks for any help in solving this mystery,
MI
openldap-technical@openldap.org
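
Added example, not part of the original post: a small triage script for the kind of slapd SRCH lines quoted above. It decodes the \XX escapes in each uid= assertion and groups the values by what they look like (tty, date, time, IP address, wildcard, plausible account name). The function names, the username pattern and the conn/op numbers on the last three sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the first four filters are the ones quoted in the post;
# the conn/op numbers on the last three lines are made up.
SAMPLE_LOG = r'''
slapd[3183]: conn=1000 op=307 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=pts/2))"
slapd[3183]: conn=1000 op=308 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=2015-12-03))"
slapd[3183]: conn=1000 op=309 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=16:28))"
slapd[3183]: conn=1000 op=310 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=\28192.168.99.206\29))"
slapd[3183]: conn=1001 op=12 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=www-data))"
slapd[3183]: conn=1001 op=13 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
slapd[3183]: conn=1001 op=14 SRCH base="dc=mydomain,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=\2A))"
'''

UID_RE = re.compile(r'\(uid=((?:[^()\\]|\\[0-9A-Fa-f]{2})*)\)')
ESCAPE_RE = re.compile(r'\\([0-9A-Fa-f]{2})')

# Checked in order. The username pattern is an assumption (lowercase POSIX-style names).
PATTERNS = [
    ("tty", re.compile(r'(pts/\d+|tty\w*)')),
    ("date", re.compile(r'\d{4}-\d{2}-\d{2}')),
    ("time", re.compile(r'\d{1,2}:\d{2}(:\d{2})?')),
    ("ip-address", re.compile(r'\(?\d{1,3}(\.\d{1,3}){3}\)?')),
    ("wildcard", re.compile(r'\*')),
    ("plausible-username", re.compile(r'[a-z_][a-z0-9_-]*\$?')),
]

def unescape(value):
    """Decode the \\XX hex escapes slapd logs in filter values (ASCII only here)."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)

def classify(uid):
    """Return the label of the first pattern that matches the whole value."""
    for label, pattern in PATTERNS:
        if pattern.fullmatch(uid):
            return label
    return "other"

def triage(log_text):
    """Group every uid= assertion found in filter lines by its label."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if 'filter="' not in line:
            continue
        for match in UID_RE.finditer(line):
            uid = unescape(match.group(1))
            groups[classify(uid)].append(uid)
    return dict(groups)

if __name__ == "__main__":
    for label, uids in triage(SAMPLE_LOG).items():
        print(f"{label:20} {uids}")
```

Everything outside the "plausible-username" group is a value that some process passed to a passwd lookup even though it is not an account name.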