
List:       pamldap
Subject:    [pamldap] bind_timelimit?
From:       Josh Lothian <lothian () cs ! utk ! edu>
Date:       2005-06-20 18:05:21
Message-ID: 20050620180521.GA18892 () woodchuck ! cs ! utk ! edu

Hey all,

I'm using OpenLDAP 2.2.26 as a server, and Red Hat WS 3 with their
pam_ldap.  Can't quite figure out their version, but I'm getting the
same issue with pam_ldap-176 from another box.

From what I can make out, pam_ldap isn't respecting the bind_timelimit
setting at all.  On the client I get:

<snip>
Jun 20 14:01:18 client sshd(pam_unix)[4205]: check pass; user unknown
Jun 20 14:01:18 client sshd(pam_unix)[4205]: authentication failure; logname= uid=0 \
                euid=0 tty=NODEVssh ruser= rhost=heimdall.ccs.ornl.gov
Jun 20 14:01:28 client sshd[4205]: pam_ldap: ldap_result Timed out
</snip>

and the server sees:
<snip>
Jun 20 14:01:18 server slapd[1436]: conn=51 op=1 BIND dn="" method=128
Jun 20 14:01:18 server slapd[1436]: conn=51 op=1 RESULT tag=97 err=0 text=
Jun 20 14:01:18 server slapd[1436]: conn=51 op=2 SRCH base="dc=my,dc=org" scope=2 \
                deref=0 filter="(uid=me)"
Jun 20 14:01:18 server slapd[1436]: conn=51 op=2 SEARCH RESULT tag=101 err=0 \
                nentries=1 text=
Jun 20 14:01:18 server slapd[1436]: conn=51 op=3 BIND \
                dn="uid=me,ou=People,dc=my,dc=org" method=128
Jun 20 14:01:28 server slapd[1436]: connection_input: conn=51 deferring operation: \
                binding
Jun 20 14:01:33 server slapd[1436]: conn=51 op=3 BIND \
                dn="uid=me,ou=People,dc=my,dc=org" mech=SIMPLE ssf=0
Jun 20 14:01:33 server slapd[1436]: conn=51 op=3 RESULT tag=97 err=0 text=
Jun 20 14:01:33 server slapd[1436]: conn=51 op=4 BIND anonymous mech=implicit ssf=0
Jun 20 14:01:33 server slapd[1436]: conn=51 op=4 BIND dn="" method=128
Jun 20 14:01:33 server slapd[1436]: conn=51 op=4 RESULT tag=97 err=0 text=
</snip>

But, in my ldap.conf for pam_ldap:
<snip>
bind_timelimit 120
</snip>

And just to be safe, in the ldap.conf for OpenLDAP:
<snip>
TIMELIMIT 120
</snip>

Unfortunately we're doing some weird authentication in the backend which
is currently taking longer than 10 seconds to complete successfully,
causing these problems.  Any idea why pam_ldap is apparently not
respecting the bind timelimit?

thanks

-jkl
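
Added example, not part of the original message: a Python sketch that pairs each slapd BIND request with its RESULT in the server log quoted above and reports the binds that outlasted the client's wait. The function names, the `year` argument and the 10-second threshold (read off the client timestamps 14:01:18 and 14:01:28) are assumptions of this example.

```python
import re
from datetime import datetime

# slapd lines quoted in the message above, with the wrapped lines joined.
SLAPD_LOG = """\
Jun 20 14:01:18 server slapd[1436]: conn=51 op=1 BIND dn="" method=128
Jun 20 14:01:18 server slapd[1436]: conn=51 op=1 RESULT tag=97 err=0 text=
Jun 20 14:01:18 server slapd[1436]: conn=51 op=2 SRCH base="dc=my,dc=org" scope=2 deref=0 filter="(uid=me)"
Jun 20 14:01:18 server slapd[1436]: conn=51 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 20 14:01:18 server slapd[1436]: conn=51 op=3 BIND dn="uid=me,ou=People,dc=my,dc=org" method=128
Jun 20 14:01:28 server slapd[1436]: connection_input: conn=51 deferring operation: binding
Jun 20 14:01:33 server slapd[1436]: conn=51 op=3 BIND dn="uid=me,ou=People,dc=my,dc=org" mech=SIMPLE ssf=0
Jun 20 14:01:33 server slapd[1436]: conn=51 op=3 RESULT tag=97 err=0 text=
Jun 20 14:01:33 server slapd[1436]: conn=51 op=4 BIND anonymous mech=implicit ssf=0
Jun 20 14:01:33 server slapd[1436]: conn=51 op=4 BIND dn="" method=128
Jun 20 14:01:33 server slapd[1436]: conn=51 op=4 RESULT tag=97 err=0 text=
"""

# A bind request is logged as 'BIND dn="..." method=N'; its response is
# 'RESULT tag=97'. Search results (tag=101) and the later 'mech=' lines are skipped.
LINE = re.compile(
    r'^(\w{3} +\d+ [\d:]{8}) \S+ slapd\[\d+\]: conn=(\d+) op=(\d+) '
    r'(BIND dn="([^"]*)" method=\d+|RESULT tag=97)')

def bind_latencies(log, year=2005):
    """Return [(conn, op, dn, seconds)] for each BIND request/response pair."""
    started, out = {}, []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; 'year' is supplied by the caller.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        key = (int(m.group(2)), int(m.group(3)))
        if m.group(4).startswith("BIND"):
            started[key] = (ts, m.group(5))
        elif key in started:
            t0, dn = started.pop(key)
            out.append((*key, dn, (ts - t0).total_seconds()))
    return out

def slow_binds(log, client_wait=10.0):
    """Binds that took longer than the client waited (assumed: 10 s)."""
    return [r for r in bind_latencies(log) if r[3] > client_wait]

if __name__ == "__main__":
    for conn, op, dn, secs in slow_binds(SLAPD_LOG):
        print(f"conn={conn} op={op} dn={dn!r} took {secs:.0f}s")
```
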

