← Back to team overview

touch-packages team mailing list archive

[Bug 1386194] [NEW] openLDAP creates persistent connections into universisty LDAP- this is unwanted by university administrators

 

Public bug reported:

openLDAP creates persistent connections into universisty LDAP- this is
unwanted by university administrators.


I have ldap.conf


cat /etc/ldap.conf
###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##

#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple \hosts may be specified, each separated by a 
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
#host ldap.stuba.sk ldap2.stuba.sk
host ldap.stuba.sk 


# The distinguished name of the search base.
base ou=People,dc=stuba,dc=sk
pam_template_login_attribute uid

# Another way to specify your LDAP server is to provide an
#uri ldapi://ldap.stuba.sk ldapi://ldap2.stuba.sk
#uri ldaps://ldap.stuba.sk ldaps://ldap2.stuba.sk

#TLS_REQCERT allow
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

REFERRALS off
TIMEOUT 60
NETWORK_TIMEOUT 60
TIMELIMIT 60


refferrals off
timeout 60
network_timeout 60
timelimit 60
persistent-search off

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn uid=fodrek,ou=People,dc=stuba,dc=sk

# The credentials to bind with. 
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
scope base

# Search timelimit
timelimit 1

# Bind/connect timelimit
bind_timelimit 12


# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

bind_policy soft

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

idle_timelimit 60
debug 99

# Filter to AND with uid=%s
#pam_filter objectclass=account
#pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
pam_check_host_attr no

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn ou=People,dc=stuba,dc=sk

# Group member attribute
#pam_member_attribute uniquemember
#pam_member_attribute uid

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
#nss_base_passwd	ou=People, 
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd		ou=People,dc=stuba,dc=sk?one
#nss_base_shadow		ou=People,dc=stuba,dc=sk?one
#nss_base_group		ou=People,dc=stuba,dc=sk?one
#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
#nss_base_services	ou=Services,dc=padl,dc=com?one
#nss_base_networks	ou=Networks,dc=padl,dc=com?one
#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
ssl on

# Netscape SDK SSL options
sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
#port=636

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
tls_checkpeer no

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/certs/stu_ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
#nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dhcpd,dirmngr,dnsmasq,games,gdm,gnats,hplip,irc,jetty,kdm,kernoops,libuuid,lightdm,list,login,lp,mail,man,messagebus,news,nslcd,ntp,openldap,postfix,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,tftp,usbmux,uucp,whoopsie,www-data
#nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dhcpd,dirmngr,dnsmasq,games,gdm,gnats,hplip,irc,jetty,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,nslcd,ntp,openldap,postfix,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,tftp,usbmux,uucp,whoopsie,www-data
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,debian-spamd,dhcpd,dirmngr,dnsmasq,games,gdm,gnats,hplip,irc,jetty,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,nslcd,ntp,openldap,postfix,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,tftp,usbmux,uucp,uuidd,whoopsie,www-data


and 

cat /etc/pam.d/login
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any 
# lingering context has been cleared. Without out this it is possible 
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
#session    required   pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the message of the day upon succesful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

auth sufficient 	pam_ldap.so  use_first_pass
#account sufficient 	pam_ldap.so
#password required 	pam_ldap.so

#password  sufficient	pam_ldap.so
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)


#account	[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]	pam_ldap.so 
password	[success=1 default=ignore]	pam_ldap.so try_first_pass
#auth	[success=1 default=ignore]	pam_ldap.so use_first_pass
#session	[success=ok default=ignore]	pam_ldap.so

account         sufficient                      pam_permit.so


cat /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so 
account	[success=1 default=ignore]	pam_ldap.so 
# here's the fallback if no module succeeds
#account	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
account	sufficient			pam_localuser.so 
#account	[default=bad success=ok user_unknown=ignore]	pam_sss.so 
# end of pam-auth-update config


 cat /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session	[default=1]			pam_permit.so
# here's the fallback if no module succeeds
#session	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
#session	required			pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional			pam_umask.so
# and here are more per-package modules (the "Additional" block)
session	required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
session	required	pam_unix.so 
#session	optional			pam_sss.so 
#session	optional			pam_ldap.so 
session	optional	pam_systemd.so 
session	optional	pam_ecryptfs.so unwrap
session	optional			pam_ck_connector.so nox11
# end of pam-auth-update config


cat /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password	requisite			pam_pwquality.so retry=3
password	[success=3 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
#password	sufficient			pam_sss.so use_authtok
#password	[success=1 user_unknown=ignore default=die]	pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
#password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
#password	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
password	optional	pam_gnome_keyring.so 
password	optional	pam_ecryptfs.so 
# end of pam-auth-update config


Myabe it is may fault to cause unwanted behaviour


I look forward hearing form you

Yours faithfully


Peter Fodrek

ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: ldap-utils 2.4.31-1+nmu2ubuntu11
ProcVersionSignature: Ubuntu 3.16.0-23.31-generic 3.16.4
Uname: Linux 3.16.0-23-generic x86_64
ApportVersion: 2.14.7-0ubuntu8
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Oct 27 15:14:23 2014
InstallationDate: Installed on 2014-09-10 (47 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
SourcePackage: openldap
SystemImageInfo:
 current build number: 0
 device name: ?
 channel: daily
 last update: Unknown
UpgradeStatus: Upgraded to utopic on 2014-10-24 (2 days ago)

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug utopic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1386194

Title:
  openLDAP creates persistent connections into universisty LDAP- this is
  unwanted by university administrators

Status in “openldap” package in Ubuntu:
  New

Bug description:
  openLDAP creates persistent connections into universisty LDAP- this is
  unwanted by university administrators.

  
  I have ldap.conf

  
  cat /etc/ldap.conf
  ###DEBCONF###
  ##
  ## Configuration of this file will be managed by debconf as long as the
  ## first line of the file says '###DEBCONF###'
  ##
  ## You should use dpkg-reconfigure to configure this file via debconf
  ##

  #
  # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
  #
  # This is the configuration file for the LDAP nameservice
  # switch library and the LDAP PAM module.
  #
  # PADL Software
  # http://www.padl.com
  #

  # Your LDAP server. Must be resolvable without using LDAP.
  # Multiple \hosts may be specified, each separated by a 
  # space. How long nss_ldap takes to failover depends on
  # whether your LDAP client library supports configurable
  # network or connect timeouts (see bind_timelimit).
  #host 127.0.0.1
  #host ldap.stuba.sk ldap2.stuba.sk
  host ldap.stuba.sk 

  
  # The distinguished name of the search base.
  base ou=People,dc=stuba,dc=sk
  pam_template_login_attribute uid

  # Another way to specify your LDAP server is to provide an
  #uri ldapi://ldap.stuba.sk ldapi://ldap2.stuba.sk
  #uri ldaps://ldap.stuba.sk ldaps://ldap2.stuba.sk

  #TLS_REQCERT allow
  # Unix Domain Sockets to connect to a local LDAP Server.
  #uri ldap://127.0.0.1/
  #uri ldaps://127.0.0.1/   
  #uri ldapi://%2fvar%2frun%2fldapi_sock/
  # Note: %2f encodes the '/' used as directory separator

  # The LDAP version to use (defaults to 3
  # if supported by client library)
  ldap_version 3

  REFERRALS off
  TIMEOUT 60
  NETWORK_TIMEOUT 60
  TIMELIMIT 60


  
  refferrals off
  timeout 60
  network_timeout 60
  timelimit 60
  persistent-search off

  # The distinguished name to bind to the server with.
  # Optional: default is to bind anonymously.
  #binddn uid=fodrek,ou=People,dc=stuba,dc=sk

  # The credentials to bind with. 
  # Optional: default is no credential.
  #bindpw secret

  # The distinguished name to bind to the server with
  # if the effective user ID is root. Password is
  # stored in /etc/ldap.secret (mode 600)
  #rootbinddn cn=manager,dc=padl,dc=com

  # The port.
  # Optional: default is 389.
  #port 389

  # The search scope.
  #scope sub
  #scope one
  scope base

  # Search timelimit
  timelimit 1

  # Bind/connect timelimit
  bind_timelimit 12

  
  # Reconnect policy: hard (default) will retry connecting to
  # the software with exponential backoff, soft will fail
  # immediately.
  #bind_policy hard

  bind_policy soft

  # Idle timelimit; client will close connections
  # (nss_ldap only) if the server has not been contacted
  # for the number of seconds specified below.
  #idle_timelimit 3600

  idle_timelimit 60
  debug 99

  # Filter to AND with uid=%s
  #pam_filter objectclass=account
  #pam_filter objectclass=posixAccount

  # The user ID attribute (defaults to uid)
  pam_login_attribute uid

  # Search the root DSE for the password policy (works
  # with Netscape Directory Server)
  #pam_lookup_policy yes

  # Check the 'host' attribute for access control
  # Default is no; if set to yes, and user has no
  # value for the host attribute, and pam_ldap is
  # configured for account management (authorization)
  # then the user will not be allowed to login.
  pam_check_host_attr no

  # Check the 'authorizedService' attribute for access
  # control
  # Default is no; if set to yes, and the user has no
  # value for the authorizedService attribute, and
  # pam_ldap is configured for account management
  # (authorization) then the user will not be allowed
  # to login.
  #pam_check_service_attr yes

  # Group to enforce membership of
  #pam_groupdn ou=People,dc=stuba,dc=sk

  # Group member attribute
  #pam_member_attribute uniquemember
  #pam_member_attribute uid

  # Specify a minium or maximum UID number allowed
  #pam_min_uid 0
  #pam_max_uid 0

  # Template login attribute, default template user
  # (can be overriden by value of former attribute
  # in user's entry)
  #pam_login_attribute userPrincipalName
  #pam_template_login_attribute uid
  #pam_template_login nobody

  # HEADS UP: the pam_crypt, pam_nds_passwd,
  # and pam_ad_passwd options are no
  # longer supported.
  #
  # Do not hash the password at all; presume
  # the directory server will do it, if
  # necessary. This is the default.
  pam_password md5

  # Hash password locally; required for University of
  # Michigan LDAP server, and works with Netscape
  # Directory Server if you're using the UNIX-Crypt
  # hash mechanism and not using the NT Synchronization
  # service. 
  #pam_password crypt

  # Remove old password first, then update in
  # cleartext. Necessary for use with Novell
  # Directory Services (NDS)
  #pam_password clear_remove_old
  #pam_password nds

  # RACF is an alias for the above. For use with
  # IBM RACF
  #pam_password racf

  # Update Active Directory password, by
  # creating Unicode password and updating
  # unicodePwd attribute.
  #pam_password ad

  # Use the OpenLDAP password change
  # extended operation to update the password.
  #pam_password exop

  # Redirect users to a URL or somesuch on password
  # changes.
  #pam_password_prohibit_message Please visit http://internal to change your password.

  # RFC2307bis naming contexts
  # Syntax:
  # nss_base_XXX		base?scope?filter
  # where scope is {base,one,sub}
  # and filter is a filter to be &'d with the
  # default filter.
  # You can omit the suffix eg:
  #nss_base_passwd	ou=People, 
  # to append the default base DN but this
  # may incur a small performance impact.
  nss_base_passwd		ou=People,dc=stuba,dc=sk?one
  #nss_base_shadow		ou=People,dc=stuba,dc=sk?one
  #nss_base_group		ou=People,dc=stuba,dc=sk?one
  #nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
  #nss_base_services	ou=Services,dc=padl,dc=com?one
  #nss_base_networks	ou=Networks,dc=padl,dc=com?one
  #nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
  #nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
  #nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
  #nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
  #nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
  #nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
  #nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one

  # attribute/objectclass mapping
  # Syntax:
  #nss_map_attribute	rfc2307attribute	mapped_attribute
  #nss_map_objectclass	rfc2307objectclass	mapped_objectclass

  # configure --enable-nds is no longer supported.
  # NDS mappings
  #nss_map_attribute uniqueMember member

  # Services for UNIX 3.5 mappings
  #nss_map_objectclass posixAccount User
  nss_map_objectclass shadowAccount User
  #nss_map_attribute uid msSFU30Name
  #nss_map_attribute uniqueMember msSFU30PosixMember
  #nss_map_attribute userPassword msSFU30Password
  #nss_map_attribute homeDirectory msSFU30HomeDirectory
  #nss_map_attribute homeDirectory msSFUHomeDirectory
  #nss_map_objectclass posixGroup Group
  #pam_login_attribute msSFU30Name
  #pam_filter objectclass=User
  #pam_password ad

  # configure --enable-mssfu-schema is no longer supported.
  # Services for UNIX 2.0 mappings
  #nss_map_objectclass posixAccount User
  #nss_map_objectclass shadowAccount user
  #nss_map_attribute uid msSFUName
  #nss_map_attribute uniqueMember posixMember
  #nss_map_attribute userPassword msSFUPassword
  #nss_map_attribute homeDirectory msSFUHomeDirectory
  #nss_map_attribute shadowLastChange pwdLastSet
  #nss_map_objectclass posixGroup Group
  #nss_map_attribute cn msSFUName
  #pam_login_attribute msSFUName
  #pam_filter objectclass=User
  #pam_password ad

  # RFC 2307 (AD) mappings
  #nss_map_objectclass posixAccount user
  #nss_map_objectclass shadowAccount user
  #nss_map_attribute uid sAMAccountName
  #nss_map_attribute homeDirectory unixHomeDirectory
  #nss_map_attribute shadowLastChange pwdLastSet
  #nss_map_objectclass posixGroup group
  #nss_map_attribute uniqueMember member
  #pam_login_attribute sAMAccountName
  #pam_filter objectclass=User
  #pam_password ad

  # configure --enable-authpassword is no longer supported
  # AuthPassword mappings
  #nss_map_attribute userPassword authPassword

  # AIX SecureWay mappings
  #nss_map_objectclass posixAccount aixAccount
  #nss_base_passwd ou=aixaccount,?one
  #nss_map_attribute uid userName
  #nss_map_attribute gidNumber gid
  #nss_map_attribute uidNumber uid
  #nss_map_attribute userPassword passwordChar
  #nss_map_objectclass posixGroup aixAccessGroup
  #nss_base_group ou=aixgroup,?one
  #nss_map_attribute cn groupName
  #nss_map_attribute uniqueMember member
  #pam_login_attribute userName
  #pam_filter objectclass=aixAccount
  #pam_password clear

  # Netscape SDK LDAPS
  ssl on

  # Netscape SDK SSL options
  sslpath /etc/ssl/certs

  # OpenLDAP SSL mechanism
  # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
  #ssl start_tls
  #ssl on
  #port=636

  # OpenLDAP SSL options
  # Require and verify server certificate (yes/no)
  # Default is to use libldap's default behavior, which can be configured in
  # /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
  # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
  #tls_checkpeer yes
  tls_checkpeer no

  # CA certificates for server certificate verification
  # At least one of these are required if tls_checkpeer is "yes"
  #tls_cacertfile /etc/ssl/certs/stu_ca.cert
  #tls_cacertdir /etc/ssl/certs

  # Seed the PRNG if /dev/urandom is not provided
  #tls_randfile /var/run/egd-pool

  # SSL cipher suite
  # See man ciphers for syntax
  #tls_ciphers TLSv1

  # Client certificate and key
  # Use these, if your server requires client authentication.
  #tls_cert
  #tls_key

  # Disable SASL security layers. This is needed for AD.
  #sasl_secprops maxssf=0

  # Override the default Kerberos ticket cache location.
  #krb5_ccname FILE:/etc/.ldapcache

  # SASL mechanism for PAM authentication - use is experimental
  # at present and does not support password policy control
  #pam_sasl_mech DIGEST-MD5
  #nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dhcpd,dirmngr,dnsmasq,games,gdm,gnats,hplip,irc,jetty,kdm,kernoops,libuuid,lightdm,list,login,lp,mail,man,messagebus,news,nslcd,ntp,openldap,postfix,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,tftp,usbmux,uucp,whoopsie,www-data
  #nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dhcpd,dirmngr,dnsmasq,games,gdm,gnats,hplip,irc,jetty,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,nslcd,ntp,openldap,postfix,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,tftp,usbmux,uucp,whoopsie,www-data
  nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,debian-spamd,dhcpd,dirmngr,dnsmasq,games,gdm,gnats,hplip,irc,jetty,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,nslcd,ntp,openldap,postfix,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,tftp,usbmux,uucp,uuidd,whoopsie,www-data

  
  and 

  cat /etc/pam.d/login
  #
  # The PAM configuration file for the Shadow `login' service
  #

  # Enforce a minimal delay in case of failure (in microseconds).
  # (Replaces the `FAIL_DELAY' setting from login.defs)
  # Note that other modules may require another minimal delay. (for example,
  # to disable any delay, you should add the nodelay option to pam_unix)
  auth       optional   pam_faildelay.so  delay=3000000

  # Outputs an issue file prior to each login prompt (Replaces the
  # ISSUE_FILE option from login.defs). Uncomment for use
  # auth       required   pam_issue.so issue=/etc/issue

  # Disallows root logins except on tty's listed in /etc/securetty
  # (Replaces the `CONSOLE' setting from login.defs)
  #
  # With the default control of this module:
  #   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
  # root will not be prompted for a password on insecure lines.
  # if an invalid username is entered, a password is prompted (but login
  # will eventually be rejected)
  #
  # You can change it to a "requisite" module if you think root may mis-type
  # her login and should not be prompted for a password in that case. But
  # this will leave the system as vulnerable to user enumeration attacks.
  #
  # You can change it to a "required" module if you think it permits to
  # guess valid user names of your system (invalid user names are considered
  # as possibly being root on insecure lines), but root passwords may be
  # communicated over insecure lines.
  auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

  # Disallows other than root logins when /etc/nologin exists
  # (Replaces the `NOLOGINS_FILE' option from login.defs)
  auth       requisite  pam_nologin.so

  # SELinux needs to be the first session rule. This ensures that any 
  # lingering context has been cleared. Without out this it is possible 
  # that a module could execute code in the wrong domain.
  # When the module is present, "required" would be sufficient (When SELinux
  # is disabled, this returns success.)
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

  # This module parses environment configuration file(s)
  # and also allows you to use an extended config
  # file /etc/security/pam_env.conf.
  # 
  # parsing /etc/environment needs "readenv=1"
  session       required   pam_env.so readenv=1
  # locale variables are also kept into /etc/default/locale in etch
  # reading this file *in addition to /etc/environment* does not hurt
  session       required   pam_env.so readenv=1 envfile=/etc/default/locale

  # Standard Un*x authentication.
  @include common-auth

  # This allows certain extra groups to be granted to a user
  # based on things like time of day, tty, service, and user.
  # Please edit /etc/security/group.conf to fit your needs
  # (Replaces the `CONSOLE_GROUPS' option in login.defs)
  auth       optional   pam_group.so

  # Uncomment and edit /etc/security/time.conf if you need to set
  # time restrainst on logins.
  # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
  # as well as /etc/porttime)
  # account    requisite  pam_time.so

  # Uncomment and edit /etc/security/access.conf if you need to
  # set access limits.
  # (Replaces /etc/login.access file)
  # account  required       pam_access.so

  # Sets up user limits according to /etc/security/limits.conf
  # (Replaces the use of /etc/limits in old login)
  #session    required   pam_limits.so

  # Prints the last login info upon succesful login
  # (Replaces the `LASTLOG_ENAB' option from login.defs)
  session    optional   pam_lastlog.so

  # Prints the message of the day upon succesful login.
  # (Replaces the `MOTD_FILE' option in login.defs)
  # This includes a dynamically generated part from /run/motd.dynamic
  # and a static (admin-editable) part from /etc/motd.
  session    optional   pam_motd.so  motd=/run/motd.dynamic noupdate
  session    optional   pam_motd.so

  # Prints the status of the user's mailbox upon succesful login
  # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
  #
  # This also defines the MAIL environment variable
  # However, userdel also needs MAIL_DIR and MAIL_FILE variables
  # in /etc/login.defs to make sure that removing a user 
  # also removes the user's mail spool file.
  # See comments in /etc/login.defs
  session    optional   pam_mail.so standard

  auth sufficient 	pam_ldap.so  use_first_pass
  #account sufficient 	pam_ldap.so
  #password required 	pam_ldap.so

  #password  sufficient	pam_ldap.so
  # Standard Un*x account and session
  @include common-account
  @include common-session
  @include common-password

  # SELinux needs to intervene at login time to ensure that the process
  # starts in the proper default security context. Only sessions which are
  # intended to run in the user's context should be run after this.
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  # When the module is present, "required" would be sufficient (When SELinux
  # is disabled, this returns success.)

  
  #account	[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]	pam_ldap.so 
  password	[success=1 default=ignore]	pam_ldap.so try_first_pass
  #auth	[success=1 default=ignore]	pam_ldap.so use_first_pass
  #session	[success=ok default=ignore]	pam_ldap.so

  account         sufficient                      pam_permit.so

  
  cat /etc/pam.d/common-account
  #
  # /etc/pam.d/common-account - authorization settings common to all services
  #
  # This file is included from other service-specific PAM config files,
  # and should contain a list of the authorization modules that define
  # the central access policy for use on the system.  The default is to
  # only deny service to users whose accounts are expired in /etc/shadow.
  #
  # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
  # To take advantage of this, it is recommended that you configure any
  # local modules either before or after the default block, and use
  # pam-auth-update to manage selection of other modules.  See
  # pam-auth-update(8) for details.
  #

  # here are the per-package modules (the "Primary" block)
  account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so 
  account	[success=1 default=ignore]	pam_ldap.so 
  # here's the fallback if no module succeeds
  #account	requisite			pam_deny.so
  # prime the stack with a positive return value if there isn't one already;
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  account	required			pam_permit.so
  # and here are more per-package modules (the "Additional" block)
  account	sufficient			pam_localuser.so 
  #account	[default=bad success=ok user_unknown=ignore]	pam_sss.so 
  # end of pam-auth-update config



   cat /etc/pam.d/common-session
  #
  # /etc/pam.d/common-session - session-related modules common to all services
  #
  # This file is included from other service-specific PAM config files,
  # and should contain a list of modules that define tasks to be performed
  # at the start and end of sessions of *any* kind (both interactive and
  # non-interactive).
  #
  # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
  # To take advantage of this, it is recommended that you configure any
  # local modules either before or after the default block, and use
  # pam-auth-update to manage selection of other modules.  See
  # pam-auth-update(8) for details.

  # here are the per-package modules (the "Primary" block)
  session	[default=1]			pam_permit.so
  # here's the fallback if no module succeeds
  #session	requisite			pam_deny.so
  # prime the stack with a positive return value if there isn't one already;
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  #session	required			pam_permit.so
  # The pam_umask module will set the umask according to the system default in
  # /etc/login.defs and user settings, solving the problem of different
  # umask settings with different shells, display managers, remote sessions etc.
  # See "man pam_umask".
  session optional			pam_umask.so
  # and here are more per-package modules (the "Additional" block)
  session	required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
  session	required	pam_unix.so 
  #session	optional			pam_sss.so 
  #session	optional			pam_ldap.so 
  session	optional	pam_systemd.so 
  session	optional	pam_ecryptfs.so unwrap
  session	optional			pam_ck_connector.so nox11
  # end of pam-auth-update config


  cat /etc/pam.d/common-password
  #
  # /etc/pam.d/common-password - password-related modules common to all services
  #
  # This file is included from other service-specific PAM config files,
  # and should contain a list of modules that define the services to be
  # used to change user passwords.  The default is pam_unix.

  # Explanation of pam_unix options:
  #
  # The "sha512" option enables salted SHA512 passwords.  Without this option,
  # the default is Unix crypt.  Prior releases used the option "md5".
  #
  # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
  # login.defs.
  #
  # See the pam_unix manpage for other options.

  # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
  # To take advantage of this, it is recommended that you configure any
  # local modules either before or after the default block, and use
  # pam-auth-update to manage selection of other modules.  See
  # pam-auth-update(8) for details.

  # here are the per-package modules (the "Primary" block)
  password	requisite			pam_pwquality.so retry=3
  password	[success=3 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
  #password	sufficient			pam_sss.so use_authtok
  #password	[success=1 user_unknown=ignore default=die]	pam_ldap.so use_authtok try_first_pass
  # here's the fallback if no module succeeds
  #password	requisite			pam_deny.so
  # prime the stack with a positive return value if there isn't one already;
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  #password	required			pam_permit.so
  # and here are more per-package modules (the "Additional" block)
  password	optional	pam_gnome_keyring.so 
  password	optional	pam_ecryptfs.so 
  # end of pam-auth-update config


  
  Myabe it is may fault to cause unwanted behaviour

  
  I look forward hearing form you

  Yours faithfully

  
  Peter Fodrek

  ProblemType: Bug
  DistroRelease: Ubuntu 14.10
  Package: ldap-utils 2.4.31-1+nmu2ubuntu11
  ProcVersionSignature: Ubuntu 3.16.0-23.31-generic 3.16.4
  Uname: Linux 3.16.0-23-generic x86_64
  ApportVersion: 2.14.7-0ubuntu8
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Mon Oct 27 15:14:23 2014
  InstallationDate: Installed on 2014-09-10 (47 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
  SourcePackage: openldap
  SystemImageInfo:
   current build number: 0
   device name: ?
   channel: daily
   last update: Unknown
  UpgradeStatus: Upgraded to utopic on 2014-10-24 (2 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1386194/+subscriptions


Follow ups

References