hi-
i'm using libpam-ldap 184 courtesy of debian testing, against openldap
2.4.11 (on the same computer in this example), and noticed something
that seemed odd to me. it appears that if specified, the pam_filter
value in the config file is getting duplicated when the actual ldap
search is performed.
with no value for pam_filter, i see the following when a user logs in:
slapd[1895]: conn=3156 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=someuser))"
if i specify what would appear to be the default value for pam_filter
explicitly in the config (e.g. pam_filter objectClass=posixAccount), i
see the following:
slapd[1895]: conn=3153 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=someuser))"
another example:
pam_filter &(objectClass=posixAccount)(objectClass=shadowAccount))(|(memberOf=cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=example,dc=com)
slapd[1895]: conn=3161 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(&(objectClass=posixAccount)(objectClass=shadowAccount))(|(memberOf=cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=example,dc=com))(&(objectClass=posixAccount)(objectClass=shadowAccount))(|(memberOf=cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=example,dc=com))(uid=someuser))"
i experimented a bit with various syntaxes for the pam_filter value,
but wasn't successful in suppressing the duplication.
i see this mentioned here:
http://www.nabble.com/Solaris-10-ts4958892.html
- but not much discussion.
is this normal?
thanks
-ben
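
Added example, not part of the message above and not libpam-ldap or OpenLDAP code: a small Python check that reads slapd SRCH log lines like the ones quoted in the post and reports any clause repeated at the top level of the search filter. The function names are hypothetical, and the two sample lines are the first two log lines from the post with the mail wrapping removed.

```python
import re
from collections import Counter

# Captures conn id, op id and the quoted filter of a slapd SRCH log line.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="(.*)"')

def split_clauses(expr):
    """Split '(a)(b(c))' into its top-level parenthesised clauses.
    Literal parentheses inside values are escaped as \\28 and \\29 in
    LDAP string filters, so counting raw parentheses is sufficient."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(expr):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter: %r" % expr)
            if depth == 0:
                out.append(expr[start:i + 1])
    if depth:
        raise ValueError("unbalanced filter: %r" % expr)
    return out

def duplicated_clauses(ldap_filter):
    """Return clauses that occur more than once directly under a top-level & or |."""
    f = ldap_filter.strip()
    if len(f) < 4 or f[0] != "(" or f[-1] != ")" or f[1] not in "&|":
        return []
    counts = Counter(split_clauses(f[2:-1]))
    return [clause for clause, n in counts.items() if n > 1]

def scan(lines):
    """Return (conn, op, duplicated clauses) for each SRCH line with a repeat."""
    hits = []
    for line in lines:
        m = SRCH_RE.search(line)
        if m and (dups := duplicated_clauses(m.group(3))):
            hits.append((int(m.group(1)), int(m.group(2)), dups))
    return hits

# Sample input: the post's first two log lines, unwrapped.
SAMPLE_LOG = [
    'slapd[1895]: conn=3156 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=someuser))"',
    'slapd[1895]: conn=3153 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=someuser))"',
]

if __name__ == "__main__":
    for conn, op, dups in scan(SAMPLE_LOG):
        print("conn=%d op=%d repeated: %s" % (conn, op, ", ".join(dups)))
```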