Bug in account tracking (LFD)?

[shaneau]

We use a central LDAP server for authentication on our servers and we've been getting these errors for a while.

Code: Select all

Dec  1 17:27:03 server cessing: nss_ldap: could not search LDAP server - Server is unavailable
Dec  1 17:29:03 server cessing: nss_ldap: could not get LDAP result - Can't contact LDAP server
Dec  1 17:29:03 server cessing: nss_ldap: could not get LDAP result - Can't contact LDAP server
Dec  1 17:30:10 server cessing: nss_ldap: could not get LDAP result - Can't contact LDAP server
Dec  1 17:30:10 server cessing: nss_ldap: could not search LDAP server - Server is unavailable
Dec  1 17:32:26 server cessing: nss_ldap: could not get LDAP result - Can't contact LDAP server
Dec  1 17:32:26 server cessing: nss_ldap: could not get LDAP result - Can't contact LDAP server
Dec  1 17:33:34 server cessing: nss_ldap: could not get LDAP result - Can't contact LDAP server
Dec  1 17:33:34 server cessing: nss_ldap: could not search LDAP server - Server is unavailable

After a fair bit of troubleshooting we found the cause of this to be from the LFD script during a while loop for the account tracking part (line 971 of lfd.pl). In our config we have AT_ALERT set to 2 (enable this feature only for accounts with uid 0 (e.g. root)). It seems like this while loop loops through and gets every single account's information using the getpwent function even though root is the first account it finds. This is flooding the LDAP server queries which eventually gives us the errors above.

If AT_ALERT is set to 2 and the script finds an account with a uid of 0 shouldn't the loop just end? It seems unnecessary to keep looping through the rest of the accounts.

Also, I'm not sure why LFD is logging only part of the string of line 843 (lfd.pl) to /var/log/messages ("cessing" rather than "lfd - processing"), this made it pretty hard to track down what was logging these errors.

Edit: I forgot to mention, we are using the latest version of CSF - v5.12.

[chirpy]

It has to iterate through all the accounts incase there is more than one superuser account, so it is working as it is described. I'll look into adding a third value to the option to only check the root account itself and ignore any other superuser accounts that might exist.

[shaneau]

Thanks chirpy.

[shaneau]

I just noticed the new option "3" for AT_ALERT in v5.13. Thank you very much for getting this in there so quickly!