Ldap authentication issues.
I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:

May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1

I can successfully search the LDAP with this user binding to the LDAP:

ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=chocolate,dc=lan> (default) with scope subtree
# filter: (uid=william)
# requesting: ALL
#

# william, Admin, chocolate.lan
dn: uid=william,ou=Admin,dc=chocolate,dc=lan
uid: william
cn: william
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/william
userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVT E=
gecos: William Brown,,,,
description: William Brown
shadowLastChange: 1
shadowMax: 0
shadowExpire: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Slapd when trying to authenticate shows this.

/usr/local/libexec/slapd -4 -d 256

slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 fd=10 closed (connection lost)
conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="" method=128
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 closed (connection lost)
conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
conn=3 op=0 BIND dn="" method=128
conn=3 op=0 RESULT tag=97 err=0 text=
connection_input: conn=3 deferring operation: binding
conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 fd=12 closed (connection lost)
conn=1 fd=10 closed (connection lost)

Here is my /etc/ldap.conf

base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.srv.chocolate.lan
ldap_version 3
rootbinddn cn=Manager,dc=chocolate,dc=lan
scope one
timelimit 3
bind_timelimit 3
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_check_host_attr no
pam_member_attribute memberuid
pam_password exop
nss_reconnect_tries 4 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 16 # max sleep value to cap at
nss_reconnect_maxconntries 2 # how many tries before sleeping
nss_base_passwd ou=Admin,dc=chocolate,dc=lan?one
nss_base_passwd ou=People,dc=chocolate,dc=lan?one
nss_base_shadow ou=Admin,dc=chocolate,dc=lan?one
nss_base_shadow ou=People,dc=chocolate,dc=lan?one
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?one
nss_base_group ou=Marvin,ou=Group,dc=chocolate,dc=lan?one
ssl off

Here is /etc/openldap/slapd.conf

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
access to attrs=userPassword
    by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
    by anonymous auth
    by self write
    by * none
access to *
    by self write
    by users read
database bdb
suffix "dc=chocolate,dc=lan"
rootdn "cn=Manager,dc=chocolate,dc=lan"
rootpw {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm
directory /var/db/openldap-data
index objectClass eq
index uid eq
password-hash {SSHA}

Here is the /etc/openldap/ldap.conf from both the client and server

BASE dc=chocolate,dc=lan
URI ldap://ldap.srv.chocolate.lan

Any help with this would be greatly appreciated

William
Ldap authentication issues.
On 05/03/2010 09:41 AM, Indexer wrote:
> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log
>
> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>
> [...]
>
> Any help with this would be greatly appreciated
>
> William

I haven't set this up on gentoo, only on debian-server with ubuntu-clients...

Does NSS work already? Do you see the LDAP users/group after the passwd-users when you run
$ getent passwd
$ getent group

Assuming you have configured /etc/nsswitch.conf:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
("files ldap" is OK too.)

As long as that does not work, it doesn't make sense to continue to PAM.

Is the password in /etc/ldap.secret OK? Mode should be 400. Try to see if the password for cn=Manager,dc=chocolate,dc=lan in there does have possibly problematic characters.

I need to use nscd on the clients.

BTW: I use MDS/MMC (http://mds.mandriva.org/) on all debian servers for User/Samba/DNS/DHCP/Mail management with LDAP. It's really good.

The trickiest part of setting up LDAP-clients is always PAM :( Fortunately for debian/ubuntu there are good guides. If you find out how to do it with gentoo, that info would be appreciated (gentoo-wiki?).

Good luck,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
Ldap authentication issues.
On Mon, May 3, 2010 at 09:41, Indexer <indexer@internode.on.net> wrote:
> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log
>
> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>

What does your ssh file in /etc/pam.d look like?

Ward
Ldap authentication issues.
On 03/05/2010, at 9:16 PM, Daniel Troeder wrote:
> I haven't set this up on gentoo, only on debian-server with
> ubuntu-clients...
>
> Does NSS work already? Do you see the LDAP users/group after the
> passwd-users when you run
> $ getent passwd
> $ getent group

Both show the correct user and group as defined in the LDAP attributes:

passwd
william:*:10000:10000:William Brown,,,,:/home/william:/bin/bash

and group
login:*:20000:william

> Assuming you have configured /etc/nsswitch.conf:
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
> ("files ldap" is OK too.)
>
> As long as that does not work, it doesn't make sense to continue to PAM.
>
> Is the password in /etc/ldap.secret OK? Mode should be 400. Try to see
> if the password for cn=Manager,dc=chocolate,dc=lan in there does have
> possibly problematic characters.

The password is in there, and it does bind successfully (I accidentally posted the wrong output from slapd, I have been documenting my successes / failures to try and piece this together):

slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:39936 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=0 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=13 ACCEPT from IP=127.0.0.1:23394 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=1 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=13 closed (connection lost)
conn=2 fd=13 ACCEPT from IP=127.0.0.1:38351 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=2 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

> I need to use nscd on the clients.
>
> BTW: I use MDS/MMC (http://mds.mandriva.org/) on all debian servers for
> User/Samba/DNS/DHCP/Mail management with LDAP. It's really good.

I'll take a look at it, thank you for the hint.

> The trickiest part of setting up LDAP-clients is always PAM :(
> Fortunately for debian/ubuntu there are good guides. If you find out how
> to do it with gentoo, that info would be appreciated (gentoo-wiki?).

I agree, and I most likely will do a write-up if I get it to work happily.

> Good luck,
> Daniel

William
Ldap authentication issues.
On 03/05/2010, at 9:41 PM, Ward Poelmans wrote:
> On Mon, May 3, 2010 at 09:41, Indexer <indexer@internode.on.net> wrote:
>> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log
>>
>> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>>
>
> What does your ssh file in /etc/pam.d look like?

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
#account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user

# session
#session optional pam_ssh.so
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

> Ward

I was under the impression that SSH was able to use PAM from the system module? I will try this out now, uncommenting the ldap settings.
Ldap authentication issues.
On 05/03/2010 02:37 PM, Indexer wrote:
> On 03/05/2010, at 9:41 PM, Ward Poelmans wrote:
>> On Mon, May 3, 2010 at 09:41, Indexer <indexer@internode.on.net> wrote:
>>> [...]
>>> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>>
>> What does your ssh file in /etc/pam.d look like?
>
> [...]
>
> I was under the impression that SSH was able to use PAM from the system module? I will try this out now, uncommenting the ldap settings.

Can the user login from a console? And what about "su - william" from a non-root account? (From a root-account it should work without problems.)

Daniel
Ldap authentication issues.
I have solved this issue late last night. I took my inspiration from Fedora, which has a really nice automatic tool for adding LDAP servers, and I looked at their changes. The issue was that pam_unix was set as required, not sufficient / optional. I also found that in Fedora they do includes in their PAM, and my setup did not have it, so you need to modify the correct module for the system you are using. Find below my corrected PAM config, and I will do a write-up of this process.

I have also found that when the user logs in it takes a long time for commands to execute, and in this time it sends a lot of requests to the slapd server, using anonymous binds. Any idea how I make anonymous binds return attrs such as groupUid etc?

On 05/05/2010, at 7:00 AM, Daniel Troeder wrote:
>>
>> # auth
>> auth sufficient pam_opie.so no_warn no_fake_prompts
>> auth requisite pam_opieaccess.so no_warn allow_local
>> #auth sufficient pam_krb5.so no_warn try_first_pass
>> #auth sufficient pam_ssh.so no_warn try_first_pass
>> auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
>> auth sufficient pam_unix.so no_warn try_first_pass
>>
>> # account
>> account required pam_nologin.so
>> #account required pam_krb5.so
>> account required pam_login_access.so
>> account sufficient pam_unix.so
>> account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
>>
>> # session
>> #session optional pam_ssh.so
>> session required pam_permit.so
session optional /usr/local/lib/pam_ldap.so
>>
>> # password
>> #password sufficient pam_krb5.so no_warn try_first_pass
>> password sufficient pam_unix.so no_warn try_first_pass
password sufficient /usr/lib/local/pam_ldap.so
>
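As an added example (not code from this thread or from any of its posters), the following simulates the PAM control-flag rules from pam.conf(5) over the "auth" lines of the ssh PAM config, before and after the change described above, to show why "required pam_unix" denied the LDAP-only user. The per-module verdicts for an LDAP-only user and a local-only user are constructed assumptions.

```python
# Added example, not code from the thread: a simulator of PAM control-flag
# semantics (pam.conf(5)) run over the 'auth' lines of the ssh PAM config
# before and after the change above. Per-module verdicts are constructed
# assumptions: 'william' exists only in LDAP, 'root' only in /etc/passwd.

ORIGINAL_AUTH = """
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
auth required pam_unix.so no_warn try_first_pass
"""

FIXED_AUTH = """
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
auth sufficient pam_unix.so no_warn try_first_pass
"""

def parse_auth_stack(text):
    """Return [(control, module basename)] for the active 'auth' lines."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: " + line)
        if fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def run_auth_stack(stack, verdicts):
    """Walk the stack in order and return (authenticated, trace).

    verdicts maps module basename -> True (PAM_SUCCESS) / False (failure);
    a module with no verdict is treated as failing. Modelled semantics:
      required   failure is remembered, later modules still run, final = deny
      requisite  failure ends the stack at once with deny
      sufficient success ends the stack with allow unless a 'required'
                 module already failed; failure is ignored
      optional   ignored (only decisive as the sole module; not modelled)
    """
    required_failed, decisive_success, trace = False, False, []
    for control, module in stack:
        ok = verdicts.get(module, False)
        trace.append(f"{control:<10} {module:<18} {'ok' if ok else 'FAIL'}")
        if control == "required":
            required_failed = required_failed or not ok
            decisive_success = decisive_success or ok
        elif control == "requisite":
            if not ok:
                return False, trace
            decisive_success = True
        elif control == "sufficient" and ok and not required_failed:
            return True, trace
    return decisive_success and not required_failed, trace

LDAP_USER = {"pam_opie.so": False, "pam_opieaccess.so": True,
             "pam_ldap.so": True, "pam_unix.so": False}
LOCAL_USER = {"pam_opie.so": False, "pam_opieaccess.so": True,
              "pam_ldap.so": False, "pam_unix.so": True}

def authenticates(config_text, verdicts):
    """Convenience wrapper: does this pam.d 'auth' stack admit the user?"""
    return run_auth_stack(parse_auth_stack(config_text), verdicts)[0]

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_AUTH), ("fixed", FIXED_AUTH)):
        ok, trace = run_auth_stack(parse_auth_stack(cfg), LDAP_USER)
        print(f"{name}: LDAP-only user -> {'allowed' if ok else 'denied'}")
        print("   " + "\n   ".join(trace))
```

With the original stack the trace ends at "required pam_unix.so FAIL", which is exactly the PAM authentication error sshd logged; with the fixed stack "sufficient pam_ldap.so ok" ends it with success.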
Ldap authentication issues.
On 05/05/2010 02:02 AM, Indexer wrote:
> I have solved this issue late last night. I took my inspiration from
> Fedora, which has a really nice automatic tool for adding LDAP servers,
> and I looked at their changes. The issue was that pam_unix was set as
> required, not sufficient / optional. I also found that in Fedora they
> do includes in their PAM, and my setup did not have it, so you need to
> modify the correct module for the system you are using. Find below
> my corrected PAM config, and I will do a write-up of this process.

nice :)

> I have also found that when the user logs in it takes a long time for
> commands to execute, and in this time it sends a lot of requests to
> the slapd server, using anonymous binds. Any idea how I make
> anonymous binds return attrs such as groupUid etc?

You have to allow that using ACLs in slapd.conf. In your first post they were:

access to attrs=userPassword
    by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
    by anonymous auth
    by self write
    by * none
access to *
    by self write
    by users read

I think you should have at least this:

access to dn.base=""
    by * read

So that anonymous can at least get to the root of your LDAP tree. This is important to some clients (especially SASL).

And then I'd also open up read access to anonymous for everything else, or at least Users+Groups, as that is also the case with /etc/passwd. There is really no point in being more secretive than file permissions on /etc/passwd.

access to *
    by * read

or, more secure I think:

access to ou=Group,dc=chocolate,dc=lan
    by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
    by * read
access to ou=Admin,dc=chocolate,dc=lan
    by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
    by * read
access to ou=Users,dc=chocolate,dc=lan
    by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
    by * read

I'm not 100% sure with the "by dn.subtree=..." though I think that should work ($ man slapd.access).

Bye,
Daniel
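As an added example (not code from this thread or from OpenLDAP itself), the following evaluates the slapd.access(5) subset used above (targets "*", "attrs=" and "dn.base="; subjects "*", "anonymous", "users", "self" and "dn=") against the original slapd.conf ACLs and against the same ACLs with the two suggested clauses added, so one can see which access level an anonymous bind gets on memberUid and on userPassword in each case. The entry DNs come from the posted output; the group DN "cn=login,ou=Nemo,..." is constructed.

```python
# Added example, not code from the thread: evaluates the slapd.access(5)
# subset used above against the slapd.conf ACLs from the first post and
# against the same ACLs with the suggested clauses added. DNs come from
# the posted ldapsearch/getent output; the group DN is constructed.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

ORIGINAL_ACLS = """
access to attrs=userPassword
    by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
    by anonymous auth
    by self write
    by * none
access to *
    by self write
    by users read
"""

OPENED_ACLS = """
access to attrs=userPassword
    by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
    by anonymous auth
    by self write
    by * none
access to dn.base=""
    by * read
access to *
    by * read
"""

def parse_acls(text):
    """[{'what': target, 'by': [(who, level), ...]}] in file order."""
    acls = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("access to "):
            acls.append({"what": line[10:].strip(), "by": []})
        elif line.startswith("by ") and acls:
            who, level = line[3:].rsplit(None, 1)
            acls[-1]["by"].append((who.strip(), level))
        else:
            raise ValueError("unsupported ACL line: " + line)
    return acls

def _target_matches(what, entry_dn, attr):
    """Targets modelled: '*', attrs=a,b and dn.base="<dn>"."""
    if what == "*":
        return True
    checks = {"attrs": lambda v: attr in v.split(","),
              "dn.base": lambda v: entry_dn == v}
    for tok in what.split():
        key, _, val = tok.partition("=")
        if key not in checks:
            raise ValueError("unsupported target: " + what)
        if not checks[key](val.strip('"')):
            return False
    return True

def _subject_matches(who, bind_dn, entry_dn):
    """Subjects modelled: '*', anonymous, users, self, dn="<dn>"."""
    if who.startswith("dn="):
        return bind_dn == who[3:].strip('"')
    return {"*": True, "anonymous": bind_dn is None,
            "users": bind_dn is not None, "self": bind_dn == entry_dn}[who]

def granted(acls, bind_dn, entry_dn, attr=None):
    """Level bind_dn (None = anonymous bind) gets on entry_dn / attr.
    slapd selects the first 'access to' whose target matches, then the first
    'by' whose subject matches; no matching 'by' is an implicit 'by * none'.
    A target matched by no clause is treated as 'none' here (assumption;
    the posted configs always end in 'access to *', so it never happens)."""
    for acl in acls:
        if _target_matches(acl["what"], entry_dn, attr):
            return next((lvl for who, lvl in acl["by"]
                         if _subject_matches(who, bind_dn, entry_dn)), "none")
    return "none"

def allows(acls, bind_dn, entry_dn, attr, needed):
    """True if the granted level is at least 'needed' (levels are ordered)."""
    return LEVELS.index(granted(acls, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)

WILLIAM = "uid=william,ou=Admin,dc=chocolate,dc=lan"
GROUP = "cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan"   # constructed group DN
```

Under the original ACLs an anonymous bind gets "auth" on userPassword (enough for the bind itself) but "none" on memberUid and on the root DSE, which is why the anonymous NSS lookups come back empty; with the added clauses those become "read" while userPassword stays at "auth".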