I am currently trying to make a ldap server which i can use to authenticate users. Sadly a large number of how to's are incomplete and don't work, so after reading alot of how to's and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with a error from auth.log

May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1

I can succesfully search the ldap with this user binding to the ldap

ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=chocolate,dc=lan> (default) with scope subtree
# filter: (uid=william)
# requesting: ALL
#

# william, Admin, chocolate.lan
dn: uid=william,ou=Admin,dc=chocolate,dc=lan
uid: william
cn: william
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/william
userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVT E=
gecos: William Brown,,,,
description: William Brown
shadowLastChange: 1
shadowMax: 0
shadowExpire: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Slapd when trying to authenticate shows this.

/usr/local/libexec/slapd -4 -d 256

slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 fd=10 closed (connection lost)
conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="" method=128
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 closed (connection lost)
conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
conn=3 op=0 BIND dn="" method=128
conn=3 op=0 RESULT tag=97 err=0 text=
connection_input: conn=3 deferring operation: binding
conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 fd=12 closed (connection lost)
conn=1 fd=10 closed (connection lost)


Here is my /etc/ldap.conf
base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.srv.chocolate.lan
ldap_version 3
rootbinddn cn=Manager,dc=chocolate,dc=lan
scope one
timelimit 3
bind_timelimit 3
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_check_host_attr no
pam_member_attribute memberuid
pam_password exop
nss_reconnect_tries 4 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 16 # max sleep value to cap at
nss_reconnect_maxconntries 2 # how many tries before sleeping
nss_base_passwd ou=Admin,dc=chocolate,dc=lan?one
nss_base_passwd ou=People,dc=chocolate,dc=lan?one
nss_base_shadow ou=Admin,dc=chocolate,dc=lan?one
nss_base_shadow ou=People,dc=chocolate,dc=lan?one
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?one
nss_base_group ou=Marvin,ou=Group,dc=chocolate,dc=lan?one
ssl off

Here is /etc/openldap/slapd.conf

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
access to attrs=userPassword
by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
by anonymous auth
by self write
by * none
access to *
by self write
by users read
database bdb
suffix "dc=chocolate,dc=lan"
rootdn "cn=Manager,dc=chocolate,dc=lan"
rootpw {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm
directory /var/db/openldap-data
index objectClass eq
index uid eq
password-hash {SSHA}

Here is the /etc/openldap/ldap.conf from both the client and server

BASE dc=chocolate,dc=lan
URI ldap://ldap.srv.chocolate.lan

Any help with this would be greatly appreciated

William

On 05/03/2010 09:41 AM, Indexer wrote:
> I am currently trying to make a ldap server which i can use to authenticate users. Sadly a large number of how to's are incomplete and don't work, so after reading alot of how to's and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with a error from auth.log
>
> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>
> I can succesfully search the ldap with this user binding to the ldap
>
> ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=chocolate,dc=lan> (default) with scope subtree
> # filter: (uid=william)
> # requesting: ALL
> #
>
> # william, Admin, chocolate.lan
> dn: uid=william,ou=Admin,dc=chocolate,dc=lan
> uid: william
> cn: william
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> loginShell: /bin/bash
> uidNumber: 10000
> gidNumber: 10000
> homeDirectory: /home/william
> userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVT E=
> gecos: William Brown,,,,
> description: William Brown
> shadowLastChange: 1
> shadowMax: 0
> shadowExpire: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Slapd when trying to authenticate shows this.
>
> /usr/local/libexec/slapd -4 -d 256
>
> slapd starting
> conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
> conn=0 op=0 BIND dn="" method=128
> conn=0 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=0 deferring operation: binding
> conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
> conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
> conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
> conn=0 fd=10 closed (connection lost)
> conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
> conn=1 op=0 BIND dn="" method=128
> conn=1 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=1 deferring operation: binding
> conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
> conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
> conn=2 op=0 BIND dn="" method=128
> conn=2 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=2 deferring operation: binding
> conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
> conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
> conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=2 fd=12 closed (connection lost)
> conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
> conn=3 op=0 BIND dn="" method=128
> conn=3 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=3 deferring operation: binding
> conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
> conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
> conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=3 fd=12 closed (connection lost)
> conn=1 fd=10 closed (connection lost)
>
>
> Here is my /etc/ldap.conf
> base dc=chocolate,dc=lan
> suffix dc=chocolate,dc=lan
> uri ldap://ldap.srv.chocolate.lan
> ldap_version 3
> rootbinddn cn=Manager,dc=chocolate,dc=lan
> scope one
> timelimit 3
> bind_timelimit 3
> bind_policy soft
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_check_host_attr no
> pam_member_attribute memberuid
> pam_password exop
> nss_reconnect_tries 4 # number of times to double the sleep time
> nss_reconnect_sleeptime 1 # initial sleep value
> nss_reconnect_maxsleeptime 16 # max sleep value to cap at
> nss_reconnect_maxconntries 2 # how many tries before sleeping
> nss_base_passwd ou=Admin,dc=chocolate,dc=lan?one
> nss_base_passwd ou=People,dc=chocolate,dc=lan?one
> nss_base_shadow ou=Admin,dc=chocolate,dc=lan?one
> nss_base_shadow ou=People,dc=chocolate,dc=lan?one
> nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?one
> nss_base_group ou=Marvin,ou=Group,dc=chocolate,dc=lan?one
> ssl off
>
> Here is /etc/openldap/slapd.conf
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb
> access to attrs=userPassword
> by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
> by anonymous auth
> by self write
> by * none
> access to *
> by self write
> by users read
> database bdb
> suffix "dc=chocolate,dc=lan"
> rootdn "cn=Manager,dc=chocolate,dc=lan"
> rootpw {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm
> directory /var/db/openldap-data
> index objectClass eq
> index uid eq
> password-hash {SSHA}
>
> Here is the /etc/openldap/ldap.conf from both the client and server
>
> BASE dc=chocolate,dc=lan
> URI ldap://ldap.srv.chocolate.lan
>
> Any help with this would be greatly appreciated
>
> William
>
>
I haven't set this up on gentoo, only on debian-server with
ubuntu-clients...

Does NSS work already? Do you see the LDAP users/group after the
passwd-users when you run
$ getent passwd
$ getent group

Assuming you have configured /etc/nsswitch.conf:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
("files ldap" is OK too.)

As long as that does not work, it doesn't make sense to continue to PAM.

Is the password in /etc/ldap.secret OK? Mode should be 400. Try to see
if the password for cn=Manager,dc=chocolate,dc=lan in there does have
possibly problematic characters.

I need to use nscd on the clients.

BTW: I use MDS/MMC (http://mds.mandriva.org/) on all debian servers for
User/Samba/DNS/DHCP/Mail management with LDAP. It's really good.

The most trickiest part of setting up LDAP-clients is always PAM
Fortunately for debian/ubuntu there are good guides. If you find out how
to do it with gentoo, that info would be appreciated (gentoo-wiki?).

Good luck,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887

On Mon, May 3, 2010 at 09:41, Indexer <indexer@internode.on.net> wrote:
> I am currently trying to make a ldap server which i can use to authenticate users. Sadly a large number of how to's are incomplete and don't work, so after reading alot of how to's and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with a error from auth.log
>
> May *4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>

What does you ssh file in /etc/pam.d look like?

Ward

On 03/05/2010, at 9:16 PM, Daniel Troeder wrote:

> I haven't set this up on gentoo, only on debian-server with
> ubuntu-clients...
>
> Does NSS work already? Do you see the LDAP users/group after the
> passwd-users when you run
> $ getent passwd
> $ getent group
>

Both show the correct user and group as defined in the ldap attributes

passwd
william:*:10000:10000:William Brown,,,,:/home/william:/bin/bash

and group
login:*:20000:william

> Assuming you have configured /etc/nsswitch.conf:
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
> ("files ldap" is OK too.)
>
> As long as that does not work, it doesn't make sense to continue to PAM.
>
> Is the password in /etc/ldap.secret OK? Mode should be 400. Try to see
> if the password for cn=Manager,dc=chocolate,dc=lan in there does have
> possibly problematic characters.

The password is in there, and it does bind successfully (I accidentally posted the wrong output from slapd, I have been documenting my success / failures to try and piece this together)

slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:39936 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=0 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=13 ACCEPT from IP=127.0.0.1:23394 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=1 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=13 closed (connection lost)
conn=2 fd=13 ACCEPT from IP=127.0.0.1:38351 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=2 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william)) "
conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

>
> I need to use nscd on the clients.
>
> BTW: I use MDS/MMC (http://mds.mandriva.org/) on all debian servers for
> User/Samba/DNS/DHCP/Mail management with LDAP. It's really good.

Ill take a look at it, thank you for the hint.

>
> The most trickiest part of setting up LDAP-clients is always PAM
> Fortunately for debian/ubuntu there are good guides. If you find out how
> to do it with gentoo, that info would be appreciated (gentoo-wiki?).

I agree, and i most likely will do a write up if i get it to work happily

>
> Good luck,
> Daniel
>
> --
> PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
> # gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
>

William

On 03/05/2010, at 9:41 PM, Ward Poelmans wrote:

> On Mon, May 3, 2010 at 09:41, Indexer <indexer@internode.on.net> wrote:
>> I am currently trying to make a ldap server which i can use to authenticate users. Sadly a large number of how to's are incomplete and don't work, so after reading alot of how to's and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with a error from auth.log
>>
>> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>>
>
> What does you ssh file in /etc/pam.d look like?

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
#account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user

# session
#session optional pam_ssh.so
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

>
> Ward
>

I was under the impression that SSH was able to use pam from the system module? I will try this out now uncommenting the ldap settings.

On 05/03/2010 02:37 PM, Indexer wrote:
>
> On 03/05/2010, at 9:41 PM, Ward Poelmans wrote:
>
>> On Mon, May 3, 2010 at 09:41, Indexer <indexer@internode.on.net> wrote:
>>> I am currently trying to make a ldap server which i can use to authenticate users. Sadly a large number of how to's are incomplete and don't work, so after reading alot of how to's and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with a error from auth.log
>>>
>>> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>>>
>>
>> What does you ssh file in /etc/pam.d look like?
>
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> #auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_unix.so
> #account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
>
> # session
> #session optional pam_ssh.so
> session required pam_permit.so
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_unix.so no_warn try_first_pass
>
>>
>> Ward
>>
>
> I was under the impression that SSH was able to use pam from the system module? I will try this out now uncommenting the ldap settings.
>
Can the user login from a console?
And what about "su - william" from a non-root account? (From a
root-account it should work without problems.)

Daniel

I have solved this issue late last night. I took my inspiration from fedora, who has a really nice automatic tool for adding ldap servers, and i looked at their changes. The issue was that pam_unix was set as required, not sufficient / optional. I also found that in fedora they do includes in their pam, and my setup did not have it so you need to modify the correct module for the system, you are using. Find below my corrected pam config, and i will do a write up of this process.

I have also found that when the user logs in it takes a long tine for commands to execute, and in this time it sends alot of requests to the slapd server, using anonymous binds. Any idea how i make anonymous binds return attrs such as groupUid etc?

On 05/05/2010, at 7:00 AM, Daniel Troeder wrote:

>>
>> # auth
>> auth sufficient pam_opie.so no_warn no_fake_prompts
>> auth requisite pam_opieaccess.so no_warn allow_local
>> #auth sufficient pam_krb5.so no_warn try_first_pass
>> #auth sufficient pam_ssh.so no_warn try_first_pass
>> auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
>> auth sufficient pam_unix.so no_warn try_first_pass
>>
>> # account
>> account required pam_nologin.so
>> #account required pam_krb5.so
>> account required pam_login_access.so
>> account sufficient pam_unix.so
>> account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
>>
>> # session
>> #session optional pam_ssh.so
>> session required pam_permit.so
session optional /usr/local/lib/pam_ldap.so

>>
>> # password
>> #password sufficient pam_krb5.so no_warn try_first_pass
>> password sufficient pam_unix.so no_warn try_first_pass
password sufficient /usr/lib/local/pam_ldap.so
>

On 05/05/2010 02:02 AM, Indexer wrote:
> I have solved this issue late last night. I took my inspiration from
> fedora, who has a really nice automatic tool for adding ldap servers,
> and i looked at their changes. The issue was that pam_unix was set as
> required, not sufficient / optional. I also found that in fedora they
> do includes in their pam, and my setup did not have it so you need to
> modify the correct module for the system, you are using. Find below
> my corrected pam config, and i will do a write up of this process.
nice

> I have also found that when the user logs in it takes a long tine for
> commands to execute, and in this time it sends alot of requests to
> the slapd server, using anonymous binds. Any idea how i make
> anonymous binds return attrs such as groupUid etc?
You have to allow that using ACLs in slapd.conf.

In your first post they were:

access to attrs=userPassword
by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
by anonymous auth
by self write
by * none
access to *
by self write
by users read

I think you should have at least this:

access to dn.base="" by * read

So that anonymous can at least get to the root of your LDAP tree. This
is important to some clients (especially SASL).

And then I'd also open up read access to anonymous for everything else,
or at least Users+Groups, as that is also the case with /etc/passwd.
There is really no point in being more secretive than file permissions
on /etc/passwd.


access to *
by * read

or, more secure I think:

access to ou=Group,dc=chocolate,dc=lan
by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
by * read

access to ou=Admin,dc=chocolate,dc=lan
by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
by * read

access to ou=Users,dc=chocolate,dc=lan
by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
by * read

I'm not 100% sure with the "by dn.subtree=..." though I think that
should work ($ man slapd.access).


Bye,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887