ldap client authentication
Folks,
I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress.

Here's the rundown of how things are configured (fairly straightforward):

- OpenDS server has the following entry (gathered directly from ldapsearch output), below. Note that clearly the LDAP server is properly configured if it's responding to an ldapsearch on the client with no problems.

ldap ~ # ldapsearch -H ldap://auth.whatever.com "objectclass=posixAccount"
dn: cn=tb,ou=it,dc=whatever,dc=com
uid: tb
initials: tb
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
givenName: Thomas
cn: tb
sn: Bellview
telephoneNumber: 333.555.3333
homeDirectory: /home/tb
uidNumber: 10001
mail: tb@whatever.com
gidNumber: 10001

- /etc/ldap.conf

base ou=it,dc=whatever,dc=com
uri ldaps://auth.whatever.com
ldap_version 3
tls_reqcert allow
pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
nss_base_passwd ou=it,dc=whatever,dc=com
nss_base_shadow ou=it,dc=whatever,dc=com
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,www-data
timelimit 5
bind_timelimit 5

- Likewise, /etc/openldap/ldap.conf

BASE ou=it,dc=whatever,dc=com
URI ldaps://auth.whatever.com
TLS_REQCERT allow
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

Simple problem: authentication fails.
On the CLIENT I see the following in the log files:

==> auth.log <==
Nov  3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com

On the SERVER I see the following:

[03/Nov/2010:06:27:05 -0400] CONNECT conn=314 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=314 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=314 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=1 msgID=2 result=0 nentries=1 etime=1
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=2 msgID=3 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=2 msgID=3 result=0 nentries=1 etime=1
[03/Nov/2010:06:27:05 -0400] CONNECT conn=315 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=315 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectclass=posixAccount)(uid=tb))" attrs="ALL"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=315 op=1 msgID=2 result=0 nentries=1 etime=0
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=2 msgID=3 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=2 msgID=3 result=0 authDN="" etime=0
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=315 reason="Client Disconnect"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=314 reason="Client Disconnect"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=309 reason="Client Disconnect"

Looks fine, right? Well not really. If I run an ldapsearch *exactly* as it appears in the SERVER's log, it returns the user.

ldap ~ # ldapsearch -H ldap://auth.whatever.com -b "ou=it,dc=whatever,dc=com" "(&(objectclass=posixAccount)(uid=tb))"
# extended LDIF
#
# LDAPv3
# base <ou=it,dc=whatever,dc=com> with scope subtree
# filter: (&(objectclass=posixAccount)(uid=tb))
# requesting: ALL
#

# tb, it, whatever.com
dn: cn=tb,ou=it,dc=whatever,dc=com
uid: tb
initials: tb
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
givenName: Thomas
cn: tb
sn: Bellview
telephoneNumber: 333.555.3333
homeDirectory: /home/tb
uidNumber: 10001
mail: tb@whatever.com
gidNumber: 10001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This has me pulling my hair out. Clearly the manual ldapsearch works. The only thing I can think of is the "scope=wholeSubtree" or the "attrs=ALL" breaking the query; clearly the applied filters work without any issues.

Thoughts / ideas would be greatly appreciated.

-james
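An added diagnostic, not part of James's post or of OpenDS: in the server log above, both BIND requests on conn=315 carry dn="" (anonymous) even after the entry for uid=tb has been found, so the user's password is never presented to the directory. The script below, run over a constructed sample modelled on those log lines, parses OpenDS access-log entries per connection and distinguishes "the server rejected the bind" from "the client never bound as the user", which separates a bad password from a client-side PAM/pam_ldap problem; conn=314 (the nss_ldap lookup) would be reported the same way.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the OpenDS access-log lines quoted in the thread;
# hosts, DNs and the uid are the thread's placeholder values, not a real directory.
SAMPLE_LOG = """\
[03/Nov/2010:06:27:05 -0400] CONNECT conn=315 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=315 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectclass=posixAccount)(uid=tb))" attrs="ALL"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=315 op=1 msgID=2 result=0 nentries=1 etime=0
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=2 msgID=3 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=2 msgID=3 result=0 authDN="" etime=0
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=315 reason="Client Disconnect"
"""

# Operation header, e.g. '] BIND REQ conn=315 op=2 ' followed by key=value fields
OP_RE = re.compile(r'\] (?P<kind>BIND REQ|BIND RES|SEARCH REQ) conn=(?P<conn>\d+) op=\d+ (?P<rest>.*)')
# key=value fields; quoted values may contain spaces and '=' (the search filter does)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(rest):
    """Turn 'type=SIMPLE dn=""' into {'type': 'SIMPLE', 'dn': ''}."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(rest)}

def audit_auth(log_text):
    """Return {conn: finding} for connections that look like a failed PAM login."""
    conns = defaultdict(lambda: {"uids": [], "dns": [], "failed": []})
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        f, c = parse_fields(m.group("rest")), conns[m.group("conn")]
        if m.group("kind") == "BIND REQ":          # who the client tried to bind as
            c["dns"].append(f.get("dn", ""))
        elif m.group("kind") == "BIND RES" and f.get("result") != "0":
            c["failed"].append(f.get("result"))     # e.g. 49 = invalid credentials
        elif m.group("kind") == "SEARCH REQ":      # pam_ldap's lookup of the login uid
            c["uids"] += re.findall(r'\(uid=([^)*]+)\)', f.get("filter", ""))
    findings = {}
    for conn, c in conns.items():
        if c["failed"]:
            findings[conn] = "bind rejected by the server (result=%s)" % ",".join(c["failed"])
        elif c["uids"] and all(dn == "" for dn in c["dns"]):
            # Every bind was anonymous: the user's password never reached the directory,
            # so the failure is on the client (PAM/pam_ldap) side, not a wrong password.
            findings[conn] = "looked up uid=%s but only bound anonymously (dn=\"\")" % ",".join(c["uids"])
    return findings
```

Point it at a real access log with `audit_auth(open(path).read())`; a healthy login shows a BIND REQ with the user's full DN after the uid search.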
ldap client authentication
On 3/11/2010, at 4:25pm, James wrote:

> ...
> I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress.
>
> Here's the rundown of how things are configured (fairly straightforward):
> ...
>
> ==> auth.log <==
> Nov  3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com

You've shown us all about your LDAP configuration, but nothing about your PAM configuration, or whether sshd or IMAP are configured to use PAM.

Stroller.
ldap client authentication
Straight from the Gentoo + LDAP page.
# pam ldap stuff
auth        sufficient  pam_ldap.so use_first_pass
account     sufficient  pam_ldap.so
password    sufficient  pam_ldap.so use_authtok use_first_pass
session     optional    pam_ldap.so

-james

On Wed, Nov 3, 2010 at 15:13, Stroller <stroller@stellar.eclipse.co.uk> wrote:
> On 3/11/2010, at 4:25pm, James wrote:
>
>> ...
>> I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress.
>>
>> Here's the rundown of how things are configured (fairly straightforward):
>> ...
>>
>> ==> auth.log <==
>> Nov  3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com
>
> You've shown us all about your LDAP configuration, but nothing about your PAM configuration, or whether sshd or IMAP are configured to use PAM.
>
> Stroller.
ldap client authentication
Bump -- any ideas?
In a tough spot right now trying to wrap this LDAP project up and I'm stuck. :(

-james

On Wed, Nov 3, 2010 at 15:26, James <jtp@nc.rr.com> wrote:
> Straight from the Gentoo + LDAP page.
>
> # pam ldap stuff
> auth        sufficient  pam_ldap.so use_first_pass
> account     sufficient  pam_ldap.so
> password    sufficient  pam_ldap.so use_authtok use_first_pass
> session     optional    pam_ldap.so
>
> -james
>
> On Wed, Nov 3, 2010 at 15:13, Stroller <stroller@stellar.eclipse.co.uk> wrote:
>>
>> On 3/11/2010, at 4:25pm, James wrote:
>>
>> ...
>> I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress.
>>
>> Here's the rundown of how things are configured (fairly straightforward):
>> ...
>>
>> ==> auth.log <==
>> Nov  3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com
>>
>> You've shown us all about your LDAP configuration, but nothing about your PAM configuration, or whether sshd or IMAP are configured to use PAM.
>> Stroller.
>
>
ldap client authentication
On Fri, Nov 5, 2010 at 2:51 AM, James <jtp@nc.rr.com> wrote:
> Bump -- any ideas?
>
> In a tough spot right now trying to wrap this LDAP project up and I'm stuck. :(
>
> -james

You seem to be using ldap sometimes and ldaps other times in your configs. Suggest you try getting everything working with ldap first, then convert everything to ldaps (to get SSL working) once you have the application layer sorted.
ldap client authentication
LDAP and LDAPS work fine -- as I indicated, the ldapsearch queries work without any issues. Thus the issue is, more or less, related directly to PAM and LDAP together.

At some point during troubleshooting I switched to LDAP simply so that I could sniff the packets going across the wire and see what was going on.

This is purely a pam_ldap configuration problem as far as I can tell.

Any thoughts on how to go about troubleshooting this would be greatly appreciated.

-james

On Thu, Nov 4, 2010 at 17:58, Adam Carter <adamcarter3@gmail.com> wrote:
> You seem to be using ldap sometimes and ldaps other times in your configs. Suggest you try getting everything working with ldap first, then convert everything to ldaps (to get SSL working) once you have the application layer sorted.
>
ldap client authentication
Things just got more interesting.
I just copied my /etc/ldap.conf file over from my Gentoo box to an Ubuntu box -- it works without a single hitch.

I'm about to rip my hair out here...any ideas on where I can start troubleshooting this?

- openssh versions are very similar
- newer nss_ldap on gentoo
- newer pam_ldap on gentoo

Thoughts would be greatly appreciated.

-james

On Thu, Nov 4, 2010 at 23:48, James <jtp@nc.rr.com> wrote:
> LDAP and LDAPS work fine -- as I indicated, the ldapsearch queries work without any issues. Thus the issue is, more or less, related directly to PAM and LDAP together.
>
> At some point during troubleshooting I switched to LDAP simply so that I could sniff the packets going across the wire and see what was going on.
>
> This is purely a pam_ldap configuration problem as far as I can tell.
>
> Any thoughts on how to go about troubleshooting this would be greatly appreciated.
>
> -james
>
> On Thu, Nov 4, 2010 at 17:58, Adam Carter <adamcarter3@gmail.com> wrote:
>> You seem to be using ldap sometimes and ldaps other times in your configs. Suggest you try getting everything working with ldap first, then convert everything to ldaps (to get SSL working) once you have the application layer sorted.
>>
>
ldap client authentication
On Fri, Nov 5, 2010 at 05:44, James <jtp@nc.rr.com> wrote:
> Things just got more interesting.
>
> I just copied my /etc/ldap.conf file over from my Gentoo box to an Ubuntu box -- it works without a single hitch.
>
> I'm about to rip my hair out here...any ideas on where I can start troubleshooting this?

Put logging of PAM to the max and start looking in your pam logs. Your ldap seems fine.

Ward
ldap client authentication
It seems that the LDAP is failing to work, as well, in CentOS 5 -- same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.

What's the best way to start troubleshooting this from a PAM perspective?

I have a debug line set at the bottom of the ldap.conf file, but that doesn't seem to be giving me enough information. Also, I've set 'debug' at the end of every line in my /etc/pam.d/system-auth file, to no avail. Nothing is showing up in /var/log/debug -- PAM indicates that the 'debug' keyword sends messages to syslog for processing.

Thoughts / ideas would be greatly appreciated. Thanks!

-james

On Fri, Nov 5, 2010 at 06:22, Ward Poelmans <wpoely86@gmail.com> wrote:
> On Fri, Nov 5, 2010 at 05:44, James <jtp@nc.rr.com> wrote:
>> Things just got more interesting.
>>
>> I just copied my /etc/ldap.conf file over from my Gentoo box to an Ubuntu box -- it works without a single hitch.
>>
>> I'm about to rip my hair out here...any ideas on where I can start troubleshooting this?
>
> Put logging of PAM to the max and start looking in your pam logs. Your ldap seems fine.
>
> Ward
>
>
ldap client authentication
On Fri, Nov 5, 2010 at 17:41, James <jtp@nc.rr.com> wrote:
> It seems that the LDAP is failing to work, as well, in CentOS 5 -- same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.
>
> What's the best way to start troubleshooting this from a PAM perspective?
>
> I have a debug line set at the bottom of the ldap.conf file, but that doesn't seem to be giving me enough information. Also, I've set 'debug' at the end of every line in my /etc/pam.d/system-auth file, to no avail. Nothing is showing up in /var/log/debug -- PAM indicates that the 'debug' keyword sends messages to syslog for processing.

Adding the debug keyword to the pam module doesn't do anything, but in ldap.conf:

logdir <directory>
    Specifies the directory used for logging by the LDAP client library. This feature is not supported by all client libraries.

debug <level>
    Specifies the debug level used for logging by the LDAP client library. This feature is not supported by all client libraries, and does not apply to the nss_ldap and pam_ldap modules themselves (debugging, if any, is configured separately and usually at compile time).

Ward