What am I doing wrong...
Hi,
I'm hoping someone might be able to tell me what is going wrong with my ldap
setup. I am trying to use ldap for system authentication instead of the
usual /etc/passwd. Currently I am testing through ssh.
I have successfully installed openldap 2.0.12, put a test user in, changed
the nss_switch, and pam files to get authentication queries going to the ldap
server, but authentications always fail. I have enabled debugging and seen
that authentications are asked of the ldap server. I can also use the
command line to query the server and get an answer back about the user I have
there. I have seen from other posts that the error I see in the debugging,
"ldap_read: want=1 error=Resource temporarily unavailable", is supposed to be
not important.
I really don't know what to do any more with this one. Does anyone have any
idea what I should do to get authentication using an ldap server working
properly?
Thanks
Ian
PS: Sorry for the size of the mail, but I think to get the problem solved,
the information here will be needed.
- - - -
My slapd.conf file:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nadf.schema
include /etc/openldap/schema/openldap.schema
schemacheck on
timelimit 30
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
database ldbm
directory /var/lib/ldap
suffix "dc=shnet,dc=at"
rootdn "uid=Manager,dc=shnet,dc=at"
rootpw <You didn't think I would give you that, did you?>
access to attr=userPassword,ldapPassword,clearTextPassword
by * read
access to *
by dn="uid=Manager,dc=shnet,dc=at" write
by * read
- - - -
My ldif file:
dn: uid=ian,dc=shnet,dc=at
changetype: modify
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: posixAccount
uid: ian
uidNumber: 500
gidNumber: 100
homeDirectory: /home/ian
userPassword: apassword
loginShell: /bin/bash
description: A user
cn: A User
sn: User
mail: ian@localhost
telephonenumber: +1 234 5678
facsimiletelephonenumber: +1 234 5679
postaladdress: An Address
roomnumber: 2
- - - -
Command line used to add the user:
# ldapadd -v -x -D "uid=Manager,dc=shnet,dc=at" -w root -f ldif.person_information_a_user
ldap_initialize( <DEFAULT> )
add objectclass:
top
person
inetOrgPerson
posixAccount
add uid:
ian
add uidNumber:
500
add gidNumber:
100
add homeDirectory:
/home/ian
add userPassword:
apassword
add loginShell:
/bin/bash
add description:
A user
add cn:
A User
add sn:
User
add mail:
ian@localhost
add telephonenumber:
+1 234 5678
add facsimiletelephonenumber:
+1 234 5679
add postaladdress:
An Address
add roomnumber:
2
adding new entry "uid=ian,dc=shnet,dc=at"
modify complete
- - - -
Output of command line query on the ldap server:
# ldapsearch -x -b 'dc=shnet,dc=at' '(&(objectClass=posixAccount)(uid=ian))'
version: 2
#
# filter: (&(objectClass=posixAccount)(uid=ian))
# requesting: ALL
#
# ian, shnet, at
dn: uid=ian, dc=shnet,dc=at
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: ian
uidNumber: 500
gidNumber: 100
homeDirectory: /home/ian
userPassword:: QVBhc3N3b3Jk
loginShell: /bin/bash
description: A user
cn: Ian Ballantyne
sn: Ballantyne
mail: ian@onlineloop.com
telephoneNumber: +43 676 311 9190
facsimileTelephoneNumber: +1 805 697 0518
postalAddress: Maerzstrasse 52/8, 1150 Wien
roomNumber: 2
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
- - - -
My /etc/nsswitch.conf file:
passwd: ldap files
shadow: ldap files nis
group: ldap files
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files
aliases: files
- - - -
My /etc/pam.d/sshd file:
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_unix.so use_first_pass # set_secrpc
account required pam_unix.so
password required pam_pwcheck.so
password sufficient pam_ldap.so use_authtok
password required pam_unix.so use_first_pass use_authtok
session sufficient pam_ldap.so
session required pam_unix.so
session required pam_limits.so
session required pam_env.so
session optional pam_mail.so
- - - -
My /etc/pam.d/login file:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
- - - -
My /etc/pam.d/passwd file
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix.so nullok use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
password sufficient /lib/security/pam_ldap.so use_first_pass use_authtok
password required /lib/security/pam_pwcheck.so nullok
password required /lib/security/pam_unix.so nullok use_first_pass use_aut
session required /lib/security/pam_unix.so
- - - -
And finally, debugging output when I try to log on to the system (level is
490):
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
ldap_read: want=1, got=1
0000: 30 0
ldap_read: want=1, got=1
0000: 05 .
ldap_read: want=5, got=5
0000: 02 01 03 42 00 ...B.
ldap_read: want=1, got=0
conn=18 op=2 UNBIND
daemon: removing 9
conn=-1 fd=9 closed
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 9
daemon: conn=20 fd=9 connection from IP=195.26.207.165:3142 (IP=:: 34049) accepted.
daemon: added 9r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
ldap_read: want=1, got=1
0000: 30 0
ldap_read: want=1, got=1
0000: 0c .
ldap_read: want=12, got=12
0000: 02 01 01 60 07 02 01 02 04 00 80 00 ...`........
ldap_read: want=1 error=Resource temporarily unavailable
conn=20 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 9
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
conn=20 op=0 RESULT tag=97 err=0 text=
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
ldap_read: want=1, got=1
0000: 30 0
ldap_read: want=1, got=1
0000: 51 Q
ldap_read: want=81, got=81
0000: 02 01 02 63 4c 04 0e 64 63 3d 73 68 6e 65 74 2c ...cL..dc=shnet,
0010: 64 65 3d 61 74 0a 01 02 0a 01 00 02 01 01 02 01 de=at...........
0020: 00 01 01 00 a0 29 a3 1b 04 0b 6f 62 6a 65 63 74 .....)....object
0030: 63 6c 61 73 73 04 0c 70 6f 73 69 78 41 63 63 6f class..posixAcco
0040: 75 6e 74 a3 0a 04 03 75 69 64 04 03 69 61 6e 30 unt....uid..ian0
0050: 00 .
ldap_read: want=1 error=Resource temporarily unavailable
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
end get_filter 0
begin get_filter
EQUALITY
end get_filter 0
end get_filter_list
end get_filter 0
conn=20 op=1 SRCH base="dc=shnet,de=at" scope=2 filter="(&(objectClass=posixAccount)(uid=ian))"
ber_flush: 14 bytes to sd 9
0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... ....
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... ....
daemon: select: listen=6 active_threads=1 tvp=NULL
conn=20 op=1 RESULT tag=101 err=32 text=
daemon: activity on 1 descriptors
daemon: new connection on 13
daemon: conn=21 fd=13 connection from IP=195.26.207.165:3143 (IP=:: 34049) accepted.
daemon: added 13r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
ldap_read: want=1, got=1
0000: 80 .
ldap_read: want=1, got=1
0000: 7a z
ldap_read: want=122, got=122
0000: 01 03 01 00 51 00 00 00 20 00 00 16 00 00 13 00 ....Q... .......
0010: 00 0a 07 00 c0 00 00 66 00 00 05 00 00 04 03 00 .......f........
0020: 80 01 00 80 08 00 80 00 00 65 00 00 64 00 00 63 .........e..d..c
0030: 00 00 62 00 00 61 00 00 60 00 00 15 00 00 12 00 ..b..a..`.......
0040: 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 ....@...........
0050: 06 00 00 03 04 00 80 02 00 80 fd e0 04 39 8a 84 .............9..
0060: 11 d2 76 d3 06 3d fb 37 7f 28 36 72 31 0f ca 99 ..v..=.7.(6r1...
0070: 1c 27 f6 bf 47 95 60 86 0b fa .'..G.`...
daemon: removing 13
conn=-1 fd=13 closed
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
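The slapd trace in the message records the client's lookup as a SRCH with base="dc=shnet,de=at" and the server answering that operation with err=32, while slapd.conf sets suffix "dc=shnet,dc=at". The script below is an added example, not part of the original post or of OpenLDAP: it pulls the BIND/SRCH/RESULT lines out of a slapd debug log, compares every search base against the configured suffix, and names the LDAP result code (RFC 4511 values) of each operation that did not succeed, which is the check a practitioner would run before touching the PAM or NSS side. The sample log lines are constructed from the trace above, and the function names and the suffix passed in are assumptions.

```python
import re

# Constructed sample, not the poster's full trace: the BIND, SRCH and RESULT
# lines of one slapd connection, in the form slapd 2.0 logs them (a wrapped
# filter="..." line is included so the parser copes with mail line-wrapping).
SAMPLE_LOG = """\
conn=20 op=0 BIND dn="" method=128
conn=20 op=0 RESULT tag=97 err=0 text=
conn=20 op=1 SRCH base="dc=shnet,de=at" scope=2
filter="(&(objectClass=posixAccount)(uid=ian))"
conn=20 op=1 RESULT tag=101 err=32 text=
"""

# Subset of the LDAP resultCode values defined in RFC 4511, section 4.1.9.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

OP_RE = re.compile(r'^conn=(?P<conn>-?\d+) op=(?P<op>\d+) (?P<kind>BIND|SRCH|RESULT)(?P<rest>.*)$')
BASE_RE = re.compile(r'base="(?P<base>[^"]*)"')
FILTER_RE = re.compile(r'filter="(?P<filter>[^"]*)"')
ERR_RE = re.compile(r'err=(?P<err>\d+)')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around the RDN separators, so that
    'uid=ian, dc=shnet,dc=at' and 'uid=ian,dc=shnet,dc=at' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_operations(log_text):
    """Return one dict per BIND/SRCH/RESULT line, in log order. A bare
    filter="..." line (a wrapped SRCH line) is attached to the preceding SRCH."""
    ops = []
    for line in log_text.splitlines():
        m = OP_RE.match(line.strip())
        if m:
            entry = {"conn": int(m["conn"]), "op": int(m["op"]), "kind": m["kind"]}
            rest = m["rest"]
            if m["kind"] == "SRCH":
                b = BASE_RE.search(rest)
                f = FILTER_RE.search(rest)
                entry["base"] = b["base"] if b else ""
                entry["filter"] = f["filter"] if f else ""
            elif m["kind"] == "RESULT":
                e = ERR_RE.search(rest)
                entry["err"] = int(e["err"]) if e else None
            else:  # BIND
                d = DN_RE.search(rest)
                entry["dn"] = d["dn"] if d else ""
            ops.append(entry)
            continue
        f = FILTER_RE.search(line)
        if f and ops and ops[-1]["kind"] == "SRCH" and not ops[-1]["filter"]:
            ops[-1]["filter"] = f["filter"]
    return ops


def check_search_bases(ops, suffix):
    """Flag every SRCH whose base is not at or below the server suffix and
    translate the resultCode of each failed RESULT. Returns a list of findings."""
    findings = []
    want = normalize_dn(suffix)
    results = {(o["conn"], o["op"]): o for o in ops if o["kind"] == "RESULT"}
    for o in ops:
        if o["kind"] != "SRCH":
            continue
        base = normalize_dn(o["base"])
        if base != want and not base.endswith("," + want):
            findings.append(
                f'conn={o["conn"]} op={o["op"]}: search base "{o["base"]}" '
                f'is outside configured suffix "{suffix}"')
        res = results.get((o["conn"], o["op"]))
        if res and res.get("err"):
            name = LDAP_RESULT_CODES.get(res["err"], "unknown")
            findings.append(
                f'conn={o["conn"]} op={o["op"]}: result err={res["err"]} ({name})')
    return findings


if __name__ == "__main__":
    # Suffix taken from the slapd.conf shown in the message.
    for finding in check_search_bases(parse_operations(SAMPLE_LOG), "dc=shnet,dc=at"):
        print(finding)
```

Run against a real trace, the script reads the log from a file instead of SAMPLE_LOG; the value of the comparison is that a base DN typo or a mismatched suffix shows up as a mismatch on the SRCH line before the err=32 on the RESULT line, whereas a credential problem shows up as err=49 on the BIND's RESULT and no base mismatch.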