pam_ldap v99, OpenLDAP v2.0.9 and SASL/Kerberos
[Sorry about the cross post, but I'm uncertain that this is a PAM/LDAP
issue alone. If answering me on the pamldap list, please Cc me, because
I am not yet subscribed to this list. I'm still waiting for approval.]
I'm trying to get my test installation of OpenLDAP2 and PAM/LDAP
(in a CHROOT) to get the passwords from a KerberosV KDC but all
the rest of the information (homedirectory, [ug]idnumber etc)
from my LDAP server. Outside the chroot I have a functioning
OpenLDAP1/KerberosV installation working.
This is the software I'm running outside the chroot:
Debian GNU/Linux Potato (stable)
OpenLDAP1 1.2.11
KerberosV KDC 1.2.2
libpam-ldap 43
libnss-ldap 122
-> As said, this works like a charm. Kinit, ksu, ktelnet etc.
work. I can use libpam-ldap and libpam-krb5 to
authenticate with the password either from kerberos or the
LDAP database on all services (ssh/login/ftp/wdm etc). The
password is stored with {crypt} in the LDAP db.
In the chroot, this is the software I'm running:
Debian GNU/Linux Sid (unstable)
OpenLDAP2 2.0.9 (with SASL support etc)
Cyrus SASL 1.5.24
libpam-ldap 99
libnss-ldap 140
Outside the chroot, I have the following line in my /etc/inittab file
(/mnt/rescue is where my chroot is located):
----- s n i p -----
10:23:respawn:sh -c 'cd /mnt/rescue ; chroot . /sbin/getty 38400 tty10'
----- s n i p -----
[The following is information from the chroot]
The LDAP server is running on port 3389 and ldaps:///, and is compiled
with the following options (amongst others):
--with-tls
--enable-kpasswd
--enable-spasswd
I have the following attribute/value in the LDAP database:
dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
userPassword:: e1NBU0x9dHVyYm8=
That 'e1NBU0x9dHVyYm8=' is supposed to be '{SASL}turbo'... Why is it
base64 (I assume) encoded?
The rest of the database is a dump from the functioning server outside
the chroot (only the 'userPassword' attribute has been changed).
This is the pam config file for login (same as the one outside the chroot):
----- s n i p -----
auth required pam_nologin.so
auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass shadow
auth required pam_env.so
auth required pam_issue.so issue=/etc/issue.net
account sufficient pam_krb5.so
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass shadow
password sufficient pam_krb5.so
password required pam_ldap.so md5
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
session required pam_mkhomedir.so skel=/etc/skel/
----- s n i p -----
This is the configuration from /etc/pam_ldap.conf:
----- s n i p -----
host 127.0.0.1
base dc=com
port 3389
----- s n i p -----
The same information is also in /etc/libnss-ldap.conf and
the OpenLDAP config files (/etc/ldap/ldap.conf).
The /etc/nsswitch.conf file:
----- s n i p -----
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns ldap
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
----- s n i p -----
When trying to login as 'turbo', I get this:
----- s n i p -----
CHROOT:/etc/init.d# /bin/login
login: turbo
Password for turbo@BAYOUR.COM:
LDAP Password:
Login incorrect
----- s n i p -----
and in the syslog:
----- s n i p -----
Mar 14 17:45:37 {HOSTNAME} tcplogd: port 3389 connection attempt from {FQDN} [{IPADDRES}]
Mar 14 17:45:44 {HOSTNAME} tcplogd: port 3389 connection attempt from localhost [127.0.0.1]
----- s n i p -----
Entering either the LDAP password OR the KDC password at the 'LDAP Password' prompt
makes no difference... I have also tried using 'userPassword: turbo@MY.REALM' in
the database. No change.
Doing the same thing outside the chroot (as root) works fine. It will accept my
Kerberos password...
To verify that I can't find any obvious problems with the chroot configuration,
this is what I did:
----- s n i p -----
CHROOT:/etc/init.d# kinit turbo@MY.REALM
Password for turbo@MY.REALM:
[=> klist shows that I have a krbtgt ticket]
CHROOT:/etc/init.d# ldapsearch -U turbo -H ldaps:/// uid=turbo
[=> will show me the full object of 'turbo', verified by double
checking by binding with the BindDN as usual]
----- s n i p -----
--
Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just
^^^^^ / /(_)_ __ _ ___ __ selective about who its friends are
/ / | | '_ \| | | \ \/ / Debian Certified Linux Developer
_ /// / /__| | | | | |_| |> < Turbo Fredriksson turbo@tripnet.se
\\\/ \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
terrorist assassination NORAD KGB North Korea domestic disruption
toluene killed Honduras Khaddafi FBI Saddam Hussein 767 Delta Force
tritium
[See http://www.aclu.org/echelonwatch/index.html for more about this]
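The post asks why ldapsearch printed userPassword as `userPassword:: e1NBU0x9dHVyYm8=`. The double colon is LDIF (RFC 2849) notation for a base64-encoded value: LDIF writers use it for any value that is not plain safe ASCII, and OpenLDAP's ldapsearch in practice also uses it for userPassword regardless of the bytes stored, so the encoding tells you nothing about what the server holds. The following is an added example, not code from the original post or from pam_ldap/OpenLDAP: a small LDIF parser that unfolds continuation lines, decodes `::` values, and splits the `{scheme}` prefix off a userPassword value. The LDIF text is constructed here; only the uid=turbo dn and userPassword lines are taken from the post, and the `{crypt}` hash for the second entry is a placeholder, not a real hash.

```python
import base64

# Constructed LDIF fragment (not captured from the poster's server). The
# uid=turbo entry reproduces the two lines quoted in the post; the alice
# entry carries a placeholder {crypt} value and a folded line.
SAMPLE_LDIF = """\
dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
objectClass: posixAccount
uid: turbo
uidNumber: 1000
homeDirectory: /home/turbo
userPassword:: e1NBU0x9dHVyYm8=

dn: uid=alice,ou=People,dc=papadoc,dc=bayour,dc=com
uid: alice
userPassword: {crypt}$1$placeholder$notarealhash
description: a value that
  continues on a folded line
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps an attribute name (dn
    included) to a list of bytes values.  Handles 'attr:: <base64>' values
    and LDIF line folding (a continuation line starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold: drop exactly one leading space
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip())
        else:                             # plain 'attr: value' (and 'attr:< url', kept verbatim)
            value = value.strip().encode()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(value):
    """Split a userPassword value into (scheme, remainder).  The scheme is
    the text inside a leading {...}, or None when there is no prefix."""
    if value.startswith(b"{") and b"}" in value:
        end = value.index(b"}")
        return value[1:end].decode(), value[end + 1:]
    return None, value


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        for pw in entry.get("userPassword", []):
            print(entry["dn"][0].decode(), password_scheme(pw))
```

Running the block prints the decoded `{SASL}turbo` for the turbo entry, which confirms the poster's reading of the base64 string. Note that `password_scheme` only reports what the directory stores; whether `{SASL}` is honoured depends on the server having been built with `--enable-spasswd`, as the post states for this server.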
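The login transcript in the post shows two prompts, "Password for turbo@BAYOUR.COM:" from pam_krb5 and then "LDAP Password:" from pam_ldap, before "Login incorrect". Under Linux-PAM's control flags a successful `sufficient` module ends the auth stack immediately (provided no earlier `required` module has failed), so a second prompt can only appear when pam_krb5 returned a non-success status. The following is an added example, not code from the original post or from Linux-PAM: a simulator of the required/requisite/sufficient/optional semantics run over the auth section of the login config quoted in the post, so that the prompt sequence can be reasoned about for different per-module outcomes. The per-module results in the test scenarios are assumptions chosen to illustrate each path, not observations from the poster's system.

```python
# Auth section of the login PAM config quoted in the post (module arguments
# dropped; they do not affect control-flag evaluation).
PAM_AUTH_STACK = [
    ("required", "pam_nologin.so"),
    ("sufficient", "pam_krb5.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
    ("required", "pam_env.so"),
    ("required", "pam_issue.so"),
]


def run_stack(stack, results):
    """Evaluate a PAM stack with the classic Linux-PAM control flags.

    stack:   list of (control_flag, module) in file order.
    results: dict module -> True (PAM_SUCCESS) / False (any failure).
             Modules absent from the dict are treated as failing.
    Returns (overall_success, modules_consulted).  Each consulted module is
    the one that would have prompted the user, so the list length is the
    number of prompts an interactive login would have shown.
    """
    consulted = []
    required_failed = False
    for flag, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if flag == "sufficient":
            # success ends the stack unless a required module already failed;
            # failure of a sufficient module is simply ignored
            if ok and not required_failed:
                return True, consulted
        elif flag == "requisite":
            # failure returns immediately (no further modules are consulted)
            if not ok:
                return False, consulted
        elif flag == "required":
            # failure is remembered, but the remaining modules still run
            if not ok:
                required_failed = True
        elif flag == "optional":
            pass  # result ignored unless it is the only module in the stack
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return not required_failed, consulted


def kerberos_ok():
    """Assumed scenario: KDC accepts the password (like outside the chroot)."""
    return run_stack(PAM_AUTH_STACK, {"pam_nologin.so": True, "pam_krb5.so": True})


def both_backends_fail():
    """Assumed scenario matching the post's transcript: krb5 and ldap both
    return failure, so every module prompts and the stack fails."""
    return run_stack(PAM_AUTH_STACK, {
        "pam_nologin.so": True, "pam_krb5.so": False, "pam_ldap.so": False,
        "pam_unix.so": False, "pam_env.so": True, "pam_issue.so": True,
    })


def ldap_fallback_ok():
    """Assumed scenario: krb5 fails but pam_ldap accepts the password."""
    return run_stack(PAM_AUTH_STACK, {
        "pam_nologin.so": True, "pam_krb5.so": False, "pam_ldap.so": True,
    })


if __name__ == "__main__":
    for scenario in (kerberos_ok, both_backends_fail, ldap_fallback_ok):
        ok, consulted = scenario()
        print(f"{scenario.__name__}: success={ok}, prompts={len(consulted)-1}, path={consulted}")
```

The `both_backends_fail` path is the only one of the three that produces the transcript's shape (both password prompts, then failure), which is why checking pam_krb5's own syslog output inside the chroot is the first thing to look at: pam_ldap never gets to prompt when the Kerberos module succeeds.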