Re: [pamldap] pam_ldap v99, OpenLDAP v2.0.9 and SASL/Kerberos
Turbo Fredriksson wrote:
>
> [Sorry about the cross post, but I'm uncertain that this is a PAM/LDAP
> issue alone. If answering me on the pamldap list, please Cc me, because
> I am not yet subscribed to this list. I'm still waiting for approval.]
>
> I'm trying to get my test installation of OpenLDAP2 and PAM/LDAP
> (in a CHROOT) to get the passwords from a KerberosV KDC but all
> the rest of the information (homedirectory, [ug]idnumber etc)
> from my LDAP server. Outside the chroot I have a functioning
> OpenLDAP1/KerberosV installation working.
There is no need for pam_ldap then. Just use pam_krb5 and nss_ldap.
> These are the software I'm running outside the chroot:
> Debian GNU/Linux Potato (stable)
> OpenLDAP1 1.2.11
> KerberosV KDC 1.2.2
> libpam-ldap 43
> libnss-ldap 122
>
> -> As said, this works like a charm. Kinit, ksu, ktelnet etc
> works. I can use libpam-ldap and libpam-krb5 to
> authenticate with the password either from kerberos or the
> LDAP database on all services (ssh/login/ftp/wdm etc). The
> password is stored with {crypt} in the LDAP db.
>
> In the chroot, this is the software I'm running:
> Debian GNU/Linux Sid (unstable)
> OpenLDAP2 2.0.9 (with SASL support etc)
> Cyrus SASL 1.5.24
> libpam-ldap 99
> libnss-ldap 140
>
> Outside the chroot, I have the following line in my /etc/inittab file
> (/mnt/rescue is where my chroot is located):
> ----- s n i p -----
> 10:23:respawn:sh -c 'cd /mnt/rescue ; chroot . /sbin/getty 38400 tty10'
> ----- s n i p -----
>
> [The following are information from the chroot]
>
> The LDAP server is running on port 3389 and ldaps:///, and is compiled
> with the following options (amongst others):
>
> --with-tls
> --enable-kpasswd
> --enable-spasswd
>
> I have the following attribute/value in the LDAP database:
>
> dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
> userPassword:: e1NBU0x9dHVyYm8=
>
> That 'e1NBU0x9dHVyYm8=' is supposed to be '{SASL}turbo'... Why is it
> base64 (I assume) encoded?
>
> The rest of the database is a dump from the functioning server outside
> the chroot (only the 'userPassword' attribute has been changed).
>
> This is the pam config file for login (same as the one outside the chroot):
> ----- s n i p -----
> auth required pam_nologin.so
> auth sufficient pam_krb5.so
> auth sufficient pam_ldap.so
> auth required pam_unix.so try_first_pass shadow
> auth required pam_env.so
> auth required pam_issue.so issue=/etc/issue.net
>
> account sufficient pam_krb5.so
> account sufficient pam_ldap.so
> account required pam_unix.so try_first_pass shadow
>
> password sufficient pam_krb5.so
> password required pam_ldap.so md5
> session required pam_unix.so
> session optional pam_lastlog.so
> session optional pam_motd.so
> session optional pam_mail.so standard noenv
> session required pam_mkhomedir.so skel=/etc/skel/
> ----- s n i p -----
>
> This is the configuration from /etc/pam_ldap.conf:
> ----- s n i p -----
> host 127.0.0.1
> base dc=com
> port 3389
> ----- s n i p -----
>
> The same information is also in /etc/libnss-ldap.conf and
> the OpenLDAP config files (/etc/ldap/ldap.conf).
>
> The /etc/nsswitch file:
> ----- s n i p -----
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> hosts: files dns ldap
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
> ----- s n i p -----
>
> When trying to login as 'turbo', I get this:
> ----- s n i p -----
> CHROOT:/etc/init.d# /bin/login
> login: turbo
> Password for turbo@BAYOUR.COM:
> LDAP Password:
> Login incorrect
> ----- s n i p -----
>
> and in the syslog:
> ----- s n i p -----
> Mar 14 17:45:37 {HOSTNAME} tcplogd: port 3389 connection attempt from {FQDN} [{IPADDRES}]
> Mar 14 17:45:44 {HOSTNAME} tcplogd: port 3389 connection attempt from localhost [127.0.0.1]
> ----- s n i p -----
Is that all the logging you get?
Add "debug = true" to the PAM section in /etc/krb5.conf to make it more
verbose. See the KDC logs if you get a tgt.
Add some pam_warn calls to see if pam actually is called.
Do you see a bind attempt in the slapd.log?
Any tcpwrappers configured?
> Entering either the LDAP password OR the KDC password at the 'LDAP Password' prompt
> does no difference... I have also tried using 'userPassword: turbo@MY.REALM' in
> the database. No change.
>
> Doing the same thing outside the chroot (as root) works fine. It will accept my
> Kerberos password...
>
> To verify that I can't find any obvious problems with the chroot configuration,
> this is what I did:
> ----- s n i p -----
> CHROOT:/etc/init.d# kinit turbo@MY.REALM
> Password for turbo@MY.REALM:
> [=> klist shows that I have a krbtgt ticket]
> CHROOT:/etc/init.d# ldapsearch -U turbo -H ldaps:/// uid=turbo
> [=> will show me the full object of 'turbo', verified by double
> checking by binding with the BindDN as usual]
You're searching on port 636 (ldaps) here. Try the port you've
configured in pam|nss_ldap.conf (without SSL and SASL, just simple bind
as pam_ldap does).
--
Norbert Klasen
DFN Directory Services tel: +49 7071 29 70335
ZDV, Universität Tübingen fax: +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen http://www.directory.dfn.de
Germany norbert.klasen@zdv.uni-tuebingen.de
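On the base64 question in the quoted mail: in LDIF (RFC 2849) a double colon after the attribute name marks a base64-encoded value, so 'userPassword:: e1NBU0x9dHVyYm8=' decodes to '{SASL}turbo'. The following is an added example, not code from this thread: a small LDIF reader that decodes such values and reports which storage scheme ({crypt}, {SASL}, or a bare cleartext value as in the 'turbo@MY.REALM' attempt) each entry's userPassword uses. The sample entries are constructed here; only the first dn and value come from the mail.

```python
import base64
import re

# Constructed sample LDIF; the first entry reproduces the one quoted in the mail,
# the other two are made up to show a {crypt} value and a bare cleartext value.
SAMPLE_LDIF = """\
dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
uid: turbo
userPassword:: e1NBU0x9dHVyYm8=

dn: uid=alice,ou=People,dc=papadoc,dc=bayour,dc=com
uid: alice
userPassword: {crypt}$1$examplesalt$notarealhashvalue

dn: uid=bob,ou=People,dc=papadoc,dc=bayour,dc=com
uid: bob
userPassword: bob@MY.REALM
"""

# attr, then ':' or '::' (base64), then the value; ':<' (URL values) is not handled here
LINE_RE = re.compile(r'^([^:]+)(::?)\s*(.*)$')
SCHEME_RE = re.compile(r'^\{([^}]+)\}')

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(' ') and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values]; '::' values are base64-decoded."""
    entries, entry = [], {}
    for line in unfold(text) + ['']:          # trailing '' flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip comments and malformed lines
        attr, marker, value = m.groups()
        if marker == '::':
            value = base64.b64decode(value).decode('utf-8', 'replace')
        entry.setdefault(attr, []).append(value)
    return entries

def password_scheme(value):
    """'{crypt}...' -> 'crypt', '{SASL}turbo' -> 'SASL'; no {scheme} prefix means the value is the secret."""
    m = SCHEME_RE.match(value)
    return m.group(1) if m else 'cleartext'

def audit_password_schemes(text):
    """Map each entry's uid to the schemes of its userPassword values."""
    return {e.get('uid', ['?'])[0]: [password_scheme(v) for v in e.get('userPassword', [])]
            for e in parse_ldif(text)}
```

Entries reported as 'cleartext' store the secret itself in the directory, which is worth checking before the dump leaves the test chroot.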