Re: [pamldap] pam_ldap v99, OpenLDAP v2.0.9 and SASL/Kerberos
Quoting Norbert Klasen <klasen@zdv.uni-tuebingen.de>:
> There is no need for pam_ldap then. Just use pam_krb5 and nss_ldap.
I will do that as soon as I move the chroot'ed OpenLDAP to outside the
chroot... Currently I don't want to disturb a working system...
When using pam_ldap instead of pam_krb5, I get 'Login incorrect', and
----- s n i p -----
Mar 15 19:09:54 papadoc PAM_unix[5494]: check pass; user unknown
Mar 15 19:09:54 papadoc PAM_unix[5494]: authentication failure; (uid=0) -> **unknown** for login service
Mar 15 19:09:58 papadoc login[5494]: FAILED LOGIN (1) on `pts/2' FOR `UNKNOWN', Authentication service cannot retrieve authentication info.
----- s n i p -----
and I don't get any ticket (or any request to the KDC). If I
replace pam_krb5 with pam_ldap I get a ticket, but am not let
in. /bin/login isn't telling me anything, it just exits with error
code 1.
> > When trying to login as 'turbo', I get this:
> > ----- s n i p -----
> > CHROOT:/etc/init.d# /bin/login
> > login: turbo
> > Password for turbo@BAYOUR.COM:
> > LDAP Password:
> > Login incorrect
> > ----- s n i p -----
> >
> > and in the syslog:
> > ----- s n i p -----
> > Mar 14 17:45:37 {HOSTNAME} tcplogd: port 3389 connection attempt from {FQDN} [{IPADDRES}]
> > Mar 14 17:45:44 {HOSTNAME} tcplogd: port 3389 connection attempt from localhost [127.0.0.1]
> > ----- s n i p -----
>
> Add "debug true" to the PAM section in /etc/krb5.conf to make it more
> verbose. See the KDC logs if you get a tgt.
I get a ticket, see below. The debug = true didn't seem to make any
difference...
> Add some pam_warn calls to see if pam actually is called.
> Do you see a bind attempt in the slapd.log?
Yes.
----- s n i p -----
Mar 15 18:56:51 papadoc tcplogd: port 3389 connection attempt from localhost [127.0.0.1]
Mar 15 18:56:52 papadoc tcplogd: port 3389 connection attempt from papadoc.[MY DOMAIN] [[MY IP]]
----- s n i p -----
> Any tcpwrappers configured?
I was fiddling around with the ACLs and all of a sudden the 'Login incorrect' disappeared.
Now I don't get anything from login, but my logs tell me this:
----- s n i p -----
CHROOT:/# tail -f /var/log/krb5kdc.log
Mar 15 18:54:38 papadoc krb5kdc[274](info): AS_REQ [MY IP](88): NEEDED_PREAUTH: turbo@[MY REALM] for krbtgt/[MY REALM]@[MY REALM], Additional pre-authentication required
Mar 15 18:54:38 papadoc krb5kdc[274](info): AS_REQ [MY IP](88): ISSUE: authtime 984678878, turbo@[MY REALM] for krbtgt/[MY REALM]@[MY REALM]
Mar 15 18:54:38 papadoc krb5kdc[274](info): TGS_REQ [MY IP](88): ISSUE: authtime 984678878, turbo@[MY REALM] for ldap/papadoc.[MY DOMAIN]@[MY REALM]
----- s n i p -----
Nothing in auth.log or anywhere else...
> > CHROOT:/etc/init.d# ldapsearch -U turbo -H ldaps:/// uid=turbo
> > [=> will show me the full object of 'turbo', verified by double
> > checking by binding with the BindDN as usual]
>
> You're searching on port 636 (ldaps) here. Try the port you've
> configured in pam|nss_ldap.conf (without SSL and SASL, just simple bind
> as pam_ldap does).
Works fine...
----- s n i p -----
CHROOT:/# ldapsearch -x -D 'uid=turbo,ou=people,[MY BASE DN]' -W -h localhost -p 3389 uid=turbo
[=> will give me the full object]
----- s n i p -----
--
Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just
^^^^^ / /(_)_ __ _ ___ __ selective about who its friends are
/ / | | '_ \| | | \ \/ / Debian Certified Linux Developer
_ /// / /__| | | | | |_| |> < Turbo Fredriksson turbo@tripnet.se
\\\/ \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
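The thread above is really about telling three failure points apart: NSS not resolving the account (the `PAM_unix ... user unknown` lines), the KDC never issuing a ticket, and a ticket being issued but the LDAP bind step still failing. The following is an added triage helper, not code from the thread or from pam_ldap; it parses syslog and krb5kdc lines in the formats quoted above. The sample lines are constructed, with placeholder realm, hostname and IP values.

```python
import re

# Constructed samples in the formats quoted in the thread (placeholder values).
AUTH_LOG = """\
Mar 15 19:09:54 papadoc PAM_unix[5494]: check pass; user unknown
Mar 15 19:09:54 papadoc PAM_unix[5494]: authentication failure; (uid=0) -> **unknown** for login service
Mar 15 19:09:58 papadoc login[5494]: FAILED LOGIN (1) on `pts/2' FOR `UNKNOWN', Authentication service cannot retrieve authentication info.
"""
KDC_LOG = """\
Mar 15 18:54:38 papadoc krb5kdc[274](info): AS_REQ 192.0.2.10(88): NEEDED_PREAUTH: turbo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 15 18:54:38 papadoc krb5kdc[274](info): AS_REQ 192.0.2.10(88): ISSUE: authtime 984678878, turbo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 15 18:54:38 papadoc krb5kdc[274](info): TGS_REQ 192.0.2.10(88): ISSUE: authtime 984678878, turbo@EXAMPLE.COM for ldap/papadoc.example.com@EXAMPLE.COM
"""

# krb5kdc line: "<kind> <client>(<port>): <status>: ... <principal> for <service>"
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) (?P<client>\S+)\(\d+\): "
    r"(?P<status>[A-Z_]+): .*?(?P<princ>\S+@\S+) for (?P<service>\S+)"
)

def parse_kdc(log):
    """Map client principal -> {'tgt': bool, 'services': set} from ISSUE lines only."""
    issued = {}
    for line in log.splitlines():
        m = KDC_RE.search(line)
        if not m or m["status"] != "ISSUE":   # NEEDED_PREAUTH etc. are not grants
            continue
        entry = issued.setdefault(m["princ"], {"tgt": False, "services": set()})
        service = m["service"].rstrip(",")
        if m["kind"] == "AS_REQ" and service.startswith("krbtgt/"):
            entry["tgt"] = True               # initial ticket-granting ticket
        elif m["kind"] == "TGS_REQ":
            entry["services"].add(service)    # service tickets, e.g. ldap/host
    return issued

def nss_resolves_user(auth_log):
    """False when PAM_unix reports 'user unknown': NSS (nss_ldap here) did not resolve the account."""
    return not any("user unknown" in line for line in auth_log.splitlines())

def diagnose(auth_log, kdc_log, user, realm):
    """Return which layer to look at first: 'nss', 'kdc', 'ldap-service-ticket' or 'ldap-bind'."""
    princ = f"{user}@{realm}"
    tickets = parse_kdc(kdc_log).get(princ, {"tgt": False, "services": set()})
    if not nss_resolves_user(auth_log):
        return "nss"                  # fix nsswitch.conf / nss_ldap before touching PAM
    if not tickets["tgt"]:
        return "kdc"                  # KDC never consulted, or pre-auth failed
    if not any(s.startswith("ldap/") for s in tickets["services"]):
        return "ldap-service-ticket"  # TGT fine, no ticket for the LDAP service
    return "ldap-bind"                # Kerberos succeeded; look at the bind / slapd ACLs
```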