
Re: [pamldap] pam_ldap v99, OpenLDAP v2.0.9 and SASL/Kerberos



Quoting Norbert Klasen <klasen@zdv.uni-tuebingen.de>:

> There is no need for pam_ldap then. Just use pam_krb5 and nss_ldap.

I will do that as soon as I move the chroot'ed OpenLDAP to outside the
chroot... Currently I don't want to disturb a working system...

When using pam_ldap instead of pam_krb5, I get 'Login incorrect', and

----- s n i p -----
Mar 15 19:09:54 papadoc PAM_unix[5494]: check pass; user unknown
Mar 15 19:09:54 papadoc PAM_unix[5494]: authentication failure; (uid=0) -> **unknown** for login service
Mar 15 19:09:58 papadoc login[5494]: FAILED LOGIN (1) on `pts/2' FOR `UNKNOWN', Authentication service cannot retrieve authentication info.
----- s n i p -----

and I don't get any ticket (or any request to the KDC). If I
replace pam_krb5 with pam_ldap I get a ticket, but am not let
in. /bin/login isn't telling me anything, it just exits with error
code 1.

> > When trying to login as 'turbo', I get this:
> > ----- s n i p -----
> > CHROOT:/etc/init.d# /bin/login
> > login: turbo
> > Password for turbo@BAYOUR.COM:
> > LDAP Password:
> > Login incorrect
> > ----- s n i p -----
> > 
> > and in the syslog:
> > ----- s n i p -----
> > Mar 14 17:45:37 {HOSTNAME} tcplogd: port 3389 connection attempt from {FQDN} [{IPADDRES}]
> > Mar 14 17:45:44 {HOSTNAME} tcplogd: port 3389 connection attempt from localhost [127.0.0.1]
> > ----- s n i p -----
> 
> Add "debug  true" to the PAM section in /etc/krb5.conf to make it more
> verbose. See the KDC logs if you get a tgt.

I get a ticket, see below. The debug = true didn't seem to make any
difference...

> Add some pam_warn calls to see if pam actually is called.
> Do you see a bind attempt in the slapd.log?

Yes.

----- s n i p -----
Mar 15 18:56:51 papadoc tcplogd: port 3389 connection attempt from localhost [127.0.0.1]
Mar 15 18:56:52 papadoc tcplogd: port 3389 connection attempt from papadoc.[MY DOMAIN] [[MY IP]]
----- s n i p -----

> Any tcpwrappers configured?


I was fiddling around with the ACLs and all of a sudden the 'Login incorrect' disappeared.
Now I don't get anything from login, but my logs tell me this:

----- s n i p -----
CHROOT:/# tail -f /var/log/krb5kdc.log
Mar 15 18:54:38 papadoc krb5kdc[274](info): AS_REQ [MY IP](88): NEEDED_PREAUTH: turbo@[MY REALM] for krbtgt/[MY REALM]@[MY REALM], Additional pre-authentication required
Mar 15 18:54:38 papadoc krb5kdc[274](info): AS_REQ [MY IP](88): ISSUE: authtime 984678878, turbo@[MY REALM] for krbtgt/[MY REALM]@[MY REALM]
Mar 15 18:54:38 papadoc krb5kdc[274](info): TGS_REQ [MY IP](88): ISSUE: authtime 984678878, turbo@[MY REALM] for ldap/papadoc.[MY DOMAIN]@[MY REALM]
----- s n i p -----

Nothing in auth.log or anywhere else...

> > CHROOT:/etc/init.d# ldapsearch -U turbo -H ldaps:/// uid=turbo
> >  [> will show me the full object of 'turbo', verified by double
> >      checking by binding with the BindDN as usual]
> 
> You're searching on port 636 (ldaps) here. Try the port you've
> configured in pam|nss_ldap.conf (without SSL and SASL, just simple bind
> as pam_ldap does).

Works fine...

----- s n i p -----
CHROOT:/# ldapsearch -x -D 'uid=turbo,ou=people,[MY BASE DN]' -W -h localhost -p 3389 uid=turbo
 [=> will give me the full object]
----- s n i p -----

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
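The thread above is essentially a log-correlation exercise: the KDC log shows a TGT and an ldap/ service ticket being issued, while PAM_unix and /bin/login report "user unknown" and a failed login with no ticket request. The following script is an added example, not part of the mailing-list thread or of pam_ldap itself; it classifies lines in the three formats seen above (krb5kdc, PAM_unix, login) and reports at which step of the login flow things stopped. The sample log lines are constructed to mirror the formats in the thread, with a placeholder IP, realm and hostname, and the regular expressions assume the KDC's client-address field contains no whitespace.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the krb5kdc, PAM_unix and /bin/login
# formats quoted in the thread. IP, realm and hostname are placeholders.
SAMPLE_LOG = """\
Mar 15 18:54:38 papadoc krb5kdc[274](info): AS_REQ 192.0.2.10(88): NEEDED_PREAUTH: turbo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 15 18:54:38 papadoc krb5kdc[274](info): AS_REQ 192.0.2.10(88): ISSUE: authtime 984678878, turbo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 15 18:54:38 papadoc krb5kdc[274](info): TGS_REQ 192.0.2.10(88): ISSUE: authtime 984678878, turbo@EXAMPLE.COM for ldap/papadoc.example.com@EXAMPLE.COM
Mar 15 18:56:51 papadoc tcplogd: port 3389 connection attempt from localhost [127.0.0.1]
Mar 15 19:09:54 papadoc PAM_unix[5494]: check pass; user unknown
Mar 15 19:09:54 papadoc PAM_unix[5494]: authentication failure; (uid=0) -> **unknown** for login service
Mar 15 19:09:58 papadoc login[5494]: FAILED LOGIN (1) on `pts/2' FOR `UNKNOWN', Authentication service cannot retrieve authentication info.
"""


@dataclass
class AuthEvent:
    stage: str    # step of the login flow this line belongs to
    subject: str  # Kerberos client principal, PAM module, or login name
    detail: str   # server principal, PAM service, or failure reason


# krb5kdc lines: "<REQ> <addr>(port): <RESULT>: ... <client> for <server>"
# (assumption: the address field has no embedded whitespace)
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \S+: (?P<result>\w+):.*?"
    r"(?P<client>\S+@\S+) for (?P<server>[^\s,]+)"
)
PAM_UNKNOWN_RE = re.compile(r"PAM_unix\[\d+\]: check pass; user unknown")
PAM_FAIL_RE = re.compile(
    r"PAM_unix\[\d+\]: authentication failure; .* for (?P<svc>\w+) service"
)
LOGIN_FAIL_RE = re.compile(
    r"login\[\d+\]: FAILED LOGIN \(\d+\) on `(?P<tty>[^']+)' FOR `(?P<user>[^']+)', (?P<reason>.*)"
)

KDC_STAGES = {
    ("AS_REQ", "NEEDED_PREAUTH"): "kdc_preauth_required",
    ("AS_REQ", "ISSUE"): "kdc_tgt_issued",
    ("TGS_REQ", "ISSUE"): "kdc_service_ticket_issued",
}


def classify(line: str) -> Optional[AuthEvent]:
    """Map one syslog/KDC line to an AuthEvent, or None if it is unrelated."""
    m = KDC_RE.search(line)
    if m:
        stage = KDC_STAGES.get((m["req"], m["result"]), "kdc_other")
        return AuthEvent(stage, m["client"], m["server"])
    if PAM_UNKNOWN_RE.search(line):
        return AuthEvent("pam_user_unknown", "PAM_unix", "check pass; user unknown")
    m = PAM_FAIL_RE.search(line)
    if m:
        return AuthEvent("pam_auth_failure", "PAM_unix", m["svc"])
    m = LOGIN_FAIL_RE.search(line)
    if m:
        return AuthEvent("login_failed", m["user"], m["reason"])
    return None


def summarize(log_text: str) -> dict:
    """Collect the recognised events and the facts a troubleshooter needs."""
    events = [e for e in (classify(l) for l in log_text.splitlines()) if e]
    stages = {e.stage for e in events}
    return {
        "events": events,
        "tgt_issued_for": [e.subject for e in events if e.stage == "kdc_tgt_issued"],
        "service_tickets": [e.detail for e in events if e.stage == "kdc_service_ticket_issued"],
        "pam_user_unknown": "pam_user_unknown" in stages,
        "login_failed": "login_failed" in stages,
    }


def diagnose(summary: dict) -> str:
    """State where in the flow the evidence says the login stopped."""
    if summary["tgt_issued_for"] and summary["pam_user_unknown"]:
        svc = ", ".join(summary["service_tickets"]) or "none"
        return (f"Kerberos completed (TGT for {summary['tgt_issued_for'][0]}, "
                f"service tickets: {svc}); the failure is after Kerberos, at "
                f"account lookup (PAM_unix reported 'user unknown').")
    if summary["tgt_issued_for"]:
        return "Kerberos completed; no PAM account-lookup failure was logged."
    if summary["login_failed"] or summary["pam_user_unknown"]:
        return "Login failed and no TGT issue appears in this input."
    return "No authentication events found."


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ev in s["events"]:
        print(f"{ev.stage:28} {ev.subject:24} {ev.detail}")
    print(diagnose(s))
```

Run it against a concatenation of krb5kdc.log and auth.log from the same minute; the tcplogd lines are deliberately ignored, since they only show that a connection to port 3389 happened, not whether the bind succeeded.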