
What am I doing wrong...



Hi,

I'm hoping someone might be able to tell me what is going wrong with my ldap
setup.  I am trying to use ldap for system authentication instead of the
usual /etc/passwd.  Currently I am testing through ssh.

I have successfully installed openldap 2.0.12, put a test user in, changed
nsswitch.conf and the PAM files to get authentication queries going to the LDAP
server, but authentications always fail.  I have enabled debugging and seen
that authentications are asked of the ldap server.  I can also use the
command line to query the server and get an answer back about the user I have
there.  I have seen from other posts that the error I see in the debugging,
"ldap_read: want=1 error=Resource temporarily unavailable", is supposed to be
not important.

I really don't know what to do any more with this one.  Does anyone have any
idea what I should do to get authentication using an LDAP server working
properly?

Thanks
Ian
PS: Sorry for the size of the mail, but I think to get the problem solved,
the information here will be needed.

- - - -

My slapd.conf file:

# slapd.conf as posted (OpenLDAP 2.0.12 per the mail): schema includes, one
# ldbm database serving dc=shnet,dc=at, and two access rules.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/krb5-kdc.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nadf.schema
include         /etc/openldap/schema/openldap.schema

# Reject entries that violate the loaded schema.
schemacheck     on

# Server-side limit on how long a search may run, in seconds.
timelimit 30

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

database        ldbm
directory       /var/lib/ldap

suffix  "dc=shnet,dc=at"

# The rootdn is not subject to the access rules below. rootpw was redacted by
# the poster.
rootdn  "uid=Manager,dc=shnet,dc=at"
rootpw <You didn't think I would give you that, did you?>

# NOTE(review): "by * read" on the password attributes lets any client,
# including one that has not authenticated at all, read every entry's
# password attributes -- and because the LDIF below stores userPassword in
# cleartext, that is the password itself, not a hash. A simple bind (which is
# how pam_ldap verifies a password) only needs the "auth" privilege, so the
# usual rule is:
#   by self write
#   by anonymous auth
#   by * none
# As written, a user also cannot change their own password (no "self write").
access to attr=userPassword,ldapPassword,clearTextPassword
 by * read
# Everything else: the rootdn may write, anyone (anonymous included) may read.
# NOTE(review): this exposes the posixAccount data (uidNumber, homeDirectory,
# loginShell, ...) of every user to any client that can reach the port. Once
# nss_ldap/pam_ldap are set up to bind as a known DN rather than anonymously
# (the trace at the end of the mail shows BIND dn=""), "by users read" is the
# tighter choice.
access to *
 by dn="uid=Manager,dc=shnet,dc=at" write
 by * read

- - - -

My ldif file:

# Test user entry as posted (LDIF allows "#" comment lines anywhere).
dn: uid=ian,dc=shnet,dc=at
# NOTE(review): "changetype: modify" in a file fed to ldapadd -- the ldapadd
# transcript below reports "adding new entry", so the line appears to have
# been ignored, but it is misleading and should be removed (or be "add").
changetype: modify
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: posixAccount
uid: ian
uidNumber: 500
gidNumber: 100
homeDirectory: /home/ian
# NOTE(review): OpenLDAP 2.0 stores userPassword exactly as given, so this is
# a cleartext password in the directory; together with the "by * read" rule in
# slapd.conf it is readable by anyone. Store a hashed form ({SSHA}...) instead.
# Also, the base64 userPassword that ldapsearch returns below does not decode
# to this value (cn/sn differ too), so the entry on the server is not exactly
# this LDIF.
userPassword: apassword
loginShell: /bin/bash
description: A user
cn: A User
sn: User
mail: ian@localhost
telephonenumber: +1 234 5678
facsimiletelephonenumber: +1 234 5679
postaladdress: An Address
roomnumber: 2

- - - -

Command line used to add the user:

# NOTE(review): "-w root" puts the rootdn password on the command line, where
# it is visible to other users via the process list and in shell history;
# "-W" prompts for it instead. (The password shown here is also the one
# redacted from slapd.conf above.) The command was wrapped by the mail client;
# "ldif.person_information_a_user" is the -f argument.
# ldapadd -v -x -D "uid=Manager,dc=shnet,dc=at" -w root -f
ldif.person_information_a_user

ldap_initialize( <DEFAULT> )
add objectclass:
        top
        person
        inetOrgPerson
        posixAccount
add uid:
        ian
add uidNumber:
        500
add gidNumber:
        100
add homeDirectory:
        /home/ian
add userPassword:
        apassword
add loginShell:
        /bin/bash
add description:
        A user
add cn:
        A User
add sn:
        User
add mail:
        ian@localhost
add telephonenumber:
        +1 234 5678
add facsimiletelephonenumber:
        +1 234 5679
add postaladdress:
        An Address
add roomnumber:
        2
adding new entry "uid=ian,dc=shnet,dc=at"
modify complete

- - - -

Output of command line query on the ldap server:

# ldapsearch -x -b 'dc=shnet,dc=at' '(&(objectClass=posixAccount)(uid=ian))'
version: 2

#
# filter: (&(objectClass=posixAccount)(uid=ian))
# requesting: ALL
#

# ian, shnet, at
dn: uid=ian, dc=shnet,dc=at
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: ian
uidNumber: 500
gidNumber: 100
homeDirectory: /home/ian
userPassword:: QVBhc3N3b3Jk
loginShell: /bin/bash
description: A user
cn: Ian Ballantyne
sn: Ballantyne
mail: ian@onlineloop.com
telephoneNumber: +43 676 311 9190
facsimileTelephoneNumber: +1 805 697 0518
postalAddress: Maerzstrasse 52/8, 1150 Wien
roomNumber: 2

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

- - - -

My /etc/nsswitch.conf file:

# nsswitch.conf as posted: user, shadow and group lookups go to LDAP first,
# then to the local files.
# NOTE(review): the slapd trace at the end of the mail shows the client
# searching base="dc=shnet,de=at" (conn=20 op=1) and getting err=32
# (noSuchObject), while the server's suffix is "dc=shnet,dc=at". The base DN in
# the nss_ldap/pam_ldap client configuration (not shown in the mail) appears
# to be mistyped ("de" for "dc"); that would mean the user entry is never
# found, so pam_ldap never gets to bind as the user and every authentication
# fails. Worth checking before anything else.
passwd: ldap files
# "nis" appears only here; harmless if no NIS is configured, but inconsistent
# with passwd/group -- presumably a leftover.
shadow: ldap files nis
group:  ldap files

hosts:  files dns
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files
aliases:        files

- - - -

My /etc/pam.d/sshd file:

#%PAM-1.0
# /etc/pam.d/sshd as posted.
# NOTE(review): pam_ldap is "sufficient" and comes first, so a successful LDAP
# authentication ends the auth stack right here and pam_nologin on the next
# line never runs for LDAP users -- /etc/nologin would not keep them out.
# Checking pam_nologin before pam_ldap (as the login file does) closes that.
auth     sufficient    pam_ldap.so
auth     required      pam_nologin.so
# use_first_pass: reuse the password pam_ldap already prompted for.
auth     required      pam_unix.so      use_first_pass # set_secrpc
# NOTE(review): no pam_ldap line in the account stack, unlike the login and
# passwd files. Whether pam_unix's account check passes for a user that exists
# only in LDAP depends on the shadow lookup through nsswitch -- confirm.
account  required      pam_unix.so
password required      pam_pwcheck.so
password sufficient    pam_ldap.so      use_authtok
password required      pam_unix.so      use_first_pass use_authtok
# NOTE(review): "sufficient" here means that when pam_ldap's session call
# succeeds, the remaining session modules -- including pam_limits -- are
# skipped for that user, so resource limits would not be applied. "optional"
# (or "required") for pam_ldap avoids that.
session  sufficient    pam_ldap.so
session  required      pam_unix.so
session  required      pam_limits.so
session  required      pam_env.so
session  optional      pam_mail.so

- - - -

My /etc/pam.d/login file:

# /etc/pam.d/login as posted; modules are given by absolute path.
# securetty and nologin are both checked before pam_ldap can end the stack,
# which is the ordering the sshd file lacks.
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
# NOTE(review): pam_ldap and pam_pwdb are both "required", so a password
# change succeeds only if it succeeds in LDAP and in the local database; for a
# user that exists only in LDAP the pam_pwdb step presumably always fails.
# The sshd and passwd files use "sufficient" for pam_ldap here -- verify which
# is intended.
password   required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so

- - - -

My /etc/pam.d/passwd file:
#%PAM-1.0
# /etc/pam.d/passwd as posted.
# NOTE(review): the two lines consisting only of "use_authtok" and "use_aut"
# look like mail-wrapped continuations of the "password ... pam_ldap.so" and
# "password ... pam_unix.so" lines directly above them (PAM has no line
# continuation syntax), so the real file presumably has eight lines, not ten.
auth     sufficient     /lib/security/pam_ldap.so
# nullok: a local account whose password field is empty is accepted with an
# empty password. Fine on a throwaway test box; drop it anywhere it is not
# deliberately wanted.
auth     required       /lib/security/pam_unix.so      nullok use_first_pass
account  sufficient     /lib/security/pam_ldap.so
account  required       /lib/security/pam_unix.so
password sufficient     /lib/security/pam_ldap.so      use_first_pass
use_authtok
password required       /lib/security/pam_pwcheck.so   nullok
password required       /lib/security/pam_unix.so      nullok use_first_pass
use_aut
session  required       /lib/security/pam_unix.so

- - - -

And finally, debugging output when I try to log on to the system (level is
490):

daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
ldap_read: want=1, got=1
  0000:  30                                                 0
ldap_read: want=1, got=1
  0000:  05                                                 .
ldap_read: want=5, got=5
  0000:  02 01 03 42 00                                     ...B.
ldap_read: want=1, got=0

conn=18 op=2 UNBIND
daemon: removing 9
conn=-1 fd=9 closed
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 9
daemon: conn=20 fd=9 connection from IP=195.26.207.165:3142 (IP=:: 34049)
accepted.
daemon: added 9r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
ldap_read: want=1, got=1
  0000:  30                                                 0
ldap_read: want=1, got=1
  0000:  0c                                                 .
ldap_read: want=12, got=12
  0000:  02 01 01 60 07 02 01 02  04 00 80 00               ...`........
ldap_read: want=1 error=Resource temporarily unavailable
conn=20 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 9
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
conn=20 op=0 RESULT tag=97 err=0 text=
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
ldap_read: want=1, got=1
  0000:  30                                                 0
ldap_read: want=1, got=1
  0000:  51                                                 Q
ldap_read: want=81, got=81
  0000:  02 01 02 63 4c 04 0e 64  63 3d 73 68 6e 65 74 2c   ...cL..dc=shnet,
  0010:  64 65 3d 61 74 0a 01 02  0a 01 00 02 01 01 02 01   de=at...........
  0020:  00 01 01 00 a0 29 a3 1b  04 0b 6f 62 6a 65 63 74   .....)....object
  0030:  63 6c 61 73 73 04 0c 70  6f 73 69 78 41 63 63 6f   class..posixAcco
  0040:  75 6e 74 a3 0a 04 03 75  69 64 04 03 69 61 6e 30   unt....uid..ian0
  0050:  00                                                 .
ldap_read: want=1 error=Resource temporarily unavailable
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
end get_filter 0
begin get_filter
EQUALITY
end get_filter 0
end get_filter_list
end get_filter 0
conn=20 op=1 SRCH base="dc=shnet,de=at" scope=2
filter="(&(objectClass=posixAccount)(uid=ian))"
ber_flush: 14 bytes to sd 9
  0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00         0....e... ....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00         0....e... ....
daemon: select: listen=6 active_threads=1 tvp=NULL
conn=20 op=1 RESULT tag=101 err=32 text=
daemon: activity on 1 descriptors
daemon: new connection on 13
daemon: conn=21 fd=13 connection from IP=195.26.207.165:3143 (IP=:: 34049)
accepted.
daemon: added 13r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
ldap_read: want=1, got=1
  0000:  80                                                 .
ldap_read: want=1, got=1
  0000:  7a                                                 z
ldap_read: want=122, got=122
  0000:  01 03 01 00 51 00 00 00  20 00 00 16 00 00 13 00   ....Q... .......
  0010:  00 0a 07 00 c0 00 00 66  00 00 05 00 00 04 03 00   .......f........
  0020:  80 01 00 80 08 00 80 00  00 65 00 00 64 00 00 63   .........e..d..c
  0030:  00 00 62 00 00 61 00 00  60 00 00 15 00 00 12 00   ..b..a..`.......
  0040:  00 09 06 00 40 00 00 14  00 00 11 00 00 08 00 00   ....@...........
  0050:  06 00 00 03 04 00 80 02  00 80 fd e0 04 39 8a 84   .............9..
  0060:  11 d2 76 d3 06 3d fb 37  7f 28 36 72 31 0f ca 99   ..v..=.7.(6r1...
  0070:  1c 27 f6 bf 47 95 60 86  0b fa                     .'..G.`...
daemon: removing 13
conn=-1 fd=13 closed
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
