
test my LDAP server ONLY using ssh?



Can I do this? 

I have OpenLDAP 2.1.12 built from source on a Redhat 7.3 box.  I also
installed pam_ldap and nss_ldap from source.  

I know things are working to some extent, because I was able to
successfully lock everyone out of the box by specifying 'ldap' in the
proper places in my nsswitch file :-P

What I'd like to do now is test by pointing ONLY ssh at the ldap server,
so that if things don't work I can get in by some other means - and the
console if necessary.

I've edited my /etc/pam.d/sshd (it's gone through several iterations)
file so it looks like this (right now):

auth       required     /lib/security/pam_nologin.so
auth       required     /opt/local/lib/security/pam_ldap.so
#auth       required     /lib/security/pam_pwdb.so shadow nodelay
account    required     /opt/local/lib/security/pam_ldap.so
#account    required     /lib/security/pam_pwdb.so
password   required     /opt/local/lib/pam_ldap.so
password   required     /lib/security/pam_cracklib.so
#password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
#session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
#session    required     /lib/security/pam_pwdb.so
session     required    /lib/security/pam_ldap.so


And my /etc/ldap.conf file just has the 'host' and 'base' designations
in it.  Here's the log output from the last test I performed - I've put
line breaks between the log entries for easier reading:

Jan 22 15:33:47 current slapd[4072]: conn=29 fd=14 ACCEPT from IP=128.112.6.64:39097 (IP=0.0.0.0:389)

Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 BIND dn="" method=128

Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 RESULT tag=97 err=0 text=

Jan 22 15:33:47 current slapd[4085]: conn=29 op=1 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesy))"

Jan 22 15:33:47 current slapd[4085]: <= bdb_equality_candidates: index_param failed (18)

Jan 22 15:33:47 current slapd[4085]: conn=29 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jan 22 15:33:47 current slapd[4074]: conn=29 op=2 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=jonesy))"

Jan 22 15:33:47 current slapd[4074]: <= bdb_equality_candidates: index_param failed (18)

Jan 22 15:33:47 current slapd[4074]: conn=29 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=

Jan 22 15:33:57 current slapd[4085]: conn=29 op=3 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=jonesy))"

Jan 22 15:33:57 current slapd[4085]: <= bdb_equality_candidates: index_param failed (18)

Jan 22 15:33:57 current slapd[4085]: conn=29 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=

Jan 22 15:34:04 current slapd[4074]: conn=29 op=4 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=jonesy))"

Jan 22 15:34:04 current slapd[4074]: <= bdb_equality_candidates: index_param failed (18)

Jan 22 15:34:04 current slapd[4074]: conn=29 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=

Jan 22 15:34:07 current slapd[4072]: conn=29 fd=14 closed

Here's the entry for the user I'm trying to log in as.  Curiously,
there's no 'shadowAccount' objectClass.  Is this necessary?  I also
notice it's looking for 'posixAccount' first, which is here.

dn: uid=jonesy,ou=People,dc=my,dc=domain,dc=com
uid: jonesy
cn: Brian K. Jones
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 3025
gidNumber: 22
homeDirectory: /home/jonesy
gecos: My gecos field
userPassword:: e1NNRDV....

Thanks for any advice here.
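An added example, not part of the original post: a small Python analyser for slapd stats-log lines like the ones above. It ties each SRCH to its SEARCH RESULT by the conn=/op= pair, records connections that bound with an empty dn (anonymous), and lists the objectClass filters that came back with nentries=0, which is the fastest way to see which class a lookup expected but the entry did not carry. The sample log is constructed from the post's own entries, unwrapped onto one line each, so it runs offline with no slapd.

```python
import re

# Constructed sample: the slapd stats-log entries from the post above, one entry per line.
SAMPLE_LOG = """\
Jan 22 15:33:47 current slapd[4072]: conn=29 fd=14 ACCEPT from IP=128.112.6.64:39097 (IP=0.0.0.0:389)
Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 BIND dn="" method=128
Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 RESULT tag=97 err=0 text=
Jan 22 15:33:47 current slapd[4085]: conn=29 op=1 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan 22 15:33:47 current slapd[4085]: conn=29 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 15:33:47 current slapd[4074]: conn=29 op=2 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=jonesy))"
Jan 22 15:33:47 current slapd[4074]: conn=29 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 22 15:33:57 current slapd[4085]: conn=29 op=3 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=jonesy))"
Jan 22 15:33:57 current slapd[4085]: conn=29 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 22 15:34:07 current slapd[4072]: conn=29 fd=14 closed
"""
# Every BIND, SRCH and RESULT line carries the conn=/op= pair that ties a request to its result.
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|SEARCH RESULT|RESULT)\b(.*)')
FILTER_RE = re.compile(r'filter="([^"]*)"')
CLASS_RE = re.compile(r'objectClass=(\w+)')

def analyse(log_text):
    """Return (conns that bound anonymously, {(conn, op): {'filter', 'err', 'nentries'}})."""
    anon_binds, searches = set(), {}
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # ACCEPT / closed / bdb_* lines carry no op= field
        conn, op, kind, rest = m.groups()
        key = (int(conn), int(op))
        if kind == 'BIND' and 'dn=""' in rest:
            anon_binds.add(key[0])  # empty dn with method=128: anonymous simple bind
        elif kind == 'SRCH':
            f = FILTER_RE.search(rest)
            searches[key] = {'filter': f.group(1) if f else '', 'err': None, 'nentries': None}
        elif kind == 'SEARCH RESULT' and key in searches:
            r = re.search(r'err=(\d+)(?: nentries=(\d+))?', rest)
            searches[key]['err'] = int(r.group(1))
            searches[key]['nentries'] = int(r.group(2) or 0)
    return anon_binds, searches

def empty_lookups(searches):
    """objectClasses whose lookup succeeded (err=0) but matched no entry, first occurrence only."""
    names = []
    for _, s in sorted(searches.items()):
        if s['err'] == 0 and s['nentries'] == 0:
            c = CLASS_RE.search(s['filter'])
            name = c.group(1) if c else s['filter']
            if name not in names:
                names.append(name)
    return names
```

Run `analyse(SAMPLE_LOG)` and pass the searches to `empty_lookups` to get `['shadowAccount']` for the log above; on a real `slapd` log (loglevel 256) the same two functions work on the whole file.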