
ssh -> pam_ldap -> openldap -> sasl -> pam_radius



I know it sounds crazy but it actually almost works now.  I have tested
using ldapsearch a query against the ldap server (and using
testsaslauthd) and it successfully talks to sasl, in which saslauthd
uses pam (running as saslauthd -a pam reading /etc/pam.d/ldap) which is
configured to talk pam_radius.so to a radius server for authentication.
So the latter half of this works.  The problem I have is between
ssh->pam->pam_ldap.

The problem I am having is that if there is no local account on the
box, ssh never uses pam_ldap to try and authenticate the user against the
ldap server and pull out all the Posix account info for login.  Any help
would be appreciated; here are my config files.  This is on a Red Hat 8.0
Linux box btw.

/etc/pam.d/sshd
-----------------------------
#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so debug
auth       required     /lib/security/pam_unix.so shadow nullok use_first_pass
account    sufficient   /lib/security/pam_ldap.so debug
account    required     /lib/security/pam_unix.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix.so nullok use_authtok shadow
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_console.so

/etc/ldap.conf
-----------------
host 127.0.0.1
base dc=domain,dc=com
uri ldap://127.0.0.1/
ldap_version 3
ssl start_tls
tls_checkpeer no
SASL_SECPROPS none

/usr/local/etc/openldap/slapd.conf
-------------------------------------
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

access to dn=".*,dc=domain,dc=com" attr=userPassword
        by self write
        by * auth
 
access to dn=".*,dc=domain,dc=com"
        by * read

sasl-secprops   none
database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"
index   objectClass     eq
TLSCertificateFile /usr/local/etc/openldap/certs/slapdcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/certs/slapdkey.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2

/usr/lib/sasl2/slapd.conf
-------------------------
pwcheck_method: saslauthd


Any help would be greatly appreciated.

thanks
adam
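Added example, not part of the original post: a small simulator of Linux-PAM control-flag handling, run over a constructed copy of the auth and account lines from the /etc/pam.d/sshd above. Module results are supplied by hand, so it shows how `sufficient` and `required` combine in that stack (pam_unix is only reached when pam_ldap fails; a `sufficient` success cannot rescue an earlier `required` failure), not whether LDAP or RADIUS actually answer.

```python
import re

# Constructed copy of the relevant lines from the posted /etc/pam.d/sshd
# (the wrapped "use_first_pass" joined back onto its line).
PAM_SSHD = """\
#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so debug
auth       required     /lib/security/pam_unix.so shadow nullok use_first_pass
account    sufficient   /lib/security/pam_ldap.so debug
account    required     /lib/security/pam_unix.so
"""

LINE_RE = re.compile(
    r"^(\w+)\s+(required|requisite|sufficient|optional)\s+(\S+)(.*)$")

def parse_stack(text, group="auth"):
    """Return [(control, module_name, args)] for one management group, in order."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == group:
            control, path, args = m.group(2), m.group(3), m.group(4).split()
            stack.append((control, path.rsplit("/", 1)[-1], args))
    return stack

def run_stack(stack, results):
    """Simulate Linux-PAM handling of required/requisite/sufficient/optional.

    results maps module name -> True (PAM_SUCCESS) or False (any failure).
    Returns (stack_outcome, modules_consulted_in_order).
    """
    consulted, required_failed = [], False
    for control, module, _args in stack:
        ok = results[module]
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted            # abort immediately
        if control == "required" and not ok:
            required_failed = True             # keep walking; hides which module failed
        if control == "sufficient" and ok:
            # success ends the stack, but cannot override an earlier required
            # failure (Linux-PAM's [success=done] semantics)
            return (not required_failed), consulted
        # optional: result ignored here
    return (not required_failed), consulted
```

Note that sshd resolves the login name through NSS (getpwnam) before the PAM auth stack runs, and pam_ldap does not supply POSIX account data; the simulation above covers only the PAM half of the login.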