[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Ldap authentication issue with PAM



Troubleshooting this requires more info:

1. What's the OS/Linux-flavour? CentOS/RHEL have a pretty painless way to enable LDAP auth, AFAIK.

2. I maybe reading the ACLs wrong but you allow anonymous auth for attribute "userPassword" but for all other attributes, anon has no rights. How will the auth session read user info from LDAP?

 

 

- Siddhartha

 

 

 

-----Original Message-----
From: openldap-technical-bounces+sjain=silverspringnet.com@openldap.org [mailto:openldap-technical-bounces+sjain=silverspringnet.com@openldap.org] On Behalf Of Indexer
Sent: Monday, May 03, 2010 12:52 AM
To: openldap-technical@openldap.org
Subject: Ldap authentication issue with PAM

 

I am currently trying to make a ldap server which i can use to authenticate users. Sadly a large number of how to's are incomplete and don't work, so after reading alot of how to's and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with a error from auth.log

 

May  4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1

 

I can succesfully search the ldap with this user binding to the ldap

 

ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)'

Enter LDAP Password:

# extended LDIF

#

# LDAPv3

# base <dc=chocolate,dc=lan> (default) with scope subtree

# filter: (uid=william)

# requesting: ALL

#

 

# william, Admin, chocolate.lan

dn: uid=william,ou=Admin,dc=chocolate,dc=lan

uid: william

cn: william

objectClass: account

objectClass: posixAccount

objectClass: shadowAccount

objectClass: top

loginShell: /bin/bash

uidNumber: 10000

gidNumber: 10000

homeDirectory: /home/william

userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE=

gecos: William Brown,,,,

description: William Brown

shadowLastChange: 1

shadowMax: 0

shadowExpire: 0

 

# search result

search: 2

result: 0 Success

 

# numResponses: 2

# numEntries: 1

 

Slapd when trying to authenticate shows this.

 

/usr/local/libexec/slapd -4 -d 256

 

slapd starting

conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)

conn=0 op=0 BIND dn="" method=128

conn=0 op=0 RESULT tag=97 err=0 text=

connection_input: conn=0 deferring operation: binding

conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"

conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber

conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"

conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber

conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=

conn=0 fd=10 closed (connection lost)

conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)

conn=1 op=0 BIND dn="" method=128

conn=1 op=0 RESULT tag=97 err=0 text=

connection_input: conn=1 deferring operation: binding

conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"

conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire

<= bdb_equality_candidates: (uid) not indexed

conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)

conn=2 op=0 BIND dn="" method=128

conn=2 op=0 RESULT tag=97 err=0 text=

connection_input: conn=2 deferring operation: binding

conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"

conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire

<= bdb_equality_candidates: (uid) not indexed

conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"

conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire

<= bdb_equality_candidates: (uid) not indexed

conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

conn=2 fd=12 closed (connection lost)

conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)

conn=3 op=0 BIND dn="" method=128

conn=3 op=0 RESULT tag=97 err=0 text=

connection_input: conn=3 deferring operation: binding

conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"

conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire

<= bdb_equality_candidates: (uid) not indexed

conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"

conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire

<= bdb_equality_candidates: (uid) not indexed

conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

conn=3 fd=12 closed (connection lost)

conn=1 fd=10 closed (connection lost)

 

 

Here is my /etc/ldap.conf

base dc=chocolate,dc=lan

suffix dc=chocolate,dc=lan

uri ldap://ldap.srv.chocolate.lan

ldap_version 3

rootbinddn cn=Manager,dc=chocolate,dc=lan

scope one

timelimit 3

bind_timelimit 3

bind_policy soft

pam_filter objectclass=posixAccount

pam_login_attribute uid

pam_check_host_attr no

pam_member_attribute memberuid

pam_password exop

nss_reconnect_tries 4                   # number of times to double the sleep time

nss_reconnect_sleeptime 1               # initial sleep value

nss_reconnect_maxsleeptime 16   # max sleep value to cap at

nss_reconnect_maxconntries 2    # how many tries before sleeping

nss_base_passwd         ou=Admin,dc=chocolate,dc=lan?one

nss_base_passwd         ou=People,dc=chocolate,dc=lan?one

nss_base_shadow         ou=Admin,dc=chocolate,dc=lan?one

nss_base_shadow         ou=People,dc=chocolate,dc=lan?one

nss_base_group          ou=Nemo,ou=Group,dc=chocolate,dc=lan?one

nss_base_group          ou=Marvin,ou=Group,dc=chocolate,dc=lan?one

ssl off

 

Here is /etc/openldap/slapd.conf

 

include         /usr/local/etc/openldap/schema/core.schema

include         /usr/local/etc/openldap/schema/cosine.schema

include          /usr/local/etc/openldap/schema/inetorgperson.schema

include          /usr/local/etc/openldap/schema/nis.schema

pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args

modulepath      /usr/local/libexec/openldap

moduleload      back_bdb

access to attrs=userPassword

       by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write

       by anonymous auth

       by self write

       by * none

access to *

       by self write

       by users read

database        bdb

suffix          "dc=chocolate,dc=lan"

rootdn          "cn=Manager,dc=chocolate,dc=lan"

rootpw          {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm

directory       /var/db/openldap-data

index   objectClass     eq

index   uid     eq

password-hash {SSHA}

 

Here is the /etc/openldap/ldap.conf from both the client and server

 

BASE    dc=chocolate,dc=lan

URI     ldap://ldap.srv.chocolate.lan

 

Any help with this would be greatly appreciated

 

William