
LDAP authentication fails

Hi,

I have two client machines (CLIENT1 & CLIENT2) on which users are authenticated using an LDAP_SERVER. They also have autofs to mount the home directory at login.

The issue is that on CLIENT1 authentication and mount work fine, but not on CLIENT2, although both have the same configuration files.

Errors on CLIENT2:
Case 1: When PasswordAuthentication is set to No in sshd_config
ssh user@client2.isl.com
Permission denied (publickey).

Case 2: When PasswordAuthentication is commented in sshd_config
ssh user@client2.com
user@clent2.isl.com's password:
Linux client2.isl.com 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:05:01 UTC 2009 x86_64
Creating directory '/home/user'.
Unable to create and initialize directory '/home/user'.

Configuration files on CLIENT2:
1) /etc/pam.d/sshd
auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
@include common-auth
account    required     pam_nologin.so
@include common-account
@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
@include common-password

2) /etc/ldap.conf
base dc=auth,dc=ldap_server,dc=isl,dc=com
uri ldaps://192.169.214.54
ldap_version 3
rootbinddn cn=admin,dc=ldap_server,dc=isl,dc=com
pam_password md5
ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap_server.isl.com.pem

3) /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


4) /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile    %h/.ssh/authorized_keys

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no

ChallengeResponseAuthentication no

#PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

5) /etc/auto.home
*            192.169.214.54:/home/&

6) /etc/auto.master
+auto.master
/home         /etc/auto.home

Also, there exists no local user by the same name on any of the client machines. The public keys are correctly inserted in //LDAP_SERVER/home/user/.ssh/authorized_keys, or else login wouldn't have been possible on CLIENT1. `getent passwd` on CLIENT2 shows all LDAP users.

Any suggestions would be of great help.
Thanks!
--
Abhinav
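One way to check the pam_mkhomedir/autofs interaction visible in the configuration above, as an added example that is not part of the original post or of any of the packages involved. It parses copies of the files passed in as strings; the passwd entry's uid/gid values are assumed.

```python
# Added diagnostic (not from the post): given a passwd entry, auto.master, the
# indirect map files and /etc/pam.d/sshd as text, report whether the home lies
# under an autofs mount, where it is served from, and whether pam_mkhomedir is set.

def parse_auto_master(text):
    """{mount_point: map_file}; '+auto.master' includes and comments are skipped."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith(("#", "+")):
            mounts[parts[0]] = parts[1]
    return mounts

def resolve_map(map_text, key):
    """Resolve key in an indirect map, honouring the '*' wildcard and '&' substitution."""
    wildcard = None
    for line in map_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0] == key:
            return parts[-1].replace("&", key)  # last field is the location
        if parts[0] == "*":
            wildcard = parts[-1]
    return wildcard.replace("&", key) if wildcard else None

def has_mkhomedir(pam_text):
    """True if a session line of the pam.d file calls pam_mkhomedir.so."""
    return any(p and p[0] == "session" and "pam_mkhomedir.so" in p
               for p in (l.split() for l in pam_text.splitlines()))

def diagnose(passwd_entry, auto_master, maps, pam_sshd):
    """maps is {map_file: map_text}; returns (nfs_source or None, findings)."""
    home = passwd_entry.split(":")[5]
    source, findings = None, []
    for mount, map_file in parse_auto_master(auto_master).items():
        if home.startswith(mount.rstrip("/") + "/"):
            key = home[len(mount):].strip("/").split("/")[0]
            source = resolve_map(maps.get(map_file, ""), key)
            findings.append(f"{home} is under autofs mount {mount} (map {map_file}), served from {source}")
            if has_mkhomedir(pam_sshd):
                findings.append("pam_mkhomedir would have to mkdir inside the autofs mount, which "
                                "autofs refuses; the directory must already exist on the export")
    return source, findings

# Sample input taken from the post; the passwd line is constructed (uid/gid assumed).
SAMPLE = {"passwd": "user:x:10001:10001::/home/user:/bin/bash",
          "auto.master": "+auto.master\n/home         /etc/auto.home\n",
          "auto.home": "*            192.169.214.54:/home/&\n",
          "pam_sshd": "session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022\n"}
```

Run `diagnose(SAMPLE["passwd"], SAMPLE["auto.master"], {"/etc/auto.home": SAMPLE["auto.home"]}, SAMPLE["pam_sshd"])` against copies of the real files to see where /home/user would be mounted from and whether pam_mkhomedir is in the path.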