junky n00b
Joined: 20 Dec 2002 Posts: 13
Posted: Mon Aug 16, 2004 2:16 pm Post subject: PAM/Ldap problems |
Hi,
I'm trying to set up a centralised LDAP server, with clients using it for authentication (all machines are Gentoo). The server running slapd seems to work fine, including local authentication via PAM.
I'm now trying to get clients to use the LDAP server for authentication, using
http://www.monkeybox.org.uk/docs/gentoo/ldap.html as guidance.
The clients can successfully use ldapsearch to query the ldap server. I've made the advised changes to system-auth and nsswitch.conf but PAM seems to ignore these completely when using getent or when attempting to log in.
I've added ldap to my USE flags and re-emerged pam_ldap, nss_ldap and pam, and rebooted. But still PAM doesn't attempt to use ldap.
Using tcpdump I've monitored the traffic from the client to the server and there isn't a single packet sent from client to server on either of the ldap ports. However, there clearly is during an ldapsearch.
I've literally cut and pasted system-auth from the monkeybox page.
Has this been seen before?
Can anybody advise?
Can I trace PAM?
Thanks
Junky
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Mon Aug 16, 2004 3:22 pm Post subject: |
You need to set up /etc/ldap.conf. Both pam and nss use this file. Even with nsswitch.conf set up correctly, if the ldap server can't be found, it will use the file version of the login credentials.
Han.
junky n00b
Joined: 20 Dec 2002 Posts: 13
Posted: Mon Aug 16, 2004 8:52 pm Post subject: |
Hi,
Thanks for the response. If there was a problem with /etc/ldap.conf, wouldn't this break ldapsearch? ldapsearch works fine from the client, hence I think it's a problem with PAM.
Cheers
Junky
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Tue Aug 17, 2004 6:28 am Post subject: |
junky wrote: | Hi,
Thanks for the response. If there was a problem with /etc/ldap.conf, wouldn't this break ldapsearch? ldapsearch works fine from the client, hence I think it's a problem with PAM. |
Nope. Because ldapsearch uses /etc/openldap/ldap.conf for its configuration, while pam and nss use /etc/ldap.conf. Notice there are two configuration files with the same name in different locations.
You are right in the sense that PAM is the problem, because PAM is not getting the correct configuration from /etc/ldap.conf.
Han.
junky n00b
Joined: 20 Dec 2002 Posts: 13
Posted: Wed Aug 18, 2004 7:14 am Post subject: |
Han,
You were right. A bit more tweaking of /etc/ldap.conf now means that getent works! Thanks for your assistance. Any idea why sshd would ignore it though?
Thanks
Junky
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Wed Aug 18, 2004 7:53 am Post subject: |
junky wrote: | Han,
You were right. A bit more tweaking of /etc/ldap.conf now means that getent works! Thanks for your assistance. |
No problem.
junky wrote: | Any idea why sshd would ignore it though? |
User authentication is not handled by sshd (at least not with the Gentoo default setting); rather, it uses pam to do the authentication. sshd is not really ignoring your ldap server. Problems like yours usually mean that pam can't connect to the ldap server, therefore pam falls back to the file-based user credentials, which of course will not find the users that are in the ldap db. ;)
Han.
junky n00b
Joined: 20 Dec 2002 Posts: 13
Posted: Thu Aug 19, 2004 12:36 pm Post subject: |
Han,
Once again you were spot on!
Due to the problems I was having with /etc/ldap.conf, I backed out the changes I had made to system-auth to ensure I didn't lock myself out of the system. Once I fixed up /etc/ldap.conf and put my ldap version of system-auth back in place, PAM started working.
Thanks again for all your assistance, it is greatly appreciated.
Junky
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Thu Aug 19, 2004 1:39 pm Post subject: |
junky wrote: | Han,
Once again you were spot on! |
That's the result of 2 months of research and trial plus lots of errors.
junky wrote: | Due to the problems I was having with /etc/ldap.conf, I backed out the changes I had made to system-auth to ensure I didn't lock myself out of the system. Once I fixed up /etc/ldap.conf and put my ldap version of system-auth back in place, PAM started working. |
Humm... As you have also noted, you could get locked out. Maybe it might be a good idea to leave at least your root account in the regular file-based credentials, along with maybe a few system accounts and groups. It's very easy to get PAM to authenticate a user from the file-based version if that user is not found in the ldap version. That way, even when your ldap server is down, you can still log in to the system.
junky wrote: | Thanks again for all your assistance, it is greatly appreciated. |
Glad to, so long as you did not ask me to do your homework. ;)
Han.
Skywacker n00b
Joined: 23 Jan 2004 Posts: 72 Location: Missouri
Posted: Fri Aug 20, 2004 4:47 pm Post subject: Very similar problem |
I've been following the http://www.monkeybox.org.uk/docs/gentoo/ldap.html howto as well. I finally got things working in the sense that I can install LDAP, start slapd, migrate data, ldapsearch and find all that data, but getent passwd only returns users from /etc/passwd.
I understand that /etc/ldap.conf is what getent uses. I've copied the example from monkeybox exactly (changing the domain names). I've tried using
Since ldapsearch is working, and it uses /etc/openldap/ldap.conf, I tried mimicking some settings from there in /etc/ldap.conf.
I've tried restarting slapd between every change and tail-ing /var/log/messages after each attempt. Nothing works, and nothing shows up in the logs.
When slapd is NOT running and I try to ssh in, I get this in the messages log:
Aug 20 11:23:17 b2 sshd[20117]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 20 11:23:17 b2 sshd[20115]: Accepted keyboard-interactive/pam for root from 192.168.0.1 port 13236 ssh2
Aug 20 11:23:17 b2 sshd(pam_unix)[20118]: session opened for user root by root(uid=0)
But if slapd IS running, I get no such complaint, only: b2 slapd[20036]: bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
The way I understand it from the posts above is: ssh relies on pam, pam looks in nsswitch, my nsswitch says to try compat and ldap, it doesn't see the ldap server at all, and checks the password against /etc/passwd. So when slapd is running, pam CAN contact the LDAP server, but I'm getting no results.
I'll post my relevant config files:
/etc/slapd.conf
Code: |
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schema and objectClass definitions
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
Loglevel 0
# Load dynamic backend modules:
# modulepath /usr/lib/openldap/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Password Hash
password-hash {crypt}
# TLS stuff
# Keep the following commented until everything else is working
#
#TLSCertificateFile /etc/ssl/certs/slapdcert.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapdkey.pem
#TLSCACertificateFile /etc/ssl/certs/slapdcert.pem
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=cvucluster,dc=localdomain"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Manager,dc=cvucluster,dc=localdomain"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw {MD5}Nmf1z1bcJZWVpoSbeGQbsg==
rootpw {MD5}myencyptedpassword==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/openldap-ldbm
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
## required to support pdb_getsampwnam
#index uid pres,sub,eq
## required to support pdb_getsambapwrid()
#index displayName pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index uidNumber eq
index gidNumber eq
index memberUid eq
#index sambaSID eq
#index sambaPrimaryGroupSID eq
#index sambaDomainName eq
index default sub
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/openldap-slurp/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to this database only
access to *
        by dn="uid=root,ou=People,dc=cvucluster,dc=localdomain" write
        by dn="cn=Manager,dc=cvucluster,dc=localdomain" write
        by users read
        by anonymous auth
        by * search
#access to attribute=userPassword,gecos,description,sambaLMPassword,sambaNTPassword
access to attribute=userPassword,gecos,description
        by dn="cn=Manager,dc=cvucluster,dc=localdomain" write
        by dn="uid=root,ou=People,dc=cvucluster,dc=localdomain" write
        by self write
        by anonymous auth
        by * none
#access to everything for manager
access to *
        by dn="cn=Manager,dc=cvucluster,dc=localdomain" write
        by * read
|
/etc/openldap/ldap.conf
Code: |
BASE dc=cvucluster, dc=localdomain
TLS_REQCERT allow
URI ldap://b2.cvucluster.localdomain
|
/etc/ldap.conf
Code: |
host 127.0.0.1
BASE dc=cvucluster,dc=localdomain
URI ldap://b2.cvucluster.localdomain
scope one
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=cvucluster,dc=localdomain?one
nss_base_shadow ou=People,dc=cvucluster,dc=localdomain?one
nss_base_group ou=Group,dc=cvucluster,dc=localdomain?one
nss_hosts ou=Hosts,dc=cvucluster,dc=localdomain?one
pam_password exop
# if this is the /etc/ldap.conf that is local to the server,
# i.e not a client machine then
# the following can stay commented, else uncomment
#ssl start_tls
#ssl on
#suffix "dc=cvucluster,dc=localdomain"
|
/etc/conf.d/slapd
Code: |
#OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
|
/etc/pam.d/system-auth
Code: | #%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_ldap.so use_authtok
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session optional /lib/security/pam_ldap.so
session required /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=076
|
/etc/nsswitch.conf
Code: |
passwd: compat ldap
shadow: compat ldap
group: compat ldap
hosts: files dns ldap
|
And like I said, ldapsearch returns results from the ldap server whereas getent does not.
And finally, I emerged openldap pam_ldap nss_ldap migrationtools with these USE flags:
Code: | USE="-kde -gnome pam -qt -qtmt -quicktime tcpd -X php mysql openssl f77 ldap ssh tls ssl crpyt " |
Any clues? Thanks in advance!!
-Sky
Skywacker n00b
Joined: 23 Jan 2004 Posts: 72 Location: Missouri
Posted: Fri Aug 20, 2004 5:16 pm Post subject: |
I changed the logging level to 2048 and now see this in /var/log/messages when I try to ssh in:
Quote: | pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 20 11:55:54 b2 sshd[20486]: Accepted keyboard-interactive/pam for root from 192.168.0.1 port 9978 ssh2
Aug 20 11:55:54 b2 sshd(pam_unix)[20491]: session opened for user root by root(uid=0)
|
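The log excerpt above is the interesting case from a security point of view: pam_ldap reports that the directory is unreachable and, in the same second, sshd still accepts a keyboard-interactive login for root, because system-auth lists pam_unix as sufficient and root exists in /etc/passwd. That is exactly the local fallback weyhan recommends keeping, but it is also an event worth noticing, since every login accepted during a directory outage was checked against local files only. As an added example, not from this thread or from any of the packages it mentions, the following Python script correlates the two messages over constructed log lines modelled on the quoted ones; the hostname b2, the client IPs, the PIDs and the year 2004 (syslog omits it) are taken from or assumed for the quote, and the 11:30 lines are an invented control case.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the messages-log lines quoted in this thread.
# The 11:30 lines are invented: a login with no preceding pam_ldap failure.
SAMPLE_LOG = """\
Aug 20 11:23:17 b2 sshd[20117]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 20 11:23:17 b2 sshd[20115]: Accepted keyboard-interactive/pam for root from 192.168.0.1 port 13236 ssh2
Aug 20 11:23:17 b2 sshd(pam_unix)[20118]: session opened for user root by root(uid=0)
Aug 20 11:30:02 b2 sshd[20201]: Accepted keyboard-interactive/pam for alice from 192.168.0.7 port 40112 ssh2
Aug 20 11:30:02 b2 sshd(pam_unix)[20203]: session opened for user alice by (uid=0)
"""

# BSD syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
LDAP_UNREACHABLE = "Can't contact LDAP server"


def parse_syslog_line(line, year=2004):
    """Split one syslog line into timestamp, host, process and message.
    Lines without the syslog prefix (e.g. a quote that lost its timestamp)
    return None. The year is assumed because syslog does not record it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def find_fallback_logins(log_text, window=timedelta(seconds=5), year=2004):
    """Return sshd logins that PAM accepted within `window` of pam_ldap
    reporting the directory unreachable on the same host. Those sessions
    were authenticated by the local-files fallback (pam_unix), not by LDAP."""
    events = [e for e in (parse_syslog_line(l, year) for l in log_text.splitlines()) if e]
    last_outage = {}  # host -> timestamp of the most recent pam_ldap failure
    findings = []
    for e in events:
        if "pam_ldap" in e["msg"] and LDAP_UNREACHABLE in e["msg"]:
            last_outage[e["host"]] = e["ts"]
            continue
        if not e["proc"].startswith("sshd"):
            continue
        a = ACCEPT_RE.match(e["msg"])
        if not a:
            continue
        outage = last_outage.get(e["host"])
        if outage is not None and timedelta(0) <= e["ts"] - outage <= window:
            findings.append({
                "ts": e["ts"], "host": e["host"], "user": a["user"],
                "ip": a["ip"], "method": a["method"],
                "note": "accepted while LDAP unreachable: local-files fallback",
            })
    return findings


if __name__ == "__main__":
    for f in find_fallback_logins(SAMPLE_LOG):
        print(f"{f['ts']:%b %d %H:%M:%S} {f['host']} user={f['user']} from={f['ip']} {f['note']}")
```

The correlation is deliberately per host and time-boxed: pam_ldap does not log which login its failure belongs to, so the only link to the `Accepted` line is the host and the timestamp. On a real system the same rule should also match `Failed password` lines, because an attacker who has a local password but not a directory account only succeeds while the directory is down.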
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Sat Aug 21, 2004 6:18 pm Post subject: Re: Very similar problem |
Skywacker wrote: |
/etc/ldap.conf
Code: |
host 127.0.0.1
...
URI ldap://b2.cvucluster.localdomain
...
|
|
Here is your problem. You only need one of the above.
Han.
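Both of weyhan's diagnoses in this thread come down to the same file: nss_ldap and pam_ldap read /etc/ldap.conf (not /etc/openldap/ldap.conf, which only the OpenLDAP command-line tools use), and a bad /etc/ldap.conf fails quietly because the modules simply fall back to the local files. As an added example that is not part of this thread or of the nss_ldap/pam_ldap packages, here is a small Python linter for that file. It flags the `host` plus `URI` conflict from the reply above, a misspelled directive (the parsers do not reject keywords they do not know, so the setting is never applied), a loopback server address on a client, a malformed `nss_base_*` scope, and two settings worth checking before going live: no TLS (pam_ldap authenticates with a simple bind that carries the user's password) and a `bindpw` in a file that every process must be able to read. The directive list, the domain dc=example,dc=com and both configuration samples are constructed for this example.

```python
import re

# Directives nss_ldap/pam_ldap understand (a subset sufficient for a typical
# Gentoo client). Constructed for this example from the ldap.conf(5) keywords.
KNOWN_DIRECTIVES = {
    "host", "uri", "port", "base", "scope", "ldap_version", "timelimit",
    "bind_timelimit", "bind_policy", "binddn", "bindpw", "rootbinddn",
    "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
    "pam_filter", "pam_login_attribute", "pam_member_attribute",
    "pam_groupdn", "pam_password", "pam_lookup_policy",
    "nss_base_passwd", "nss_base_shadow", "nss_base_group", "nss_base_hosts",
    "nss_map_attribute", "nss_map_objectclass", "nss_initgroups_ignoreusers",
}
SCOPES = {"", "base", "one", "sub"}  # second field of "base?scope?filter"


def parse_ldap_conf(text):
    """Return (lineno, keyword, value) triples. Keywords are matched
    case-insensitively by nss_ldap/pam_ldap, so they are lower-cased here."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((lineno, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def lint_ldap_conf(text, on_server=False):
    """Return (severity, lineno, message) tuples; lineno 0 means file-wide."""
    by_key, findings = {}, []
    for lineno, key, value in parse_ldap_conf(text):
        by_key.setdefault(key, []).append((lineno, value))
        if key not in KNOWN_DIRECTIVES:
            findings.append(("error", lineno, f"unknown directive '{key}': it is ignored, check the spelling"))
    # The thread's actual bug: 'host' and 'uri' are two ways of naming the server.
    if "host" in by_key and "uri" in by_key:
        findings.append(("error", by_key["uri"][0][0], "both 'host' and 'uri' are set; keep exactly one"))
    elif "host" not in by_key and "uri" not in by_key:
        findings.append(("error", 0, "neither 'host' nor 'uri' is set; the directory cannot be located"))
    if "base" not in by_key:
        findings.append(("error", 0, "'base' is missing"))
    # Loopback only names the directory when this file lives on the server itself.
    if not on_server:
        for key in ("host", "uri"):
            for lineno, value in by_key.get(key, []):
                if re.search(r"\b(127\.0\.0\.1|localhost)\b", value):
                    findings.append(("warn", lineno, f"'{key}' points at loopback; on a client that is the client, not the directory"))
    for key, vals in by_key.items():
        if key.startswith("nss_base_"):
            for lineno, value in vals:
                fields = value.split("?")
                if len(fields) > 1 and fields[1] not in SCOPES:
                    findings.append(("error", lineno, f"'{key}': scope must be base, one or sub, not '{fields[1]}'"))
    # pam_ldap authenticates with a simple bind using the user's password, so
    # without TLS that password crosses the network in the clear.
    ssl_mode = by_key.get("ssl", [(0, "off")])[-1][1].lower()
    ldaps = any(v.lower().startswith("ldaps://") for _, v in by_key.get("uri", []))
    if ssl_mode not in ("on", "start_tls") and not ldaps:
        findings.append(("warn", 0, "no TLS ('ssl start_tls' or ldaps://): simple binds send user passwords in cleartext"))
    if by_key.get("tls_checkpeer", [(0, "yes")])[-1][1].lower() == "no":
        findings.append(("warn", by_key["tls_checkpeer"][-1][0], "tls_checkpeer no: server certificate is not verified"))
    if "bindpw" in by_key:
        findings.append(("warn", by_key["bindpw"][-1][0], "bindpw in world-readable /etc/ldap.conf; use rootbinddn with /etc/ldap.secret (mode 600)"))
    return findings


# Constructed client-side /etc/ldap.conf with the kind of mistakes this thread ran into.
SAMPLE_CLIENT_CONF = """\
# client config, constructed for this example
host 127.0.0.1
base dc=example,dc=com
uri ldap://ldap.example.com
scope one
pam_filter objectclass=posixAccount
pam_login_attrubute uid
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
pam_password exop
"""

# The same file corrected: one server directive, TLS on, directive names right.
FIXED_CLIENT_CONF = """\
uri ldap://ldap.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
pam_password exop
"""

if __name__ == "__main__":
    for sev, lineno, msg in lint_ldap_conf(SAMPLE_CLIENT_CONF):
        print(f"{sev}: line {lineno}: {msg}")
```

Run it against the real file with `lint_ldap_conf(open("/etc/ldap.conf").read())`, passing `on_server=True` on the directory server itself so the loopback check stays quiet there. The loopback warning is the one to remember from this thread: a client that copies the server's /etc/ldap.conf verbatim points nss_ldap at its own port 389, gets a connection failure, and falls silently back to /etc/passwd, which is precisely the "not a single packet" symptom the first post describes.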