[389-users] PAM PTA partially working

Prashanth Sundaram psundaram at wgen.net
Tue Sep 22 03:02:43 UTC 2009


Hello,

PS: I am sorry to paste such a big error log.

I spent some time tweaking the PAM PTA plug-in so I can authenticate users against Active Directory. I configured the PAM PTA plug-in, krb5.conf, and /etc/pam.d/ldapserver for Kerberos authentication against AD.

So to begin with I had only one user in 389-ds, which is the same as the local account name (uid=psundaram) on the DS. With all the configuration set, I was able to get ldapsearch working for this user. Even when I change the password on the AD side, I can use the new password to show ldif results.

[root at centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=psundaram,ou=People,dc=fedorads,dc=net" -W -x

[root at centos-lin ~]# less /var/log/dirsrv/slapd-centos-lin/errors
[21/Sep/2009:18:08:30 -0400] NSACLPlugin - #### conn=2 op=1 binddn=""
[21/Sep/2009:18:08:30 -0400] NSACLPlugin - conn=2 op=1 (main): Deny search on entry(cn=change-sie-password,cn=commands,cn=admin-serv-centos-lin,cn=389 administration server,cn=server group,cn=centos-lin.fedorads.net,ou=fedorads.net,o=netscaperoot).attr(nsExecRef) to anonymous: no aci matched the subject by aci(16): aciname= "SIE Group (centos-lin)", acidn="o=netscaperoot"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(dc) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on attr): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(cn) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)



But when I created another account, uid=tjordan, which also exists in AD (but does not have a local account like the user above), the authentication fails.

[root at centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=tjordan,ou=People,dc=fedorads,dc=net" -W -x
Enter LDAP Password:
ldap_bind: Operations error (1)
        additional info: Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]


less /var/log/dirsrv/slapd-centos-lin/errors
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]


From what I see, there is something related to anonymous bind, but I am not sure what that is. Can someone help me understand what the problem is and how I can fix it, if you know?


Here is my PAM PTA
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: RDN
pamIDAttr: notUsedWithRDNMethod
pamFallback: FALSE
pamSecure: FALSE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.2.2
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin
modifiersName: cn=directory manager
modifyTimestamp: 20090921225438Z



Thanks,
Prashanth
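Added example (not from Prashanth's post and not the 389 project's code): a small Python script that models how the pasted PAM PTA entry decides which simple binds are handed to PAM (pamIDMapMethod RDN, the two pamExcludeSuffix values, anonymous binds skipped) and that pulls pam_passthru-plugin failures out of errors-log lines like the ones above, decoding the numeric PAM return code (6 is PAM_PERM_DENIED in Linux-PAM). The mapping logic is a simplified model written from the plugin's documented options, not from the plugin's source; the config entry and log lines embedded below are reconstructed from the post, and pamIDMapMethod values other than RDN are deliberately not modelled.

```python
import re
from typing import Dict, List, Optional

# Linux-PAM return codes (security/_pam_types.h) as they appear in the plugin's
# "Error from PAM during pam_authenticate (N: text)" message.
PAM_ERRNO = {0: "PAM_SUCCESS", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

# Constructed sample: the plugin entry from the post, trimmed to the PTA attributes.
PTA_CONFIG_LDIF = """\
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
nsslapd-pluginEnabled: on
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: RDN
pamIDAttr: notUsedWithRDNMethod
pamFallback: FALSE
pamSecure: FALSE
pamService: ldapserver
"""

# Constructed sample: errors-log lines from the post, re-joined onto single lines.
SAMPLE_ERRORS_LOG = """\
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one flat LDIF entry into attribute -> list of values (no base64, no folding)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def _norm_dn(dn: str) -> List[str]:
    """Lower-case a DN and split it into RDNs (escaped commas are not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def _under_suffix(dn: str, suffix: str) -> bool:
    d, s = _norm_dn(dn), _norm_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def pam_user_for_bind(cfg: Dict[str, List[str]], bind_dn: str) -> Optional[str]:
    """Return the user name the plugin would pass to pam_authenticate for a simple bind,
    or None when the bind is not passed through at all.

    Simplified model (assumption): anonymous binds and binds under a pamExcludeSuffix
    are skipped; with pamIncludeSuffix set the DN must sit under one of them; only the
    RDN mapping method is modelled (the other methods need a directory lookup)."""
    if not bind_dn.strip():
        return None  # anonymous bind: PAM is never consulted
    if any(_under_suffix(bind_dn, s) for s in cfg.get("pamExcludeSuffix", [])):
        return None
    includes = cfg.get("pamIncludeSuffix", [])
    if includes and not any(_under_suffix(bind_dn, s) for s in includes):
        return None
    method = cfg.get("pamIDMapMethod", ["RDN"])[0].upper()
    if method != "RDN":
        raise NotImplementedError(f"pamIDMapMethod {method} is not modelled here")
    # RDN method: the value of the first RDN (uid=tjordan -> tjordan) becomes the PAM user.
    return bind_dn.split(",")[0].partition("=")[2].strip()


PTA_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] pam_passthru-plugin - (?P<msg>.*)$")
PAM_ERR = re.compile(r"Error from PAM during (?P<call>pam_\w+) \((?P<code>\d+): (?P<text>[^)]*)\)")
PAM_WHO = re.compile(r"for user id \[(?P<user>[^\]]*)\], bind DN \[(?P<dn>[^\]]*)\]")


def parse_pta_failures(lines) -> List[dict]:
    """Collect pam_passthru-plugin failures, attaching the 'for user id [...]' line that
    follows an 'Error from PAM' line with the same timestamp to that event."""
    events: List[dict] = []
    for line in lines:
        m = PTA_LINE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        err = PAM_ERR.search(msg)
        if err:
            code = int(err.group("code"))
            events.append({"ts": ts, "call": err.group("call"), "code": code,
                           "name": PAM_ERRNO.get(code, "UNKNOWN"),
                           "text": err.group("text"), "user": None, "bind_dn": None})
            continue
        who = PAM_WHO.search(msg)
        if who and events and events[-1]["ts"] == ts and events[-1]["user"] is None:
            events[-1]["user"], events[-1]["bind_dn"] = who.group("user"), who.group("dn")
    return events


if __name__ == "__main__":
    cfg = parse_ldif_entry(PTA_CONFIG_LDIF)
    for dn in ("uid=tjordan,ou=People,dc=fedorads,dc=net", "",
               "cn=PAM Pass Through Auth,cn=plugins,cn=config"):
        print(f"bind {dn!r}: PAM user {pam_user_for_bind(cfg, dn)!r} via service {cfg['pamService'][0]}")
    for ev in parse_pta_failures(SAMPLE_ERRORS_LOG.splitlines()):
        print(f"{ev['ts']}: {ev['call']} -> {ev['code']} {ev['name']} "
              f"for user {ev['user']} (bind DN {ev['bind_dn']})")
```

Run as a script it reports that the uid=tjordan bind is handed to PAM as user "tjordan" under the "ldapserver" service, and that the logged failure is PAM_PERM_DENIED returned by pam_authenticate for that user. That places the denial inside the /etc/pam.d/ldapserver stack rather than in the directory's ACIs, which is what the NSACLPlugin lines are about; the NSACLPlugin lines for the first user show search ACI decisions and never a bind decision.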