[389-users] PAM PTA partially working

Rich Megginson rmeggins at redhat.com
Tue Sep 22 13:54:52 UTC 2009


Prashanth Sundaram wrote:
> Hello,
>
> PS: I am sorry to paste such big error log.
>
> I spent some time tweaking around the PAM PTA plug-in, so I can authenticate users against Active Directory. I configured the PAM PTA plug-in, krb5.conf, /etc/pam.d/ldapserver for Kerberos authentication against AD.
>
> So to begin with I had only one user in 389-ds which is same as the local account name(uid=psundaram) on the DS. With all the configuration set, I was able to get the ldapsearch working for this user. Even when I change the password on the AD side, I can use the new password to show ldif results.
>
> [root at centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=psundaram,ou=People,dc=fedorads,dc=net" -W -x
>
> [root at centos-lin ~]# less /var/log/dirsrv/slapd-centos-lin/errors
> [21/Sep/2009:18:08:30 -0400] NSACLPlugin - #### conn=2 op=1 binddn=""
> [21/Sep/2009:18:08:30 -0400] NSACLPlugin - conn=2 op=1 (main): Deny search on entry(cn=change-sie-password,cn=commands,cn=admin-serv-centos-lin,cn=389 administration server,cn=server group,cn=centos-lin.fedorads.net,ou=fedorads.net,o=netscaperoot).attr(nsExecRef) to anonymous: no aci matched the subject by aci(16): aciname= "SIE Group (centos-lin)", acidn="o=netscaperoot"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(dc) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on attr): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(cn) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
>
>
>
> But when I created another account, uid=tjordan, which exists in AD as well (but does not have a local account like the user above), the authentication fails.
>
> [root at centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=tjordan,ou=People,dc=fedorads,dc=net" -W -x
> Enter LDAP Password:
> ldap_bind: Operations error (1)
>         additional info: Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]
>
>
> less /var/log/dirsrv/slapd-centos-lin/errors
> [21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
> [21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]
>
>
> From what I see, there is something related to anonymous bind, but I am not sure what that is. Can someone help me understand what the problem is and how I can fix it, if you know?
>   
Does it work if you create a local user account for uid=tjordan?
>
> Here is my PAM PTA
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: libpam-passthru-plugin
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: cn=config
> pamExcludeSuffix: o=NetscapeRoot
> pamIDMapMethod: RDN
> pamIDAttr: notUsedWithRDNMethod
> pamFallback: FALSE
> pamSecure: FALSE
> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.2.2
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
> modifiersName: cn=directory manager
> modifyTimestamp: 20090921225438Z
>
>
>
> Thanks,
> Prashanth
>

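The check the reply asks about can be scripted. The following is an added example, not code from this thread or from the 389 project: it parses pam_passthru-plugin error lines of the shape quoted above, applies the `pamIDMapMethod: RDN` mapping (PAM user = value of the bind DN's first RDN) and the `pamExcludeSuffix` values from the plugin entry, and reports whether the mapped PAM user has a local account. The sample log and the local account set are constructed (the set stands in for `getent passwd`), and the DN suffix comparison is a simplified lower-case string match rather than full DN normalization.

```python
"""
Added diagnostic for 389 DS PAM pass-through failures (not from the thread or
the 389 project). Assumptions: the two pam_passthru-plugin line formats quoted
in the thread, a constructed local account set in place of getent passwd, and
a simplified DN suffix comparison.
"""
import re

# Shape of the two pam_passthru-plugin lines quoted in the thread.
PAM_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] pam_passthru-plugin - (?:"
    r"Error from PAM during (?P<stage>\w+) \((?P<code>\d+): (?P<msg>[^)]+)\)"
    r"|Unknown PAM error \[(?P<umsg>[^\]]+)\] for user id \[(?P<user>[^\]]+)\],"
    r" bind DN \[(?P<dn>[^\]]+)\])$"
)

# Constructed sample: one ACL plugin line (ignored) and the two PAM lines from the thread.
SAMPLE_LOG = """\
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]
"""

# Constructed stand-in for `getent passwd`: only psundaram exists locally, as in the thread.
LOCAL_ACCOUNTS = {"psundaram"}

# pamExcludeSuffix values from the plugin entry posted in the thread.
EXCLUDE_SUFFIXES = ("cn=config", "o=NetscapeRoot")


def normalize_dn(dn):
    """Lower-case and strip spaces around commas; enough for the suffix comparison here."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_excluded(bind_dn, excludes=EXCLUDE_SUFFIXES):
    """True if the bind DN sits under a pamExcludeSuffix, i.e. the plugin leaves it to normal DS auth."""
    dn = normalize_dn(bind_dn)
    for suffix in excludes:
        s = normalize_dn(suffix)
        if dn == s or dn.endswith("," + s):
            return True
    return False


def pam_user_from_bind_dn(bind_dn):
    """pamIDMapMethod: RDN -- the PAM user is the value of the first RDN of the bind DN."""
    first_rdn = bind_dn.split(",", 1)[0]
    _attr, sep, value = first_rdn.partition("=")
    if not sep or not value.strip():
        raise ValueError("malformed RDN: %r" % first_rdn)
    return value.strip()


def parse_pam_errors(log_text):
    """Return one dict per pam_passthru-plugin error line; lines from other plugins are skipped."""
    events = []
    for line in log_text.splitlines():
        m = PAM_LINE_RE.match(line.strip())
        if m:
            events.append({k: v for k, v in m.groupdict().items() if v is not None})
    return events


def diagnose(events, local_accounts=LOCAL_ACCOUNTS):
    """For each event carrying a bind DN, report the mapped PAM user and whether it exists locally.

    A missing local account is the condition the reply in the thread asks about; whether
    it is the actual cause depends on the modules stacked in /etc/pam.d/ldapserver.
    """
    report = []
    for ev in events:
        if "dn" not in ev:
            continue
        mapped = pam_user_from_bind_dn(ev["dn"])
        report.append({
            "bind_dn": ev["dn"],
            "logged_user": ev["user"],
            "mapped_user": mapped,
            "mapping_consistent": mapped == ev["user"],
            "excluded_from_pam": is_excluded(ev["dn"]),
            "local_account": mapped in local_accounts,
            "pam_error": ev["umsg"],
        })
    return report


if __name__ == "__main__":
    for row in diagnose(parse_pam_errors(SAMPLE_LOG)):
        print(row)
```

Run against a real errors log, replace `LOCAL_ACCOUNTS` with the output of `getent passwd`; a row with `local_account: False` and `excluded_from_pam: False` is a bind that the plugin did hand to PAM for a user the host cannot resolve, which is exactly the case to test before changing the PAM stack.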