LDAP + PAM

Net Warrior netwarrior863 at gmail.com
Wed Oct 11 13:48:57 UTC 2006


Hi there guys, I'm asking here because on the openldap mailing list I was banned, because
they say that PAM is off-topic and not LDAP related.

My goal is to get rid of the /etc/passwd file and authenticate my users via the LDAP
database.

So, here is what I've done:

System: openSUSE 10.1

common-auth
auth required pam_env.so
auth required pam_unix2.so
auth sufficient pam_ldap.so

common-account
account required pam_unix2.so
account sufficient pam_ldap.so

login
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
auth sufficient pam_ldap.so

auth required pam_mail.so
account include common-account
password include common-password
session include common-session
session required pam_resmgr.so


common-session
session required pam_limits.so
session required pam_unix2.so
session sufficient pam_ldap.so


ssh

#%PAM-1.0
auth include common-auth
auth required pam_nologin.so
account include common-account
password include common-password
session include common-session



The user netwarrior is not part of the Unix passwd file, because I want to get
rid of it; I want all my users to reside in the LDAP database.
netwarrior was added like this: smbldap-useradd netwarrior
Then:
linux:/usr/local/sbin # ./smbldap-usershow netwarrior

dn: uid=netwarrior,ou=Users,dc=netwarrior,dc=com
objectClass: top,inetOrgPerson,posixAccount,shadowAccount
cn: netwarrior
sn: netwarrior
uid: netwarrior
uidNumber: 1005
gidNumber: 513
homeDirectory: /home/netwarrior
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {SSHA}wcM+uu6ExMHrxWOebO2wVQ/rwMpmWDNI
linux:/usr/local/sbin #

linux:/usr/local/sbin # ./smbldap-passwd netwarrior    (and gave it a password)

When trying, for example, ssh netwarrior@suse from a remote machine, I get:

NOTE: This remote machine does not authenticate to the LDAP server, the PDC or
anything like that; I just try to make an ssh connection using a known user.

tail -f /var/log/messages
Oct 9 22:05:32 linux sshd[7005]: Invalid user netwarrior from 172.16.4.100


Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SRCH base="dc=example,dc=com"
scope=2 deref=0 filter="(uid=netwarrior)"
Oct 9 22:06:16 linux slapd[6910]: send_ldap_result: conn=10 op=2 p=3
Oct 9 22:06:16 linux slapd[6910]: send_ldap_result: err=10 matched=""
text=""
Oct 9 22:06:16 linux slapd[6910]: send_ldap_response: msgid=3 tag=101 err=32

Oct 9 22:06:16 linux sshd[7010]: pam_ldap: ldap_search_s No such object
Oct 9 22:06:16 linux sshd[7008]: error: PAM: User not known to the
underlying authentication module for illegal user netwarrior from freebsd

Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SEARCH RESULT tag=101 err=32
nentries=0 text=
Oct 9 22:06:16 linux slapd[6910]: daemon: activity on 1 descriptors
Oct 9 22:06:16 linux slapd[6910]: daemon: activity on:
Oct 9 22:06:16 linux slapd[6910]: 12r
Oct 9 22:06:16 linux slapd[6910]:
Oct 9 22:06:16 linux slapd[6910]: daemon: read activity on 12
Oct 9 22:06:16 linux slapd[6910]: connection_get(12)
Oct 9 22:06:16 linux slapd[6910]: connection_get(12): got connid=10
Oct 9 22:06:16 linux slapd[6910]: connection_read(12): checking for input on
id=10
Oct 9 22:06:16 linux slapd[6910]: ber_get_next on fd 12 failed errno=0
(Success)
Oct 9 22:06:16 linux slapd[6910]: connection_read(12): input error=-2 id=10,
closing.
Oct 9 22:06:16 linux sshd[7008]: Failed keyboard-interactive/pam for invalid
user netwarrior from 172.16.4.100 port 57885 ssh2


example??? -> the base dn is netwarrior, so where did it take
"dc=example,dc=com" from? What am I missing?

ldap.conf on the server machine looks like this:

#BASE dc=netwarrior,dc=com
#URI ldap://127.0.0.1
#HOST 127.0.0.1

#TLS_CACERT /etc/ssl/server.crt
#TLS_REQCERT demand


#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT allow

#nss_base_passwd ou=Users,dc=netwarrior,dc=com?one
#nss_base_shadow ou=Users,dc=netwarrior,dc=com?one
#nss_base_group ou=Groups,dc=netwarrior,dc=com?one

BASE, URI, HOST and nss* uncommented make no difference.


slapd.conf reads like this:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
#TLSCACertificateFile /etc/ssl/server.csr
TLSCertificateFile /etc/ssl/server.crt
TLSCertificateKeyFile /etc/ssl/server.key
TLSVerifyClient try

In sshd_config I've got:
UsePAM yes



Thanks in advance, sorry for the noise.
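The outcome of a PAM stack depends on the order of its `required` and `sufficient` lines as much as on the modules themselves. The simulator below is an added example, not code from the post or from Linux-PAM: it flattens the posted common-auth and login stacks (resolving `include`), then walks them with the classic control-flag rules under an assumed, labelled scenario in which pam_unix2 fails for a user that exists only in LDAP while pam_ldap succeeds. The stack named `common-auth-ldap-first` is a hypothetical variant added for comparison.

```python
"""Added example (not from the post): a small simulator of how Linux-PAM walks an
auth stack, used to see what the posted common-auth / login stacks return when
the user exists only in LDAP."""

# Constructed copies of the stacks from the post. 'common-auth-ldap-first' is a
# hypothetical variant with pam_ldap ahead of pam_unix2, added for comparison.
STACKS = {
    "common-auth": """
auth required pam_env.so
auth required pam_unix2.so
auth sufficient pam_ldap.so
""",
    "common-auth-ldap-first": """
auth required pam_env.so
auth sufficient pam_ldap.so
auth required pam_unix2.so
""",
    "login": """
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
auth sufficient pam_ldap.so
""",
}

# Assumed module results for a user that exists in LDAP but not in /etc/passwd:
# pam_unix2 reports the user as unknown (a failure), pam_ldap binds successfully.
# Modules not listed (pam_env, pam_securetty, pam_nologin) are taken to succeed.
LDAP_ONLY_USER = {"pam_unix2.so": False, "pam_ldap.so": True}


def parse_stack(name, stacks=STACKS, mgmt="auth"):
    """Flatten one management group of a stack into (control, module) pairs,
    resolving 'include' lines the way the include directive does."""
    entries = []
    for line in stacks[name].splitlines():
        parts = line.split()
        # skip blank lines, comments and other management groups
        if len(parts) < 3 or parts[0].startswith("#") or parts[0] != mgmt:
            continue
        control, module = parts[1], parts[2]
        if control == "include":
            entries.extend(parse_stack(module, stacks, mgmt))
        else:
            entries.append((control, module))
    return entries


def evaluate(entries, outcomes):
    """Apply the classic control flags. Returns True for an overall PAM_SUCCESS.

    required   - a failure is remembered, but the rest of the stack still runs
    requisite  - a failure ends the stack immediately with failure
    sufficient - a success ends the stack with success unless an earlier
                 required module already failed; a failure is ignored
    optional   - ignored here (it only matters when it is the sole module)
    """
    failed = False
    for control, module in entries:
        ok = outcomes.get(module, True)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control != "optional":
            raise ValueError(f"unsupported control flag: {control}")
    return not failed


def trace(name, outcomes=LDAP_ONLY_USER):
    """Convenience wrapper: flatten and evaluate a named stack."""
    return evaluate(parse_stack(name), outcomes)


if __name__ == "__main__":
    # common-auth -> failure, common-auth-ldap-first -> PAM_SUCCESS, login -> failure
    for stack in STACKS:
        print(f"{stack:24} -> {'PAM_SUCCESS' if trace(stack) else 'failure'}")
```

Whether pam_unix2 really fails in a given setup is the assumption to verify first: sshd logs "Invalid user" when it cannot resolve the account through NSS at all, so `getent passwd <user>` on the server is the quickest check that the name service, not only PAM, knows the LDAP user before reasoning about the stack order.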