[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

LDAP + PAM



Hi there guys, I'm asking here cuz in openldap mailing list I was banned cuz they say that PAM is off-topic and not LDAP related.

My goal is to get rid of /etc/passwd file and autenticate my users via LDAP database,

So, here is what I've done,

System opensuse 10.1

commmon-auth
auth required pam_env.so
auth required pam_unix2.so
auth sufficient pam_ldap.so

common-account
account required pam_unix2.so
account sufficient pam_ldap.so

login
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
auth sufficient pam_ldap.so

auth required pam_mail.so
account include common-account
password include common-password
session include common-session
session required pam_resmgr.so


common-session
session required pam_limits.so
session required pam_unix2.so
session sufficient pam_ldap.so


ssh

#%PAM-1.0
auth include common-auth
auth required pam_nologin.so
account include common-account
password include common-password
session include common-session



The user netwarrior is not part of the passwd unix system, cuz I wanna get rid of it, I wanna all my users reside in the LDAP dtabase.
netwarrior was added like this : smbldap-useradd netwarrior
Then:
linux:/usr/local/sbin # ./smbldap-usershow netwarrior

dn: uid=netwarrior,ou=Users,dc=netwarrior,dc=com
objectClass: top,inetOrgPerson,posixAccount,shadowAccount
cn: netwarrior
sn: netwarrior
uid: netwarrior
uidNumber: 1005
gidNumber: 513
homeDirectory: /home/netwarrior
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {SSHA}wcM+uu6ExMHrxWOebO2wVQ/rwMpmWDNI
linux:/usr/local/sbin #

linux:/usr/local/sbin # ./smbldap-passwd netwarrior and gave it a password

When trying , for example ssh netwarrior suse from a remote machine using ssh I get:

NOTE This remote machine does not authenticate to the LDAP server or whatever, PDC and so on, just try to make an ssh connection using a known user.

tail -f /var/log/messages
Oct 9 22:05:32 linux sshd[7005]: Invalid user netwarrior from 172.16.4.100


Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=netwarrior)"
Oct 9 22:06:16 linux slapd[6910]: send_ldap_result: conn=10 op=2 p=3
Oct 9 22:06:16 linux slapd[6910]: send_ldap_result: err=10 matched="" text=""
Oct 9 22:06:16 linux slapd[6910]: send_ldap_response: msgid=3 tag=101 err=32
Oct 9 22:06:16 linux sshd[7010]: pam_ldap: ldap_search_s No such object
Oct 9 22:06:16 linux sshd[7008]: error: PAM: User not known to the underlying authentication module for illegal user netwarrior from freebsd

Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Oct 9 22:06:16 linux slapd[6910]: daemon: activity on 1 descriptors
Oct 9 22:06:16 linux slapd[6910]: daemon: activity on:
Oct 9 22:06:16 linux slapd[6910]: 12r
Oct 9 22:06:16 linux slapd[6910]:
Oct 9 22:06:16 linux slapd[6910]: daemon: read activity on 12
Oct 9 22:06:16 linux slapd[6910]: connection_get(12)
Oct 9 22:06:16 linux slapd[6910]: connection_get(12): got connid=10
Oct 9 22:06:16 linux slapd[6910]: connection_read(12): checking for input on id=10
Oct 9 22:06:16 linux slapd[6910]: ber_get_next on fd 12 failed errno=0 (Success)
Oct 9 22:06:16 linux slapd[6910]: connection_read(12): input error=-2 id=10, closing.
Oct 9 22:06:16 linux sshd[7008]: Failed keyboard-interactive/pam for invalid user netwarrior from 172.16.4.100 port 57885 ssh2


example??? -> the base dn is netwarrior, where did it take "dc=example,dc=com", what I am missing

ldap.conf in the server machine is like this

#BASE dc=netwarrior,dc=com
#URI ldap://127.0.0.1
#HOST 127.0.0.1

#TLS_CACERT /etc/ssl/server.crt
#TLS_REQCERT demand


#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT allow

#nss_base_passwd ou=Users,dc=netwarrior,dc=com?one
#nss_base_shadow ou=Users,dc=netwarrior,dc=com?one
#nss_base_group ou=Groups,dc=netwarrior,dc=com?one

BASE, URI, HOST and nss* uncommented make no difference.


slapd.conf reads like this:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
#TLSCACertificateFile /etc/ssl/server.csr
TLSCertificateFile /etc/ssl/server.crt
TLSCertificateKeyFile /etc/ssl/server.key
TLSVerifyClient try

In sshd_conf I've got.
UsePAM yes



Thanks in advance, sorry for the noise.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]