LDAP + PAM

Yu Wang yuwang at cs.fsu.edu
Wed Oct 11 17:30:29 UTC 2006


(The right place to ask this is the pam_ldap mailing list. Visit
www.padl.com for more details).

For your problem, first check /etc/nsswitch.conf and make sure ldap is
listed in passwd, group. Next, make sure your ldap server is up and
listens on a public interface other than 127.0.0.1 (use nmap, netstat,
etc. to verify) and that you can talk to it on your server and from your
client (ldapsearch). Then, on your client machine modify /etc/ldap.conf;
you need the following entries (yours are commented out):
1. base ou=Users,dc=netwarrior,dc=com
2. uri ldap://suse.netwarrior.com
3. port 636
4. binddn the_account_to_do_bind
5. bindpw the_password
6. nss_base_passwd        ou=Users,dc=netwarrior,dc=com?sub
7. nss_base_group          ou=Users,dc=netwarrior,dc=com?sub
8. ssl no (take TLS out of the equation first; you can add it later, after
   you get the non-SSL one working)


Save it and try running the command: getent passwd netwarrior
If you see output, it means your NSS is working.
Then you need to tweak /etc/pam.d/sshd to make PAM work.
Since netwarrior is an account in LDAP, pam_unix will return failure; if
you mark it as "required", then the whole PAM stack will end in
failure. In your auth and account parts you put "required", and that would
cause trouble. You may also want to add "use_first_pass" to the next PAM
auth module so it won't keep asking the user to type in a password.

Hope this helps.

Yu Wang
System Administrator
Department of Computer Science
Florida State University
Go Noles! ===;;>>

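As an added example (not code from the thread, from pam_ldap, or from PADL), the checklist in the reply above turned into a small script: it parses the body of /etc/ldap.conf, reports which of the listed keys are active, commented out or absent, and sanity-checks the nss_base_* search bases. The first sample is the ldap.conf quoted in the original post; the second is a constructed version with the reply's entries filled in, where the bind DN and password are placeholders.

```python
# Added example (not part of the thread): apply the checklist from the reply
# above to the body of /etc/ldap.conf and report which of the listed keys are
# active, commented out, or absent. Keys in ldap.conf are case-insensitive, so
# everything is lower-cased before comparison.

REQUIRED_KEYS = ["base", "uri", "binddn", "bindpw",
                 "nss_base_passwd", "nss_base_group"]
VALID_SCOPES = {"base", "one", "sub"}


def parse_ldap_conf(text):
    """Split ldap.conf text into active and commented-out key -> value maps.

    A later active directive overrides an earlier one for the same key.
    """
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line.startswith("#"):
            line = line.lstrip("#").strip()
            target = commented
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        target[parts[0].lower()] = parts[1].strip()
    return active, commented


def split_search_base(value):
    """'ou=Users,dc=example,dc=com?sub' -> ('ou=Users,dc=example,dc=com', 'sub').

    The scope suffix is optional; None is returned when it is absent.
    """
    base, sep, scope = value.partition("?")
    return base.strip(), (scope.strip().lower() if sep else None)


def check_ldap_conf(text):
    """Return ([(key, status), ...], [warning, ...]) in checklist order.

    'uri' is also satisfied by the older 'host' directive.
    """
    active, commented = parse_ldap_conf(text)
    report = []
    for key in REQUIRED_KEYS:
        if key in active or (key == "uri" and "host" in active):
            status = "ok"
        elif key in commented or (key == "uri" and "host" in commented):
            status = "commented out"
        else:
            status = "missing"
        report.append((key, status))

    warnings = []
    for key in ("nss_base_passwd", "nss_base_group"):
        if key in active:
            base, scope = split_search_base(active[key])
            if scope is not None and scope not in VALID_SCOPES:
                warnings.append(f"{key}: unknown scope {scope!r}")
            # The NSS search base should sit under the directory base.
            if "base" in active and not base.lower().endswith(active["base"].lower()):
                warnings.append(f"{key}: {base} is not under base {active['base']}")
    if active.get("ssl", "no").lower() != "no":
        warnings.append("ssl is enabled; get the plain-LDAP setup working first")
    return report, warnings


# The client ldap.conf as quoted in the original post (copied from the thread).
POSTED_LDAP_CONF = """
#BASE dc=netwarrior,dc=com
#URI ldap://127.0.0.1
#HOST 127.0.0.1
#TLS_CACERT /etc/ssl/server.crt
#TLS_REQCERT demand
TLS_REQCERT allow
#nss_base_passwd ou=Users,dc=netwarrior,dc=com?one
#nss_base_shadow ou=Users,dc=netwarrior,dc=com?one
#nss_base_group ou=Groups,dc=netwarrior,dc=com?one
"""

# Constructed: the reply's entries filled in; binddn/bindpw are placeholders.
FIXED_LDAP_CONF = """
base ou=Users,dc=netwarrior,dc=com
uri ldap://suse.netwarrior.com
binddn cn=PLACEHOLDER_BIND_ACCOUNT,dc=netwarrior,dc=com
bindpw PLACEHOLDER_PASSWORD
nss_base_passwd ou=Users,dc=netwarrior,dc=com?sub
nss_base_group ou=Users,dc=netwarrior,dc=com?sub
ssl no
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        report, warnings = check_ldap_conf(conf)
        print(name, report, warnings)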


-----Original Message-----
From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com]
On Behalf Of Net Warrior
Sent: Wednesday, October 11, 2006 9:49 AM
To: PAM Mailing List
Subject: LDAP + PAM

Hi there guys, I'm asking here cuz on the openldap mailing list I was banned
cuz they say that PAM is off-topic and not LDAP related.

My goal is to get rid of the /etc/passwd file and authenticate my users via
an LDAP database.

So, here is what I've done,

System opensuse 10.1

common-auth
auth required pam_env.so
auth required pam_unix2.so
auth sufficient pam_ldap.so

common-account
account required pam_unix2.so 
account sufficient pam_ldap.so

login
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
auth sufficient pam_ldap.so

auth required pam_mail.so
account include common-account 
password include common-password
session include common-session
session required pam_resmgr.so


common-session
session required pam_limits.so
session required pam_unix2.so 
session sufficient pam_ldap.so 


ssh

#%PAM-1.0
auth include common-auth
auth required pam_nologin.so
account include common-account
password include common-password 
session include common-session



The user netwarrior is not part of the Unix passwd system, cuz I wanna
get rid of it; I want all my users to reside in the LDAP database.
netwarrior was added like this: smbldap-useradd netwarrior
Then:
linux:/usr/local/sbin # ./smbldap-usershow netwarrior

dn: uid=netwarrior,ou=Users,dc=netwarrior,dc=com
objectClass: top,inetOrgPerson,posixAccount,shadowAccount 
cn: netwarrior
sn: netwarrior
uid: netwarrior
uidNumber: 1005
gidNumber: 513
homeDirectory: /home/netwarrior
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {SSHA}wcM+uu6ExMHrxWOebO2wVQ/rwMpmWDNI 
linux:/usr/local/sbin # 

linux:/usr/local/sbin # ./smbldap-passwd netwarrior and gave it a
password

When trying, for example, ssh netwarrior at suse from a remote machine
using ssh I get:

NOTE: This remote machine does not authenticate to the LDAP server or
whatever, PDC and so on; I just try to make an ssh connection using a
known user.

tail -f /var/log/messages
Oct 9 22:05:32 linux sshd[7005]: Invalid user netwarrior from
172.16.4.100


Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SRCH
base="dc=example,dc=com" scope=2 deref=0 filter="(uid=netwarrior)" 
Oct 9 22:06:16 linux slapd[6910]: send_ldap_result: conn=10 op=2 p=3
Oct 9 22:06:16 linux slapd[6910]: send_ldap_result: err=10 matched=""
text=""
Oct 9 22:06:16 linux slapd[6910]: send_ldap_response: msgid=3 tag=101
err=32 
Oct 9 22:06:16 linux sshd[7010]: pam_ldap: ldap_search_s No such object
Oct 9 22:06:16 linux sshd[7008]: error: PAM: User not known to the
underlying authentication module for illegal user netwarrior from
freebsd 

Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SEARCH RESULT tag=101
err=32 nentries=0 text=
Oct 9 22:06:16 linux slapd[6910]: daemon: activity on 1 descriptors
Oct 9 22:06:16 linux slapd[6910]: daemon: activity on: 
Oct 9 22:06:16 linux slapd[6910]: 12r
Oct 9 22:06:16 linux slapd[6910]:
Oct 9 22:06:16 linux slapd[6910]: daemon: read activity on 12
Oct 9 22:06:16 linux slapd[6910]: connection_get(12)
Oct 9 22:06:16 linux slapd[6910]: connection_get(12): got connid=10 
Oct 9 22:06:16 linux slapd[6910]: connection_read(12): checking for
input on id=10
Oct 9 22:06:16 linux slapd[6910]: ber_get_next on fd 12 failed errno=0
(Success)
Oct 9 22:06:16 linux slapd[6910]: connection_read(12): input error=-2
id=10, closing. 
Oct 9 22:06:16 linux sshd[7008]: Failed keyboard-interactive/pam for
invalid user netwarrior from 172.16.4.100 port 57885 ssh2


example??? -> the base dn is netwarrior, where did it take
"dc=example,dc=com" from? What am I missing?

ldap.conf in the server machine is like this

#BASE dc=netwarrior,dc=com
#URI ldap://127.0.0.1
#HOST 127.0.0.1

#TLS_CACERT /etc/ssl/server.crt
#TLS_REQCERT demand 


#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT allow

#nss_base_passwd ou=Users,dc=netwarrior,dc=com?one
#nss_base_shadow ou=Users,dc=netwarrior,dc=com?one
#nss_base_group ou=Groups,dc=netwarrior,dc=com?one 

BASE, URI, HOST and nss* uncommented make no difference.


slapd.conf reads like this:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
#TLSCACertificateFile /etc/ssl/server.csr
TLSCertificateFile /etc/ssl/server.crt 
TLSCertificateKeyFile /etc/ssl/server.key
TLSVerifyClient try

In sshd_conf I've got:
UsePAM yes



Thanks in advance, sorry for the noise.
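The reply's diagnosis of the common-auth stack above, as an added illustration (not code from the thread or from Linux-PAM itself): a small Python model of how Linux-PAM walks an auth stack with the simple control flags (required, requisite, sufficient, optional), run once over the posted stack and once over a reordered one. Module outcomes are a constructed table, not real module calls, and the "fixed" stack is one common arrangement assumed here for comparison, not something the reply dictates; the prompt count models what use_first_pass changes.

```python
# Added example (not part of the thread): model Linux-PAM's evaluation of an
# "auth" stack to show why the posted common-auth rejects an LDAP-only user.
# Module outcomes are supplied as a table; no real PAM modules are invoked.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# Modules that ask for a password unless told to reuse an earlier one.
PASSWORD_MODULES = {"pam_unix.so", "pam_unix2.so", "pam_ldap.so"}


def parse_stack(text, facility="auth"):
    """Parse pam.d-style lines into (control, module, args) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != facility:
            continue
        stack.append((fields[1], fields[2], fields[3:]))
    return stack


def run_auth(stack, outcomes):
    """Evaluate an auth stack with the simple Linux-PAM control flags.

    outcomes maps module name -> return code for the user under test; modules
    not listed (e.g. pam_env.so) succeed. Returns (final_result, prompts).
    """
    first_required_failure = None
    prompts = 0
    have_password = False
    for control, module, args in stack:
        rc = outcomes.get(module, PAM_SUCCESS)
        if module in PASSWORD_MODULES:
            if not (have_password and "use_first_pass" in args):
                prompts += 1  # the user is asked for a password again
            have_password = True
        ok = rc == PAM_SUCCESS
        if control == "required":
            # Failure is remembered but the rest of the stack still runs,
            # so a later "sufficient" success cannot rescue the login.
            if not ok and first_required_failure is None:
                first_required_failure = rc
        elif control == "requisite":
            if not ok:
                return rc, prompts
        elif control == "sufficient":
            # Success ends the stack only if no required module failed before.
            if ok and first_required_failure is None:
                return PAM_SUCCESS, prompts
        elif control != "optional":
            raise ValueError("unsupported control flag: " + control)
    return first_required_failure or PAM_SUCCESS, prompts


# common-auth exactly as posted above.
POSTED_COMMON_AUTH = """
auth required pam_env.so
auth required pam_unix2.so
auth sufficient pam_ldap.so
"""

# Assumed alternative: neither password module is "required", pam_ldap reuses
# the password pam_unix2 collected, and pam_deny closes the stack.
FIXED_COMMON_AUTH = """
auth required   pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""

# Constructed outcome tables for three kinds of user.
LDAP_ONLY_USER = {"pam_unix2.so": PAM_USER_UNKNOWN, "pam_ldap.so": PAM_SUCCESS,
                  "pam_deny.so": PAM_AUTH_ERR}
LOCAL_USER = {"pam_unix2.so": PAM_SUCCESS, "pam_ldap.so": PAM_USER_UNKNOWN,
              "pam_deny.so": PAM_AUTH_ERR}
UNKNOWN_USER = {"pam_unix2.so": PAM_USER_UNKNOWN, "pam_ldap.so": PAM_USER_UNKNOWN,
                "pam_deny.so": PAM_AUTH_ERR}


def compare(outcomes):
    """Return (posted_result, fixed_result) for one user's outcome table."""
    return (run_auth(parse_stack(POSTED_COMMON_AUTH), outcomes),
            run_auth(parse_stack(FIXED_COMMON_AUTH), outcomes))


if __name__ == "__main__":
    for name, table in (("ldap-only", LDAP_ONLY_USER), ("local", LOCAL_USER),
                        ("unknown", UNKNOWN_USER)):
        posted, fixed = compare(table)
        print(f"{name:10} posted={posted} fixed={fixed}")
```

For the LDAP-only user the posted stack ends in PAM_USER_UNKNOWN after two password prompts, which is the "User not known to the underlying authentication module" line in the sshd log above; the reordered stack accepts the same user after one prompt and still rejects a user known to neither source.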





