Problem with pam_ldap

Nuno Manuel Martins nuno.mmartins_externo at sonae.com
Wed Apr 9 08:35:30 UTC 2008


Hi,

Thanks for the reply, but indeed nss was already set up with the following entries:
        passwd:     files ldap
        shadow:     files ldap
        group:      files ldap

getent command works and UIDs/GIDs in file permissions look correct:
[root at rh01 bin]# getent passwd | grep myuser
myuser:x:10002:10001:myUser (LDAP):/home/ldap/john:/bin/bash


[root at rh01 bin]# ls -lsa /home/ldap/john/
4 drwxr-x--- 2 myuser iam  4096 2008-02-15 17:17 .

-----Original Message-----
From: Robert Wolf [mailto:r.wolf.gentoo at atlas.cz]
Sent: Wednesday, 9 April 2008 8:44
To: Nuno Manuel Martins
Subject: Re: Problem with pam_ldap


Hi,

it looks like you have not configured NSS (nss-ldap) to use LDAP server for
list of users. Does the command getent passwd myuser find the user "myuser"? If
not, then the system does not know anything about this user and does not want
to authenticate it.

You have to setup both nss-ldap (for system to be able to see LDAP users) and
pam-ldap (for PAM to authenticate using LDAP).


Regards,


Wolf.



On Tue, 8 Apr 2008, Nuno Manuel Martins wrote:

>
> Hello,
>
> I am currently using OpenLDAP for authentication and it seems I'm having some troubles explaining to PAM what it should be doing. I get this error when trying to login with an ldap user through ssh:
>
> Apr  8 16:38:16 rh01 sshd[11045]: debug1: userauth-request for user myuser service ssh-connection method password
> Apr  8 16:38:16 rh01 sshd[11045]: debug1: attempt 1 failures 1
> Apr  8 16:38:17 rh01 sshd[11044]: pam_unix(sshd:auth): check pass; user unknown
> Apr  8 16:38:17 rh01 sshd[11044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rh01.localdomain
> Apr  8 16:38:17 rh01 sshd[11044]: pam_succeed_if(sshd:auth): error retrieving information about user myuser
> Apr  8 16:38:19 rh01 sshd[11044]: debug1: PAM: password authentication failed for an illegal user: User not known to the underlying authentication module
> Apr  8 16:38:19 rh01 sshd[11044]: Failed password for invalid user myuser from 127.0.0.1 port 42064 ssh2
>
> So it seems he just doesn't recognize the user (stored in LDAP directory). I had this working before but then I made some changes to try to make the pam files more readable and now they never got back to working ... :)
>
> Here is my system-auth file in /etc/pam.d
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    /lib/security/pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      /lib/security/pam_ldap.so
>
> And here is sshd file in the same directory
> #%PAM-1.0
> auth       sufficient      /lib/security/pam_ldap.so
> auth       include      system-auth
> account    sufficient      /lib/security/pam_ldap.so
> account    required     pam_nologin.so
> account    include      system-auth
> password   required        /lib/security/pam_ldap.so
> password   include      system-auth
>
> session    sufficient      /lib/security/pam_ldap.so
>
> password    sufficient    pam_unix.so ssha shadow nullok try_first_pass use_authtok
>
>
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
>
> As part of the "file clean-up" I was only using the "include" directives but since it stopped working I reverted back to explicitly telling what module to use... still doesn't work though. Can anyone see why SSH doesn't even try to authenticate against the OpenLDAP directory?
>
> Thank you,
> Nuno
>
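A simplified model of how libpam walks the auth stack of the system-auth file quoted above, added here as an illustration; it is not part of the thread and not Linux-PAM's dispatch code, and the per-module return values (NSS_BROKEN, NSS_WORKING) are constructed assumptions. It shows why pam_ldap is never consulted while the user cannot be resolved through NSS: the requisite pam_succeed_if entry returns user_unknown and terminates the stack before pam_ldap is reached.

```python
import re
# Shorthand control flags as the bracketed [value=action] form (pam.conf(5)).
SHORTHAND = {"required":   {"success": "ok",   "default": "bad"},
             "requisite":  {"success": "ok",   "default": "die"},
             "sufficient": {"success": "done", "default": "ignore"},
             "optional":   {"success": "ok",   "default": "ignore"}}
# The 'auth' section of the system-auth file quoted in the thread.
SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""
def parse_stack(text, stack_type="auth"):
    """Return (control, module) pairs for one management group of a pam.d file."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)", line)
        if not m or m.group(1) != stack_type:
            continue
        control, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        if control.startswith("["):   # explicit [value=action ...] syntax
            control = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            control = SHORTHAND[control]
        entries.append((control, module))
    return entries

def evaluate(entries, outcomes):
    """Walk the stack with supplied per-module return values; give (result, modules called)."""
    failure, called = None, []
    for control, module in entries:
        rv = outcomes.get(module, "auth_err")      # unmodelled modules are assumed to fail
        called.append(module)
        action = control.get(rv, control["default"])
        if action == "ignore":
            continue                               # return value does not affect the stack
        if rv != "success" and failure is None:
            failure = rv                           # first recorded failure wins
        if action in ("die", "done"):
            return (failure or rv), called         # stop walking the stack here
    return (failure or "success"), called

# Constructed outcomes for an LDAP-only user: pam_unix has no local entry either way.
NSS_BROKEN = {"pam_env.so": "success", "pam_unix.so": "user_unknown",
              "pam_succeed_if.so": "user_unknown", "pam_ldap.so": "success"}
NSS_WORKING = {"pam_env.so": "success", "pam_unix.so": "auth_err",
               "pam_succeed_if.so": "success", "pam_ldap.so": "success"}
```

Running `evaluate(parse_stack(SYSTEM_AUTH), NSS_BROKEN)` stops after pam_succeed_if with user_unknown, matching the "error retrieving information about user" line in the sshd log, while NSS_WORKING reaches pam_ldap and succeeds.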