Problem with pam_ldap
Nuno Manuel Martins
nuno.mmartins_externo at sonae.com
Wed Apr 9 08:35:30 UTC 2008
Hi,
Thanks for the reply, but indeed nss was already setup with the following entries:
passwd: files ldap
shadow: files ldap
group: files ldap
getent command works and UIDs/GIDs in file permissions look correct:
[root at rh01 bin]# getent passwd | grep myuser
myuser:x:10002:10001:myUser (LDAP):/home/ldap/john:/bin/bash
[root at rh01 bin]# ls -lsa /home/ldap/john/
4 drwxr-x--- 2 myuser iam 4096 2008-02-15 17:17 .
-----Original Message-----
From: Robert Wolf [mailto:r.wolf.gentoo at atlas.cz]
Sent: Wednesday, 9 April 2008 8:44
To: Nuno Manuel Martins
Subject: Re: Problem with pam_ldap
Hi,
it looks like you have not configured NSS (nss-ldap) to use the LDAP server for
the list of users. Does the command getent passwd myuser find the user "myuser"? If
not, then the system does not know anything about this user and does not want
to authenticate it.
You have to setup both nss-ldap (for system to be able to see LDAP users) and
pam-ldap (for PAM to authenticate using LDAP).
Regards,
Wolf.
On Tue, 8 Apr 2008, Nuno Manuel Martins wrote:
>
> Hello,
>
> I am currently using OpenLDAP for authentication and it seems I'm having some trouble explaining to PAM what it should be doing. I get this error when trying to log in with an LDAP user through ssh:
>
> Apr 8 16:38:16 rh01 sshd[11045]: debug1: userauth-request for user myuser service ssh-connection method password
> Apr 8 16:38:16 rh01 sshd[11045]: debug1: attempt 1 failures 1
> Apr 8 16:38:17 rh01 sshd[11044]: pam_unix(sshd:auth): check pass; user unknown
> Apr 8 16:38:17 rh01 sshd[11044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rh01.localdomain
> Apr 8 16:38:17 rh01 sshd[11044]: pam_succeed_if(sshd:auth): error retrieving information about user myuser
> Apr 8 16:38:19 rh01 sshd[11044]: debug1: PAM: password authentication failed for an illegal user: User not known to the underlying authentication module
> Apr 8 16:38:19 rh01 sshd[11044]: Failed password for invalid user myuser from 127.0.0.1 port 42064 ssh2
>
> So it seems he just doesn't recognize the user (stored in LDAP directory). I had this working before but then I made some changes to try to make the pam files more readable and now they never got back to working ... :)
>
> Here is my system-auth file in /etc/pam.d
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient /lib/security/pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient /lib/security/pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional /lib/security/pam_ldap.so
>
> And here is sshd file in the same directory
> #%PAM-1.0
> auth sufficient /lib/security/pam_ldap.so
> auth include system-auth
> account sufficient /lib/security/pam_ldap.so
> account required pam_nologin.so
> account include system-auth
> password required /lib/security/pam_ldap.so
> password include system-auth
>
> session sufficient /lib/security/pam_ldap.so
>
> password sufficient pam_unix.so ssha shadow nullok try_first_pass use_authtok
>
>
> session optional pam_keyinit.so force revoke
> session include system-auth
> session required pam_loginuid.so
>
> As part of the "file clean-up" I was only using the "include" directives but since it stopped working I reverted back to explicitly telling what module to use... still doesn't work though. Can anyone see why SSH doesn't even try to authenticate against the OpenLDAP directory?
>
> Thank you,
> Nuno
>
>
>
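As an added illustration (not part of this thread), here is a small Python model of how the sshd auth stack above is evaluated: it expands the include directive, then applies the keyword control flags to constructed per-module outcomes. It assumes an include-only sshd file plus the auth section of the quoted system-auth file; the outcome dictionaries are constructed stand-ins for real PAM return codes, and they show why the requisite pam_succeed_if gate ends the stack before pam_ldap is consulted whenever NSS cannot resolve the user.

```python
"""Flatten a PAM auth stack (expanding 'include') and walk it with constructed
per-module outcomes to see which module actually decides the result."""
import os
# Constructed: an include-only sshd file plus the auth lines quoted in the thread.
PAM_FILES = {
    "sshd": "auth include system-auth\n",
    "system-auth": """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required pam_deny.so
""",
}

def flatten(service, files=PAM_FILES):
    """Auth stack as [(control, module)]; keyword controls only, not [x=y] syntax."""
    stack = []
    for line in files[service].splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue                      # comments, blanks, other module types
        control, target = parts[1], parts[2]
        if control == "include":
            stack.extend(flatten(target, files))
        else:
            stack.append((control, os.path.basename(target).removesuffix(".so")))
    return stack

def walk(stack, outcomes):
    """Apply Linux-PAM control semantics; returns (result, modules consulted)."""
    required_failed, consulted = False, []
    for control, module in stack:
        rc = outcomes.get(module, "ok")   # modules not listed are assumed to pass
        consulted.append(module)
        if control == "requisite" and rc != "ok":
            return "fail", consulted      # stop at once; later modules never run
        if control == "required" and rc != "ok":
            required_failed = True        # remember the failure, keep walking
        if control == "sufficient" and rc == "ok" and not required_failed:
            return "ok", consulted
    return ("fail" if required_failed else "ok"), consulted

# Constructed outcomes without, and with, NSS resolving the user (uid 10002 >= 500).
NSS_BROKEN = {"pam_unix": "user_unknown", "pam_succeed_if": "fail", "pam_deny": "fail"}
NSS_OK = {"pam_unix": "fail", "pam_succeed_if": "ok", "pam_ldap": "ok", "pam_deny": "fail"}

if __name__ == "__main__":
    for name, outcomes in (("nss broken", NSS_BROKEN), ("nss ok", NSS_OK)):
        print(name, walk(flatten("sshd"), outcomes))
```

The "nss broken" walk stops after pam_env, pam_unix and pam_succeed_if, matching the three module lines in the quoted sshd log; once getent resolves the user, the gate passes and pam_ldap decides the result.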