pam + ldap: pulling my hair out
Yan Seiner
yan at seiner.com
Thu Jun 4 01:01:38 UTC 2009
rla at g.prideindustries.com wrote:
> My notes follow, maybe they'll help:
>
> aptitude install libpam-ldap
> aptitude install libnss-ldap
>
> /etc/libnss-ldap.conf - edit
>
> /etc/pam_ldap.conf - edit
>
> /etc/nsswitch.conf
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> /etc/pam.d/common-account
> account sufficient /lib/security/pam_localuser.so
> account required pam_ldap.so
> account required pam_unix.so
>
> /etc/pam.d/common-auth
> auth sufficient pam_ldap.so
> auth required pam_unix.so use_first_pass nullok_secure
>
> Rick
>
Thanks guys. I've tried it all, no luck. This is what's in my
/var/log/auth.log:
Jun 3 17:46:34 selene sshd[12788]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 3 17:46:34 selene sshd[12788]: pam_ldap: reconnecting to LDAP server...
Jun 3 17:46:34 selene sshd[12788]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 3 17:46:34 selene sshd[12788]: pam_unix(sshd:auth): check pass; user unknown
Jun 3 17:46:34 selene sshd[12788]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ariel-wireless.seiner.lan
Jun 3 17:46:36 selene sshd[12788]: Failed password for invalid user yan from 192.168.128.200 port 34225 ssh2
The user yan is disabled in /etc/passwd and was migrated to ldap.
selene:/etc# /usr/sbin/slapd -g ldap -u ldap -f /etc/ldap/slapd.conf -d 1 -h "ldap:///0.0.0.0:389 ldaps:/// ldapi:///"
@(#) $OpenLDAP: slapd 2.4.11 (Oct 11 2008 10:18:55) $
vorlon at borges:/home/devel/openldap/build-area/openldap-2.4.11/debian/build/servers/slapd
ldap_pvt_gethostbyname_a: host=selene, r=0
daemon_init: listen on ldap:///0.0.0.0:389
daemon_init: listen on ldaps:///
daemon_init: listen on ldapi:///
daemon_init: 3 listeners to open...
ldap_url_parse_ext(ldap:///0.0.0.0:389)
daemon: listener initialized ldap:///0.0.0.0:389
ldap_url_parse_ext(ldaps:///)
daemon: listener initialized ldaps:///
ldap_url_parse_ext(ldapi:///)
daemon: listener initialized ldapi:///
daemon_init: 5 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
.....
config_build_entry: "cn={2}nis"
config_build_entry: "cn={3}inetorgperson"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}hdb"
backend_startup_one: starting "dc=seiner,dc=lan"
hdb_db_open: database "dc=seiner,dc=lan": dbenv_open(/var/lib/ldap).
slapd starting
and nothing..... I can telnet into that port, and ldap immediately logs it:
slap_listener_activate(8):
>>> slap_listener(ldap:///192.168.128.6:389)
The only thing I can think of is that pam_ldap.conf is not being
parsed. strings on pam_ldap.so show that /etc/pam_ldap.conf is in fact
hardcoded. Here it is, stripped of comments:
selene:/etc# grep -v \# pam_ldap.conf | grep -v '^ *$'
host 192.168.128.6
base dc=seiner,dc=lan
ldap_version 3
rootbinddn cn=admin,dc=seiner,dc=lan
pam_password crypt
selene:/etc# cat nsswitch.conf
passwd: ldap compat
group: ldap compat
shadow: ldap compat
selene:/etc# grep -v \# /etc/pam.d/common-account | grep -v '^ *$'
account sufficient /lib/security/pam_localuser.so
account required pam_ldap.so debug
account required pam_unix.so
selene:/etc# grep -v \# /etc/pam.d/common-auth | grep -v '^ *$'
auth sufficient pam_ldap.so debug
auth required pam_unix.so use_first_pass nullok_secure
Any ideas at all?
> On Wednesday 03 June 2009, Yan Seiner wrote:
>
>> I've been trying to figure out how to get pam authentication working
>> with ldap. From what I've read, it should "just work". In my case, it
>> "just fails".
>>
>> No matter what I try, I get
>>
>> Jun 3 06:16:42 selene dovecot-auth: pam_ldap: reconnecting to LDAP
>> server...
>> Jun 3 06:16:42 selene dovecot-auth: pam_ldap: ldap_simple_bind Can't
>> contact LDAP server
>>
>> I get this with every service I try; not just imap.
>>
>> I've turned on debugging in ldap; pam is not connecting to the ldap
>> server at all.
>>
>> AFAICT, I have all of my pam modules set up correctly; at least I've
>> followed the debian pam + ldap wiki and it all seems to make sense,
>> except that pam never tries to actually connect to port 389.
>> /etc/pam_ldap.conf has all the correct uri for the ldap server.
>>
>> Is there some way to turn on debugging in pam? Some way to see what
>> it's doing? A way to examine the modules it's using?
>>
>> Thanks,
>>
>> --Yan
>>
--
Yan Seiner
Support my bid for the 4J School Board.
Visit http://www.seiner.com/schoolboard
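Added example, not part of the thread: a small Python checker that reads a pam_ldap.conf in the format shown above, derives the ldap(s):// URIs pam_ldap would try (a uri line overrides host/port/ssl), and does a plain TCP connect to each, so a "Can't contact LDAP server" message can be separated from a network-level problem. The config text is a constructed copy of the poster's stripped pam_ldap.conf; the socket check is run from the client host, which is what matters for pam_ldap.

```python
import re
import socket

# Constructed sample, mirroring the stripped pam_ldap.conf shown in the post.
SAMPLE_CONF = """\
host 192.168.128.6
base dc=seiner,dc=lan
ldap_version 3
rootbinddn cn=admin,dc=seiner,dc=lan
pam_password crypt
"""

def parse_pam_ldap_conf(text):
    """Return {key: value} for the non-comment, non-blank lines of a pam_ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # keyword, then the rest of the line
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def ldap_uris(conf):
    """Servers pam_ldap will try: 'uri' wins; otherwise each 'host' entry with
    'port' (default 389, or 636 when 'ssl on')."""
    if "uri" in conf:
        return conf["uri"].split()
    scheme = "ldaps" if conf.get("ssl", "").lower() == "on" else "ldap"
    port = conf.get("port") or ("636" if scheme == "ldaps" else "389")
    return [f"{scheme}://{h}:{port}" for h in conf.get("host", "").split()]

def tcp_reachable(uri, timeout=3.0):
    """Plain TCP connect to the host:port of an ldap(s):// URI; None for ldapi:// or
    a URI with no host, which this check cannot exercise."""
    m = re.match(r"(ldaps?)://([^:/]+)(?::(\d+))?", uri)
    if not m:
        return None
    host = m.group(2)
    port = int(m.group(3) or (636 if m.group(1) == "ldaps" else 389))
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check(text):
    """Map each derived URI to True/False/None reachability from this host."""
    return {u: tcp_reachable(u) for u in ldap_uris(parse_pam_ldap_conf(text))}

if __name__ == "__main__":
    for uri, ok in check(SAMPLE_CONF).items():
        print(uri, {True: "reachable", False: "NOT reachable", None: "not checked"}[ok])
```

If the TCP connect succeeds but pam_ldap still logs "Can't contact LDAP server", the module is not using this file or these values (wrong config path, or a uri/host line it does not parse), rather than the network.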