
Re: pam + ldap: pulling my hair out



rla g prideindustries com wrote:
My notes follow, maybe they'll help:

     aptitude install libpam-ldap
     aptitude install libnss-ldap

     /etc/libnss-ldap.conf - edit
     /etc/pam_ldap.conf - edit

     /etc/nsswitch.conf
      passwd: files ldap
      group:  files ldap
      shadow: files ldap

     /etc/pam.d/common-account
      account sufficient  /lib/security/pam_localuser.so
      account required    pam_ldap.so
      account required    pam_unix.so

     /etc/pam.d/common-auth
      auth  sufficient  pam_ldap.so
      auth  required    pam_unix.so use_first_pass nullok_secure

Rick

Thanks guys. I've tried it all, no luck. This is what's in my /var/log/auth.log:

Jun  3 17:46:34 selene sshd[12788]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun  3 17:46:34 selene sshd[12788]: pam_ldap: reconnecting to LDAP server...
Jun  3 17:46:34 selene sshd[12788]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun  3 17:46:34 selene sshd[12788]: pam_unix(sshd:auth): check pass; user unknown
Jun  3 17:46:34 selene sshd[12788]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ariel-wireless.seiner.lan
Jun  3 17:46:36 selene sshd[12788]: Failed password for invalid user yan from 192.168.128.200 port 34225 ssh2

The user yan is disabled in /etc/passwd and was migrated to ldap.

selene:/etc# /usr/sbin/slapd -g ldap -u ldap -f /etc/ldap/slapd.conf -d 1 -h "ldap:///0.0.0.0:389 ldaps:/// ldapi:///"
@(#) $OpenLDAP: slapd 2.4.11 (Oct 11 2008 10:18:55) $
vorlon borges:/home/devel/openldap/build-area/openldap-2.4.11/debian/build/servers/slapd
ldap_pvt_gethostbyname_a: host=selene, r=0
daemon_init: listen on ldap:///0.0.0.0:389
daemon_init: listen on ldaps:///
daemon_init: listen on ldapi:///
daemon_init: 3 listeners to open...
ldap_url_parse_ext(ldap:///0.0.0.0:389)
daemon: listener initialized ldap:///0.0.0.0:389
ldap_url_parse_ext(ldaps:///)
daemon: listener initialized ldaps:///
ldap_url_parse_ext(ldapi:///)
daemon: listener initialized ldapi:///
daemon_init: 5 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
.....
config_build_entry: "cn={2}nis"
config_build_entry: "cn={3}inetorgperson"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}hdb"
backend_startup_one: starting "dc=seiner,dc=lan"
hdb_db_open: database "dc=seiner,dc=lan": dbenv_open(/var/lib/ldap).
slapd starting

and nothing.....  I can telnet into that port, and ldap immediately logs it:

slap_listener_activate(8):
>>> slap_listener(ldap:///192.168.128.6:389)

The only thing I can think of is that pam_ldap.conf is not being parsed. strings on pam_ldap.so show that /etc/pam_ldap.conf is in fact hardcoded. Here it is, stripped of comments:

selene:/etc# grep -v \# pam_ldap.conf | grep -v '^ *$'
host 192.168.128.6
base dc=seiner,dc=lan
ldap_version 3
rootbinddn cn=admin,dc=seiner,dc=lan
pam_password crypt

selene:/etc# cat nsswitch.conf
passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat

selene:/etc# grep -v \# /etc/pam.d/common-account | grep -v '^ *$'
     account sufficient  /lib/security/pam_localuser.so
     account required    pam_ldap.so debug
     account required    pam_unix.so

selene:/etc# grep -v \# /etc/pam.d/common-auth | grep -v '^ *$'
auth  sufficient  pam_ldap.so debug
auth  required    pam_unix.so use_first_pass nullok_secure

Any ideas at all?

On Wednesday 03 June 2009, Yan Seiner wrote:
I've been trying to figure out how to get pam authentication working
with ldap.  From what I've read, it should "just work".  In my case, it
"just fails".

No matter what I try, I get

Jun  3 06:16:42 selene dovecot-auth: pam_ldap: reconnecting to LDAP server...
Jun  3 06:16:42 selene dovecot-auth: pam_ldap: ldap_simple_bind Can't contact LDAP server

I get this with every service I try; not just imap.

I've turned on debugging in ldap; pam is not connecting to the ldap
server at all.

AFAICT, I have all of my pam modules set up correctly; at least I've
followed the debian pam + ldap wiki and it all seems to make sense,
except that pam never tries to actually connect to port 389.
/etc/pam_ldap.conf has all the correct uri for the ldap server.

Is there some way to turn on debugging in pam?  Some way to see what
it's doing?  A way to examine the modules it's using?

Thanks,

--Yan





--
Yan Seiner
Support my bid for the 4J School Board.
Visit http://www.seiner.com/schoolboard
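An added example, not code from the thread, from pam_ldap or from OpenLDAP: a small client-side probe that does what pam_ldap's ldap_simple_bind does on the wire (TCP connect, then an LDAPv3 simple BindRequest encoded per RFC 4511) so that "Can't contact LDAP server" can be separated from "contacted, but the bind was refused". It parses a pam_ldap.conf in the same keyword-value form as the one posted above (the sample config below is a constructed copy of it), and the target 192.168.128.6:389 and dc=seiner,dc=lan come from the thread. That `uri` takes precedence over `host`/`port` when both are present is an assumption about pam_ldap's behaviour; the RESULT_NAMES table lists only a few codes from RFC 4511.

```python
"""Probe what pam_ldap would do: parse pam_ldap.conf, then connect and send
an LDAPv3 simple bind.  Added example; not the thread's or pam_ldap's code."""
import socket

# Constructed sample: the pam_ldap.conf posted in the thread, comments stripped.
SAMPLE_PAM_LDAP_CONF = """\
host 192.168.128.6
base dc=seiner,dc=lan
ldap_version 3
rootbinddn cn=admin,dc=seiner,dc=lan
pam_password crypt
"""

def parse_pam_ldap_conf(text):
    """pam_ldap.conf is 'keyword value' per line, keywords case-insensitive.
    Repeated keywords are kept in order so several 'uri' lines all survive."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        cfg.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return cfg

def ldap_targets(cfg):
    """(scheme, host, port) in the order the client would try them.
    Assumption: 'uri' wins over 'host'/'port' when both are configured."""
    targets = []
    for uri_line in cfg.get("uri", []):
        for uri in uri_line.split():
            scheme, _, rest = uri.partition("://")
            host, _, port = rest.split("/", 1)[0].partition(":")
            default = 636 if scheme == "ldaps" else 389
            targets.append((scheme, host, int(port) if port else default))
    if targets:
        return targets
    port = int(cfg.get("port", ["389"])[0])
    for host_line in cfg.get("host", []):
        for host in host_line.split():
            targets.append(("ldap", host, port))
    return targets

def ber(tag, content):
    """Minimal BER TLV: one-byte tag, definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def ber_int(n):
    """Non-negative INTEGER in minimal two's-complement encoding."""
    return ber(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def bind_request(msg_id, dn="", password="", version=3):
    """LDAPMessage{messageID, BindRequest[APPLICATION 0]{version, name, simple[0]}}.
    Empty dn and password is the anonymous bind pam_ldap sends when no binddn
    (and no usable rootbinddn secret) is configured."""
    op = ber(0x60, ber_int(version) + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber_int(msg_id) + op)

def read_tlv(buf, pos):
    """Return (tag, content, position after the TLV) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

RESULT_NAMES = {0: "success", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def parse_bind_response(buf):
    """(resultCode, diagnosticMessage) from a BindResponse[APPLICATION 1]."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)                  # messageID
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse: tag 0x%02x" % tag)
    _, code, pos = read_tlv(resp, 0)              # resultCode ENUMERATED
    _, _, pos = read_tlv(resp, pos)               # matchedDN
    _, diag, _ = read_tlv(resp, pos)              # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe(host, port, dn="", password="", timeout=3.0):
    """TCP connect, then simple bind: 'connect-failed' is the thread's symptom;
    'bind' means the server was reached and answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1, dn, password))
            data = s.recv(4096)
    except OSError as exc:
        return ("connect-failed", str(exc))
    if not data:
        return ("closed", "server closed the connection without a BindResponse")
    code, diag = parse_bind_response(data)
    return ("bind", f"{code} {RESULT_NAMES.get(code, 'resultCode')} {diag}".strip())

if __name__ == "__main__":
    for scheme, host, port in ldap_targets(parse_pam_ldap_conf(SAMPLE_PAM_LDAP_CONF)):
        if scheme != "ldap":                      # ldaps needs TLS, ldapi a Unix socket
            print(scheme, host, port, "skipped: plain-LDAP probe only")
            continue
        print(scheme, host, port, probe(host, port))
```

Run it as the same account the failing service runs as (sshd's unprivileged child, dovecot-auth): a connect failure there with a working telnet from a root shell points at something between the process and the socket rather than at slapd, while a BindResponse with a non-zero resultCode means the server was contacted and the problem is credentials or server policy.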


