pam + ldap: pulling my hair out

Yan Seiner yan at seiner.com
Thu Jun 4 01:01:38 UTC 2009


rla at g.prideindustries.com wrote:
> My notes follow, maybe they'll help:
>
>      aptitude install libpam-ldap
>      aptitude install libnss-ldap
>
>      /etc/libnss-ldap.conf - edit
>
>      /etc/pam_ldap.conf - edit 
>
>      /etc/nsswitch.conf
>       passwd: files ldap
>       group:  files ldap
>       shadow: files ldap
>
>      /etc/pam.d/common-account
>       account sufficient  /lib/security/pam_localuser.so
>       account required    pam_ldap.so
>       account required    pam_unix.so
>
>      /etc/pam.d/common-auth
>       auth  sufficient  pam_ldap.so
>       auth  required    pam_unix.so use_first_pass nullok_secure
>
> Rick
>   

Thanks guys.  I've tried it all, no luck.  This is what's in my 
/var/log/auth.log:

Jun  3 17:46:34 selene sshd[12788]: pam_ldap: ldap_simple_bind Can't 
contact LDAP server
Jun  3 17:46:34 selene sshd[12788]: pam_ldap: reconnecting to LDAP server...
Jun  3 17:46:34 selene sshd[12788]: pam_ldap: ldap_simple_bind Can't 
contact LDAP server
Jun  3 17:46:34 selene sshd[12788]: pam_unix(sshd:auth): check pass; 
user unknown
Jun  3 17:46:34 selene sshd[12788]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=ariel-wireless.seiner.lan
Jun  3 17:46:36 selene sshd[12788]: Failed password for invalid user yan 
from 192.168.128.200 port 34225 ssh2

The user yan is disabled in /etc/passwd and was migrated to ldap.

selene:/etc# /usr/sbin/slapd -g ldap -u ldap -f /etc/ldap/slapd.conf -d 
1 -h "ldap:///0.0.0.0:389 ldaps:/// ldapi:///"
@(#) $OpenLDAP: slapd 2.4.11 (Oct 11 2008 10:18:55) $
    
vorlon at borges:/home/devel/openldap/build-area/openldap-2.4.11/debian/build/servers/slapd
ldap_pvt_gethostbyname_a: host=selene, r=0
daemon_init: listen on ldap:///0.0.0.0:389
daemon_init: listen on ldaps:///
daemon_init: listen on ldapi:///
daemon_init: 3 listeners to open...
ldap_url_parse_ext(ldap:///0.0.0.0:389)
daemon: listener initialized ldap:///0.0.0.0:389
ldap_url_parse_ext(ldaps:///)
daemon: listener initialized ldaps:///
ldap_url_parse_ext(ldapi:///)
daemon: listener initialized ldapi:///
daemon_init: 5 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  
3, 2003)
.....
config_build_entry: "cn={2}nis"
config_build_entry: "cn={3}inetorgperson"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}hdb"
backend_startup_one: starting "dc=seiner,dc=lan"
hdb_db_open: database "dc=seiner,dc=lan": dbenv_open(/var/lib/ldap).
slapd starting

and nothing.....  I can telnet into that port, and ldap immediately logs it:

slap_listener_activate(8):
 >>> slap_listener(ldap:///192.168.128.6:389)

The only thing I can think of is that pam_ldap.conf is not being 
parsed.  strings on pam_ldap.so show that /etc/pam_ldap.conf is in fact 
hardcoded.  Here it is, stripped of comments:

selene:/etc# grep -v \# pam_ldap.conf | grep -v '^ *$'
host 192.168.128.6
base dc=seiner,dc=lan
ldap_version 3
rootbinddn cn=admin,dc=seiner,dc=lan
pam_password crypt

selene:/etc# cat nsswitch.conf
passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat

selene:/etc# grep -v \# /etc/pam.d/common-account | grep -v '^ *$'
      account sufficient  /lib/security/pam_localuser.so
      account required    pam_ldap.so debug
      account required    pam_unix.so

selene:/etc# grep -v \# /etc/pam.d/common-auth | grep -v '^ *$'
auth  sufficient  pam_ldap.so debug
auth  required    pam_unix.so use_first_pass nullok_secure

Any ideas at all?

> On Wednesday 03 June 2009, Yan Seiner wrote:
>   
>> I've been trying to figure out how to get pam authentication working
>> with ldap.  From what I've read, it should "just work".  In my case, it
>> "just fails".
>>
>> No matter what I try, I get
>>
>> Jun  3 06:16:42 selene dovecot-auth: pam_ldap: reconnecting to LDAP
>> server...
>> Jun  3 06:16:42 selene dovecot-auth: pam_ldap: ldap_simple_bind Can't
>> contact LDAP server
>>
>> I get this with every service I try; not just imap.
>>
>> I've turned on debugging in ldap; pam is not connecting to the ldap
>> server at all.
>>
>> AFAICT, I have all of my pam modules set up correctly; at least I've
>> followed the debian pam + ldap wiki and it all seems to make sense,
>> except that pam never tries to actually connect to port 389.
>> /etc/pam_ldap.conf has all the correct uri for the ldap server.
>>
>> Is there some way to turn on debugging in pam?  Some way to see what
>> it's doing?  A way to examine the modules it's using?
>>
>> Thanks,
>>
>> --Yan
>>     
>


-- 
Yan Seiner 

Support my bid for the 4J School Board.
Visit http://www.seiner.com/schoolboard
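As an added example (not code from this thread, from pam_ldap, or from Linux-PAM), the script below walks the common-auth and common-account stacks quoted in the message the way the Linux-PAM dispatcher handles the simple control keywords (required, requisite, sufficient, optional), and derives the per-module outcomes from the two auth.log lines in the message. The return codes assigned to each module, the log regexes and the function names are assumptions chosen to match that excerpt; the stacks and log lines are copied from the message, with the wrapped log line rejoined.

```python
"""Walk the posted PAM stacks to see why the log reads the way it does.
Added example, not from the thread; module return codes are assumptions."""
import re

SUCCESS = "PAM_SUCCESS"
IGNORE = "PAM_IGNORE"
AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"  # pam_ldap: "Can't contact LDAP server"
USER_UNKNOWN = "PAM_USER_UNKNOWN"          # pam_unix: "check pass; user unknown"
PERM_DENIED = "PAM_PERM_DENIED"            # assumed pam_localuser result for a non-local user

# Stacks as posted in the message, comments stripped.
COMMON_AUTH = """
auth  sufficient  pam_ldap.so debug
auth  required    pam_unix.so use_first_pass nullok_secure
"""
COMMON_ACCOUNT = """
account sufficient  /lib/security/pam_localuser.so
account required    pam_ldap.so debug
account required    pam_unix.so
"""
# Two lines copied from the auth.log excerpt (the first one rejoined).
AUTH_LOG = """
Jun  3 17:46:34 selene sshd[12788]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun  3 17:46:34 selene sshd[12788]: pam_unix(sshd:auth): check pass; user unknown
"""

def parse_stack(text):
    """Parse 'type control module [args...]' lines into tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        module = parts[2].rsplit("/", 1)[-1]     # bare name or full path
        entries.append((parts[0], parts[1].lower(), module, parts[3:]))
    return entries

def evaluate(entries, outcomes):
    """Walk one stack with the simple control keywords.  `outcomes` maps
    module file name -> return code for this simulated call (unlisted modules
    return PAM_IGNORE).  Returns (final_code, trace of modules consulted)."""
    first_failure = None      # first required/requisite failure is what the app sees
    optional_code = None
    decisive_seen = False
    trace = []
    for _type, control, module, _args in entries:
        code = outcomes.get(module, IGNORE)
        trace.append((module, control, code))
        if code == IGNORE:
            continue
        ok = code == SUCCESS
        if control == "requisite":
            decisive_seen = True
            if not ok:
                return code, trace              # stop immediately
        elif control == "required":
            decisive_seen = True
            if not ok and first_failure is None:
                first_failure = code            # remember, keep walking
        elif control == "sufficient":
            decisive_seen = True
            if ok and first_failure is None:
                return SUCCESS, trace           # short-circuit; a failure is ignored
        elif control == "optional":
            optional_code = code                # counts only if nothing else decides
        else:
            raise ValueError("unsupported control flag: %r" % control)
    if first_failure is not None:
        return first_failure, trace
    if optional_code is not None and not decisive_seen:
        return optional_code, trace
    return SUCCESS, trace

def outcomes_from_log(log_text):
    """Map the pam_ldap / pam_unix messages in auth.log to module outcomes."""
    outcomes = {}
    for line in log_text.splitlines():
        if re.search(r"pam_ldap: .*Can't contact LDAP server", line):
            outcomes["pam_ldap.so"] = AUTHINFO_UNAVAIL
        elif re.search(r"pam_unix\([^)]*\): check pass; user unknown", line):
            outcomes["pam_unix.so"] = USER_UNKNOWN
    return outcomes

def auth_as_logged():
    """LDAP-only user, directory unreachable: what the posted log shows."""
    return evaluate(parse_stack(COMMON_AUTH), outcomes_from_log(AUTH_LOG))

def auth_with_ldap_reachable():
    """Same stack once pam_ldap can bind: pam_unix is never consulted."""
    return evaluate(parse_stack(COMMON_AUTH),
                    {"pam_ldap.so": SUCCESS, "pam_unix.so": USER_UNKNOWN})

def account_ldap_user_ldap_down():
    """Account phase for the LDAP-only user while the directory is down."""
    return evaluate(parse_stack(COMMON_ACCOUNT),
                    {"pam_localuser.so": PERM_DENIED,
                     "pam_ldap.so": AUTHINFO_UNAVAIL,
                     "pam_unix.so": USER_UNKNOWN})

def account_local_user_ldap_down():
    """Account phase for a user in /etc/passwd (root): pam_localuser is
    sufficient, so the unreachable directory is never consulted."""
    return evaluate(parse_stack(COMMON_ACCOUNT),
                    {"pam_localuser.so": SUCCESS,
                     "pam_ldap.so": AUTHINFO_UNAVAIL,
                     "pam_unix.so": SUCCESS})
```

Run the four functions and compare the traces: with the directory unreachable, pam_ldap is `sufficient`, so its failure is simply ignored and the stack falls through to `required` pam_unix, which has no entry for a user that exists only in LDAP and reports "user unknown", which is exactly what sshd then logs as "invalid user yan". Once pam_ldap can bind, the `sufficient` success ends the walk and pam_unix is never consulted. The account stack shows the flip side: a user present in /etc/passwd clears `pam_localuser` and never depends on the directory, so an LDAP outage with this ordering does not lock out local accounts.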




