pam + ldap: pulling my hair out

James Moore tophat at windstream.net
Fri Jun 5 03:00:11 UTC 2009


yan at seiner.com wrote:
> rla at g.prideindustries.com wrote:
> > My notes follow, maybe they'll help:
> >
> >      aptitude install libpam-ldap
> >      aptitude install libnss-ldap
> >
> >      /etc/libnss-ldap.conf - edit
> >
> >      /etc/pam_ldap.conf - edit 
> >
> >      /etc/nsswitch.conf
> >       passwd: files ldap
> >       group:  files ldap
> >       shadow: files ldap
> >
> >      /etc/pam.d/common-account
> >       account sufficient  /lib/security/pam_localuser.so
> >       account required    pam_ldap.so
> >       account required    pam_unix.so
> >
> >      /etc/pam.d/common-auth
> >       auth  sufficient  pam_ldap.so
> >       auth  required    pam_unix.so use_first_pass nullok_secure
> >
> > Rick
> >   
> 
> Thanks guys.  I've tried it all, no luck.  This is what's in my 
> /var/log/auth.log:
> 
> Jun  3 17:46:34 selene sshd[12788]: pam_ldap: ldap_simple_bind Can't 
> contact LDAP server
> Jun  3 17:46:34 selene sshd[12788]: pam_ldap: reconnecting to LDAP server...
> Jun  3 17:46:34 selene sshd[12788]: pam_ldap: ldap_simple_bind Can't 
> contact LDAP server
> Jun  3 17:46:34 selene sshd[12788]: pam_unix(sshd:auth): check pass; 
> user unknown
> Jun  3 17:46:34 selene sshd[12788]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=ariel-wireless.seiner.lan
> Jun  3 17:46:36 selene sshd[12788]: Failed password for invalid user yan 
> from 192.168.128.200 port 34225 ssh2
> 
> The user yan is disabled in /etc/passwd and was migrated to ldap.
> 
> selene:/etc# /usr/sbin/slapd -g ldap -u ldap -f /etc/ldap/slapd.conf -d 
> 1 -h "ldap:///0.0.0.0:389 ldaps:/// ldapi:///"
> @(#) $OpenLDAP: slapd 2.4.11 (Oct 11 2008 10:18:55) $
>     
> vorlon at borges:/home/devel/openldap/build-area/openldap-2.4.11/debian/build/servers/slapd
> ldap_pvt_gethostbyname_a: host=selene, r=0
> daemon_init: listen on ldap:///0.0.0.0:389
> daemon_init: listen on ldaps:///
> daemon_init: listen on ldapi:///
> daemon_init: 3 listeners to open...
> ldap_url_parse_ext(ldap:///0.0.0.0:389)
> daemon: listener initialized ldap:///0.0.0.0:389
> ldap_url_parse_ext(ldaps:///)
> daemon: listener initialized ldaps:///
> ldap_url_parse_ext(ldapi:///)
> daemon: listener initialized ldapi:///
> daemon_init: 5 listeners opened
> ldap_create
> slapd init: initiated server.
> slap_sasl_init: initialized!
> hdb_back_initialize: initialize HDB backend
> hdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  
> 3, 2003)
> .....
> config_build_entry: "cn={2}nis"
> config_build_entry: "cn={3}inetorgperson"
> config_build_entry: "olcDatabase={-1}frontend"
> config_build_entry: "olcDatabase={0}config"
> config_build_entry: "olcDatabase={1}hdb"
> backend_startup_one: starting "dc=seiner,dc=lan"
> hdb_db_open: database "dc=seiner,dc=lan": dbenv_open(/var/lib/ldap).
> slapd starting
> 
> and nothing.....  I can telnet into that port, and ldap immediately logs it:
> 
> slap_listener_activate(8):
>  >>> slap_listener(ldap:///192.168.128.6:389)
> 
> The only thing I can think of is that pam_ldap.conf is not being 
> parsed.  strings on pam_ldap.so show that /etc/pam_ldap.conf is in fact 
> hardcoded.  Here it is, stripped of comments:
> 
> selene:/etc# grep -v \# pam_ldap.conf | grep -v '^ *$'
> host 192.168.128.6
> base dc=seiner,dc=lan
> ldap_version 3
> rootbinddn cn=admin,dc=seiner,dc=lan
> pam_password crypt
> 
> selene:/etc# cat nsswitch.conf
> passwd:         ldap compat
> group:          ldap compat
> shadow:         ldap compat
> 
> selene:/etc# grep -v \# /etc/pam.d/common-account | grep -v '^ *$'
>       account sufficient  /lib/security/pam_localuser.so
>       account required    pam_ldap.so debug
>       account required    pam_unix.so
> 
> selene:/etc# grep -v \# /etc/pam.d/common-auth | grep -v '^ *$'
> auth  sufficient  pam_ldap.so debug
> auth  required    pam_unix.so use_first_pass nullok_secure
> 
> Any ideas at all?
> 
Yan,

Have you tried using OpenLDAP's ldapsearch to run a query manually from
the LDAP client system?

Like this:
ldapsearch -x -W -D cn=admin,dc=seiner,dc=lan -b dc=seiner,dc=lan -d 3
-H ldap://192.168.128.6 "(cn=yan)"

I'm assuming a lot about your configs; if the commandline switches given
here match your nss_ldap configuration the debug output might help
isolate the problem.  

If this doesn't help, you can always run tcpdump on the LDAP client or
server to capture the traffic passing between them and use wireshark to
analyze it.  Had to do this when troubleshooting Linux<->Active
Directory LDAP interoperability problems.  Saved me a lot of time.

Jim Moore




More information about the Pam-list mailing list