Sid libpam-ldap, pam.d files

Hey all,

I'm working on trying to get local and remote logins via ldap on a
Debian sid box. For the most part I've been following the DebianWiki
examples at http://wiki.debian.net/index.cgi?LDAPAuthentication.

/etc/libnss-ldap is working both with and without nscd running; a file
created with the ownership of an ldap-only user displays the uid and
group labels correctly instead of the user/group numbers. This tells me
that libnss-ldap.conf is configured correctly, and that the ldap
directory is answering anonymous searches correctly. getent displays
the file and ldap info for passwd and group.

I'm having problems getting libpam-ldap working. I can't seem to get pam
to authenticate the login. The docs on pam_ldap.conf claim libnss-ldap
compatibility, so these files are exactly the same. I have the correct
passwd in /etc/ldap.secret.

The problem appears (I think) to be with the pam.d files. Sid uses
included common-* files for passwd, session, auth and account.

libpam-ldap seems to be querying the directory correctly, based on this
snippet from the slapd logs regarding ACLs and a failed login attempt.

May 16 13:09:57 stork slapd[908]: => acl_mask: access to entry "cn=admin,dc=pwgroup,dc=ca", attr "userPassword" requested
May 16 13:09:57 stork slapd[908]: => acl_mask: to all values by "", (=n)
May 16 13:09:57 stork slapd[908]: <= check a_dn_pat: cn=admin,dc=pwgroup,dc=ca
May 16 13:09:57 stork slapd[908]: <= check a_dn_pat: self
May 16 13:09:57 stork slapd[908]: <= check a_dn_pat: *
May 16 13:09:57 stork slapd[908]: <= acl_mask: [3] applying auth(=x) (stop)
May 16 13:09:57 stork slapd[908]: <= acl_mask: [3] mask: auth(=x)
May 16 13:09:57 stork slapd[908]: => access_allowed: auth access granted by auth(=x)

The appropriate slapd.conf acl is:
access to attribute=userPassword
        by dn="cn=admin,dc=pwgroup,dc=ca" write
        by self write
        by * auth


The auth log lists the failure as:
May 16 13:09:57 stork sshd[2747]: Illegal user riva from 192.168.95.4
May 16 13:09:59 stork sshd[2747]: Failed unknown for illegal user riva from 192.168.95.4 port 38281 ssh2

A $>ps axfw lists this after the attempted login:

2791 ?        Ss     0:00  \_ sshd: unknown [priv]
2792 ?        Z      0:00  |   \_ [sshd] <defunct>
2794 ?        S      0:00  |   \_ sshd: riva [pam]


An anonymous ldapsearch of "uid=riva,ou=People,dc=pwgroup,dc=ca" works
without displaying the protected fields, and an authenticated search as
both "riva" and "admin" shows the complete record.

Regarding pam, all I've edited is the /etc/pam.d/common-* files:

common-account:
account sufficient      pam_ldap.so debug
account required        pam_unix.so debug

common-auth:
auth sufficient pam_ldap.so debug
auth required pam_unix.so nullok_secure debug try_first_pass debug

common-passwd:
password sufficient pam_ldap.so ignore_unknown_user md5 debug
password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass debug

/etc/pam.d/ssh includes all of these in its configuration.

To fill the directory I use the tools from padl.com in the samba src.
I've configured smbldap_conf.pm with the MD5 hashtype.

I'm at a loss to understand why pam isn't recognizing the username in
ldap as a legal user. Does anyone have any ideas regarding this?

Cheers,
lance

-- 
Lance Levsen,
Public Key at:
gpg --keyserver wwwkeys.pgp.net --recv-keys 0xF2DA79C8
_______________________________________________
LinuxManagers mailing list - http://www.linuxmanagers.org
submissions: LinuxManagers@linuxmanagers.org
subscribe/unsubscribe: http://www.linuxmanagers.org/mailman/listinfo/linuxmanagers
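As an added example (not from the original post), a small Python model of how Linux-PAM's control flags combine per-module results for a stack like the common-auth quoted above; the module results passed to evaluate() are constructed inputs, and the rules are the simplified required/requisite/sufficient/optional semantics rather than the full [value=action] syntax.

```python
from dataclasses import dataclass, field

CONTROLS = ("required", "requisite", "sufficient", "optional")

@dataclass
class Entry:
    type: str        # auth, account, password or session
    control: str     # one of CONTROLS
    module: str      # e.g. pam_ldap.so
    args: list[str] = field(default_factory=list)

def parse_stack(text: str) -> list[Entry]:
    """Parse pam.d lines of the form: <type> <control> <module> [args...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] not in CONTROLS:
            raise ValueError(f"unsupported pam line: {line!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3:]))
    return entries

def evaluate(stack: list[Entry], results: dict[str, str]) -> str:
    """Combine per-module results ('success' or an error code such as
    'user_unknown') into the stack's overall result (simplified PAM rules)."""
    failure = None                      # first failure of a required module
    for e in stack:
        r = results[e.module]
        if e.control == "sufficient":
            if r == "success" and failure is None:
                return "success"        # short-circuit: later modules never run
            continue                    # a failing sufficient module is ignored
        if e.control == "requisite" and r != "success":
            return r                    # requisite failure ends the stack at once
        if e.control == "required" and r != "success" and failure is None:
            failure = r                 # remembered, but the stack keeps running
        # optional modules do not affect the result in this simplified model
    return failure or "success"

def duplicate_args(stack: list[Entry]) -> list[tuple[str, str]]:
    """Report arguments repeated on one line, e.g. 'debug' given twice."""
    return [(e.module, a) for e in stack for a in set(e.args) if e.args.count(a) > 1]

# The common-auth stack quoted in the post, reproduced here as sample input.
COMMON_AUTH = """
auth sufficient pam_ldap.so debug
auth required pam_unix.so nullok_secure debug try_first_pass debug
"""
```

With this stack, a failing pam_ldap.so is simply ignored and pam_unix.so decides the outcome, so a user that exists only in LDAP ends up judged by the local passwd file.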
