* [gentoo-user] Ldap authentication issues.
@ 2010-05-03 7:41 Indexer
2010-05-03 11:46 ` Daniel Troeder
2010-05-03 12:11 ` Ward Poelmans
0 siblings, 2 replies; 8+ messages in thread
From: Indexer @ 2010-05-03 7:41 UTC (permalink / raw
To: gentoo-user
I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:
May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
I can successfully search the LDAP directory with this user binding to the LDAP server:
ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=chocolate,dc=lan> (default) with scope subtree
# filter: (uid=william)
# requesting: ALL
#
# william, Admin, chocolate.lan
dn: uid=william,ou=Admin,dc=chocolate,dc=lan
uid: william
cn: william
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/william
userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE=
gecos: William Brown,,,,
description: William Brown
shadowLastChange: 1
shadowMax: 0
shadowExpire: 0
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Slapd when trying to authenticate shows this.
/usr/local/libexec/slapd -4 -d 256
slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 fd=10 closed (connection lost)
conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="" method=128
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 closed (connection lost)
conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
conn=3 op=0 BIND dn="" method=128
conn=3 op=0 RESULT tag=97 err=0 text=
connection_input: conn=3 deferring operation: binding
conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 fd=12 closed (connection lost)
conn=1 fd=10 closed (connection lost)
Here is my /etc/ldap.conf
base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.srv.chocolate.lan
ldap_version 3
rootbinddn cn=Manager,dc=chocolate,dc=lan
scope one
timelimit 3
bind_timelimit 3
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_check_host_attr no
pam_member_attribute memberuid
pam_password exop
nss_reconnect_tries 4 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 16 # max sleep value to cap at
nss_reconnect_maxconntries 2 # how many tries before sleeping
nss_base_passwd ou=Admin,dc=chocolate,dc=lan?one
nss_base_passwd ou=People,dc=chocolate,dc=lan?one
nss_base_shadow ou=Admin,dc=chocolate,dc=lan?one
nss_base_shadow ou=People,dc=chocolate,dc=lan?one
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?one
nss_base_group ou=Marvin,ou=Group,dc=chocolate,dc=lan?one
ssl off
Here is /etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
access to attrs=userPassword
by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
by anonymous auth
by self write
by * none
access to *
by self write
by users read
database bdb
suffix "dc=chocolate,dc=lan"
rootdn "cn=Manager,dc=chocolate,dc=lan"
rootpw {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm
directory /var/db/openldap-data
index objectClass eq
index uid eq
password-hash {SSHA}
Here is the /etc/openldap/ldap.conf from both the client and server
BASE dc=chocolate,dc=lan
URI ldap://ldap.srv.chocolate.lan
Any help with this would be greatly appreciated
William
^ permalink raw reply [flat|nested] 8+ messages in thread
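Before going further it helps to read a slapd stats log mechanically rather than by eye. The script below is an added example, not code from the thread: it parses `slapd -d 256` lines like the ones posted and reports, per connection, who bound, whether the bind succeeded, whether a simple bind went over the wire with `ssf=0` (no TLS or SASL protection), which searches came back empty, and which equality filters the backend reports as not indexed. Two things it surfaces in the posted log: `BIND dn=""` is an anonymous bind, so only ACL clauses for `anonymous` or `*` apply to the searches that follow it; and `(uid) not indexed` is reported even though the posted slapd.conf has `index uid eq`, which means the running slapd is not using that index (either the index line was added after the database was loaded and `slapindex` was never run, or slapd is reading a different slapd.conf; the binary lives under /usr/local and the schema includes point at /usr/local/etc/openldap, not /etc/openldap). `SAMPLE_LOG` is a constructed sample modelled on the posted lines, and the regular expressions are assumptions fitted to that format.

```python
"""Per-connection summary of `slapd -d 256` (loglevel 'stats') output.

Added example, not from the thread: SAMPLE_LOG is a constructed sample
modelled on the posted lines and the regexes are assumptions fitted to
that log format.
"""
import re

ACCEPT_RE = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
SSF_RE = re.compile(r'mech=(\w+) ssf=(\d+)')              # second BIND line of a simple bind
BIND_RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')   # tag 97 = BindResponse
SRCH_RE = re.compile(r'^conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
SRCH_RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')
UNINDEXED_RE = re.compile(r'^<= \w+: \((\w+)\) not indexed')   # "<= bdb_equality_candidates: (uid) not indexed"

LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}

# Constructed sample: an anonymous bind, a Manager bind, and a failed user bind.
SAMPLE_LOG = """\
conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
<= bdb_equality_candidates: (uid) not indexed
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=13 ACCEPT from IP=127.0.0.1:39936 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=2 fd=14 ACCEPT from IP=172.20.0.1:50000 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="uid=william,ou=Admin,dc=chocolate,dc=lan" method=128
conn=2 op=0 RESULT tag=97 err=49 text=
"""


def _conn(conns, cid, peer="?"):
    return conns.setdefault(cid, {"peer": peer, "bind_dn": None, "bind_err": None,
                                  "ssf": None, "searches": {}})


def parse_stats_log(text):
    """Return {conn_id: {peer, bind_dn, bind_err, ssf, searches: {op: {...}}}}."""
    conns, last_srch = {}, None
    for line in text.splitlines():
        if m := ACCEPT_RE.match(line):
            _conn(conns, int(m[1]), m[2])
        elif m := BIND_RE.match(line):
            c = _conn(conns, int(m[1]))
            c["bind_dn"] = m[3]                       # "" means an anonymous bind
            if s := SSF_RE.search(line):
                c["ssf"] = int(s[2])                  # 0: no TLS/SASL protection on this connection
        elif m := BIND_RESULT_RE.match(line):
            _conn(conns, int(m[1]))["bind_err"] = int(m[3])
        elif m := SRCH_RE.match(line):
            cid, op = int(m[1]), int(m[2])
            _conn(conns, cid)["searches"][op] = {"base": m[3], "scope": int(m[4]), "filter": m[5],
                                                 "nentries": None, "unindexed": set()}
            last_srch = (cid, op)                     # index warnings carry no conn/op, so attach to last SRCH
        elif m := SRCH_RESULT_RE.match(line):
            s = _conn(conns, int(m[1]))["searches"].get(int(m[2]))
            if s is not None:
                s["nentries"] = int(m[4])
        elif (m := UNINDEXED_RE.match(line)) and last_srch:
            conns[last_srch[0]]["searches"][last_srch[1]]["unindexed"].add(m[1])
    return conns


def findings(conns):
    """Turn the parsed connections into one-line observations."""
    out = []
    for cid, c in sorted(conns.items()):
        dn, err = c["bind_dn"], c["bind_err"]
        if dn == "":
            out.append(f"conn={cid}: anonymous bind from {c['peer']} (only 'by anonymous'/'by *' ACL clauses apply)")
        elif dn and err not in (None, 0):
            out.append(f"conn={cid}: bind as {dn} failed: {LDAP_ERR.get(err, err)}")
        if dn and c["ssf"] == 0:
            out.append(f"conn={cid}: simple bind as {dn} with ssf=0 (password sent unencrypted)")
        for op, s in sorted(c["searches"].items()):
            for attr in sorted(s["unindexed"]):
                out.append(f"conn={cid} op={op}: '{attr}' equality filter not indexed (add 'index {attr} eq', run slapindex)")
            if s["nentries"] == 0:
                out.append(f"conn={cid} op={op}: nothing under {s['base']} matched {s['filter']}")
    return out


if __name__ == "__main__":
    for line in findings(parse_stats_log(SAMPLE_LOG)):
        print(line)
```

Feed it a real capture with `parse_stats_log(open("slapd.log").read())`; the `bind_dn`/`ssf` fields are the quickest way to confirm whether nss_ldap is actually using `rootbinddn` plus /etc/ldap.secret (bind DN is cn=Manager) or falling back to anonymous (bind DN is empty).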
* Re: [gentoo-user] Ldap authentication issues.
2010-05-03 7:41 [gentoo-user] Ldap authentication issues Indexer
@ 2010-05-03 11:46 ` Daniel Troeder
2010-05-03 12:36 ` Indexer
2010-05-03 12:11 ` Ward Poelmans
1 sibling, 1 reply; 8+ messages in thread
From: Daniel Troeder @ 2010-05-03 11:46 UTC (permalink / raw
To: gentoo-user
On 05/03/2010 09:41 AM, Indexer wrote:
> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:
I haven't set this up on gentoo, only on debian-server with
ubuntu-clients...
Does NSS work already? Do you see the LDAP users/group after the
passwd-users when you run
$ getent passwd
$ getent group
Assuming you have configured /etc/nsswitch.conf:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
("files ldap" is OK too.)
As long as that does not work, it doesn't make sense to continue to PAM.
Is the password in /etc/ldap.secret OK? Mode should be 400. Try to see
if the password for cn=Manager,dc=chocolate,dc=lan in there does have
possibly problematic characters.
I need to use nscd on the clients.
BTW: I use MDS/MMC (http://mds.mandriva.org/) on all debian servers for
User/Samba/DNS/DHCP/Mail management with LDAP. It's really good.
The trickiest part of setting up LDAP clients is always PAM :(
Fortunately for debian/ubuntu there are good guides. If you find out how
to do it with gentoo, that info would be appreciated (gentoo-wiki?).
Good luck,
Daniel
--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
* Re: [gentoo-user] Ldap authentication issues.
2010-05-03 7:41 [gentoo-user] Ldap authentication issues Indexer
2010-05-03 11:46 ` Daniel Troeder
@ 2010-05-03 12:11 ` Ward Poelmans
2010-05-03 12:37 ` Indexer
1 sibling, 1 reply; 8+ messages in thread
From: Ward Poelmans @ 2010-05-03 12:11 UTC (permalink / raw
To: gentoo-user
On Mon, May 3, 2010 at 09:41, Indexer <indexer@internode.on.net> wrote:
> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:
>
> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>
What does your ssh file in /etc/pam.d look like?
Ward
* Re: [gentoo-user] Ldap authentication issues.
2010-05-03 11:46 ` Daniel Troeder
@ 2010-05-03 12:36 ` Indexer
0 siblings, 0 replies; 8+ messages in thread
From: Indexer @ 2010-05-03 12:36 UTC (permalink / raw
To: gentoo-user
On 03/05/2010, at 9:16 PM, Daniel Troeder wrote:
> I haven't set this up on gentoo, only on debian-server with
> ubuntu-clients...
>
> Does NSS work already? Do you see the LDAP users/group after the
> passwd-users when you run
> $ getent passwd
> $ getent group
>
Both show the correct user and group as defined in the ldap attributes
passwd
william:*:10000:10000:William Brown,,,,:/home/william:/bin/bash
and group
login:*:20000:william
> Assuming you have configured /etc/nsswitch.conf:
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
> ("files ldap" is OK too.)
>
> As long as that does not work, it doesn't make sense to continue to PAM.
>
> Is the password in /etc/ldap.secret OK? Mode should be 400. Try to see
> if the password for cn=Manager,dc=chocolate,dc=lan in there does have
> possibly problematic characters.
The password is in there, and it does bind successfully (I accidentally posted the wrong output from slapd; I have been documenting my successes and failures to try and piece this together):
slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:39936 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=0 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=13 ACCEPT from IP=127.0.0.1:23394 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=1 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=13 closed (connection lost)
conn=2 fd=13 ACCEPT from IP=127.0.0.1:38351 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=2 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
> I need to use nscd on the clients.
>
> BTW: I use MDS/MMC (http://mds.mandriva.org/) on all debian servers for
> User/Samba/DNS/DHCP/Mail management with LDAP. It's really good.
Ill take a look at it, thank you for the hint.
>
> The most trickiest part of setting up LDAP-clients is always PAM :(
> Fortunately for debian/ubuntu there are good guides. If you find out how
> to do it with gentoo, that info would be appreciated (gentoo-wiki?).
I agree, and I most likely will do a write-up if I get it to work happily.
>
> Good luck,
> Daniel
>
> --
> PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
> # gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
>
William
* Re: [gentoo-user] Ldap authentication issues.
2010-05-03 12:11 ` Ward Poelmans
@ 2010-05-03 12:37 ` Indexer
2010-05-04 21:30 ` Daniel Troeder
0 siblings, 1 reply; 8+ messages in thread
From: Indexer @ 2010-05-03 12:37 UTC (permalink / raw
To: gentoo-user
On 03/05/2010, at 9:41 PM, Ward Poelmans wrote:
> On Mon, May 3, 2010 at 09:41, Indexer <indexer@internode.on.net> wrote:
>> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:
>>
>> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>>
>
> What does your ssh file in /etc/pam.d look like?
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
#account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
>
> Ward
>
I was under the impression that SSH was able to use PAM from the system module? I will try this out now, uncommenting the LDAP settings.
* Re: [gentoo-user] Ldap authentication issues.
2010-05-03 12:37 ` Indexer
@ 2010-05-04 21:30 ` Daniel Troeder
2010-05-05 0:02 ` Indexer
0 siblings, 1 reply; 8+ messages in thread
From: Daniel Troeder @ 2010-05-04 21:30 UTC (permalink / raw
To: gentoo-user
On 05/03/2010 02:37 PM, Indexer wrote:
>
> On 03/05/2010, at 9:41 PM, Ward Poelmans wrote:
>
>> On Mon, May 3, 2010 at 09:41, Indexer <indexer@internode.on.net> wrote:
>>> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:
>>>
>>> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>>>
>>
>> What does your ssh file in /etc/pam.d look like?
>
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> #auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_unix.so
> #account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
>
> # session
> #session optional pam_ssh.so
> session required pam_permit.so
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_unix.so no_warn try_first_pass
>
>>
>> Ward
>>
>
> I was under the impression that SSH was able to use PAM from the system module? I will try this out now, uncommenting the LDAP settings.
>
Can the user login from a console?
And what about "su - william" from a non-root account? (From a
root-account it should work without problems.)
Daniel
* Re: [gentoo-user] Ldap authentication issues.
2010-05-04 21:30 ` Daniel Troeder
@ 2010-05-05 0:02 ` Indexer
2010-05-05 6:08 ` Daniel Troeder
0 siblings, 1 reply; 8+ messages in thread
From: Indexer @ 2010-05-05 0:02 UTC (permalink / raw
To: gentoo-user
I have solved this issue late last night. I took my inspiration from Fedora, which has a really nice automatic tool for adding LDAP servers, and I looked at its changes. The issue was that pam_unix was set as required, not sufficient/optional. I also found that in Fedora they do includes in their PAM config, and my setup did not have that, so you need to modify the correct module for the system you are using. Find below my corrected PAM config, and I will do a write-up of this process.
I have also found that when the user logs in it takes a long time for commands to execute, and in this time it sends a lot of requests to the slapd server, using anonymous binds. Any idea how I make anonymous binds return attrs such as groupUid etc.?
On 05/05/2010, at 7:00 AM, Daniel Troeder wrote:
>>
>> # auth
>> auth sufficient pam_opie.so no_warn no_fake_prompts
>> auth requisite pam_opieaccess.so no_warn allow_local
>> #auth sufficient pam_krb5.so no_warn try_first_pass
>> #auth sufficient pam_ssh.so no_warn try_first_pass
>> auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass
>> auth sufficient pam_unix.so no_warn try_first_pass
>>
>> # account
>> account required pam_nologin.so
>> #account required pam_krb5.so
>> account required pam_login_access.so
>> account sufficient pam_unix.so
>> account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
>>
>> # session
>> #session optional pam_ssh.so
>> session required pam_permit.so
session optional /usr/local/lib/pam_ldap.so
>>
>> # password
>> #password sufficient pam_krb5.so no_warn try_first_pass
>> password sufficient pam_unix.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so
>
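The fix above turns on why the first stack failed: with `auth required pam_unix.so` and pam_ldap commented out, an LDAP-only user can never pass, because NSS shows the account with a `*` password field and pam_unix has no hash to verify. The simulation below is an added example, not code from the thread or from any PAM implementation: it evaluates a stack of (control flag, module) pairs with the `required`/`requisite`/`sufficient`/`optional` rules that Linux-PAM and OpenPAM share, using constructed stand-ins for pam_unix and pam_ldap (pam_opie and pam_opieaccess from the posted file are left out of the model, as are `use_first_pass`/`try_first_pass`). It runs the posted stack, the corrected stack, and a Fedora-style variant that closes the stack with an explicit `required pam_deny.so`, so a stack made only of `sufficient` lines does not depend on the implicit "nothing succeeded" denial.

```python
"""PAM control-flag simulation for the ssh auth stacks in this thread.

Added example, not from the post: the user tables and module functions
are constructed stand-ins for pam_unix and pam_ldap.
"""

SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED")

# Constructed data: only root has a local password hash; william exists only in LDAP.
LOCAL_SHADOW = {"root": "local-root-pw"}
LDAP_USERS = {"william": "chocolate"}


def pam_unix(user, password):
    """Stand-in for pam_unix: nss_ldap makes william visible (getent shows
    'william:*:10000:...'), but a '*' password field can never match, so an
    LDAP-only user always gets PAM_AUTH_ERR from this module."""
    if user in LOCAL_SHADOW:
        return SUCCESS if LOCAL_SHADOW[user] == password else AUTH_ERR
    return AUTH_ERR if user in LDAP_USERS else USER_UNKNOWN


def pam_ldap(user, password):
    """Stand-in for pam_ldap: binds to the directory as the user's DN."""
    if user not in LDAP_USERS:
        return USER_UNKNOWN
    return SUCCESS if LDAP_USERS[user] == password else AUTH_ERR


def pam_deny(user, password):
    """Stand-in for pam_deny: always fails; used to end a stack explicitly."""
    return AUTH_ERR


def run_chain(chain, user, password):
    """Evaluate [(control, module), ...] and return the stack's result.

    required  : failure is remembered (first one wins) but the stack continues
    requisite : failure ends the stack immediately with that code
    sufficient: success ends the stack with PAM_SUCCESS unless a required
                module already failed; failure is ignored
    optional  : only matters if nothing else decided the outcome
    """
    first_failure, any_success = None, False
    for control, module in chain:
        rc = module(user, password)
        if control == "requisite":
            if rc != SUCCESS:
                return rc
            any_success = True
        elif control == "required":
            if rc == SUCCESS:
                any_success = True
            elif first_failure is None:
                first_failure = rc
        elif control == "sufficient":
            if rc == SUCCESS and first_failure is None:
                return SUCCESS
        elif control == "optional":
            any_success = any_success or rc == SUCCESS
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if first_failure is not None:
        return first_failure
    # Nothing succeeded and nothing was required: both PAM implementations deny.
    return SUCCESS if any_success else PERM_DENIED


# The posted stack: pam_ldap commented out, pam_unix required.
BEFORE = [("required", pam_unix)]
# The corrected stack from the post above: both password modules sufficient.
AFTER = [("sufficient", pam_ldap), ("sufficient", pam_unix)]
# Fedora-style variant: same outcomes, but the stack ends with an explicit deny
# instead of relying on the implicit "nothing succeeded" denial.
AFTER_EXPLICIT = AFTER + [("required", pam_deny)]

if __name__ == "__main__":
    for name, chain in (("before", BEFORE), ("after", AFTER), ("after+deny", AFTER_EXPLICIT)):
        for user, pw in (("william", "chocolate"), ("william", "wrong"), ("root", "local-root-pw")):
            print(f"{name:10s} {user:8s} {pw:14s} -> {run_chain(chain, user, pw)}")
```

On the corrected stack `william`/`wrong` comes back PAM_PERM_DENIED because no module succeeded; with the trailing pam_deny the same attempt returns PAM_AUTH_ERR from the module that actually decided, which is easier to read in auth.log and cannot be loosened by someone later adding an `optional` line to the bottom of the file.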
* Re: [gentoo-user] Ldap authentication issues.
2010-05-05 0:02 ` Indexer
@ 2010-05-05 6:08 ` Daniel Troeder
0 siblings, 0 replies; 8+ messages in thread
From: Daniel Troeder @ 2010-05-05 6:08 UTC (permalink / raw
To: gentoo-user
On 05/05/2010 02:02 AM, Indexer wrote:
> I have solved this issue late last night. I took my inspiration from
> Fedora, which has a really nice automatic tool for adding LDAP servers,
> and I looked at its changes. The issue was that pam_unix was set as
> required, not sufficient/optional. I also found that in Fedora they
> do includes in their PAM config, and my setup did not have that, so you need
> to modify the correct module for the system you are using. Find below
> my corrected PAM config, and I will do a write-up of this process.
nice :)
> I have also found that when the user logs in it takes a long time for
> commands to execute, and in this time it sends a lot of requests to
> the slapd server, using anonymous binds. Any idea how I make
> anonymous binds return attrs such as groupUid etc.?
You have to allow that using ACLs in slapd.conf.
In your first post they were:
access to attrs=userPassword
by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
by anonymous auth
by self write
by * none
access to *
by self write
by users read
I think you should have at least this:
access to dn.base="" by * read
So that anonymous can at least get to the root of your LDAP tree. This
is important to some clients (especially SASL).
And then I'd also open up read access to anonymous for everything else,
or at least Users+Groups, as that is also the case with /etc/passwd.
There is really no point in being more secretive than file permissions
on /etc/passwd.
access to *
by * read
or, more secure I think:
access to ou=Group,dc=chocolate,dc=lan
by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
by * read
access to ou=Admin,dc=chocolate,dc=lan
by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
by * read
access to ou=Users,dc=chocolate,dc=lan
by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
by * read
I'm not 100% sure with the "by dn.subtree=..." though I think that
should work ($ man slapd.access).
Bye,
Daniel
--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
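Daniel's reply rests on two slapd ACL rules that are easier to check than to remember: only the first `access to` clause whose target matches is consulted, and within it the first matching `by` clause decides, with an implicit `by * none` if none does. The simulator below is an added example, not part of the thread or of OpenLDAP. It parses slapd.conf-style `access to ... by ...` text for the subset used in this thread (`*`, `attrs=`, `dn.base=` and `dn.subtree=` targets; `*`, `anonymous`, `users`, `self`, `dn=` and `dn.subtree=` subjects) with plain case-folded DN comparison; regex and filter targets, `break`/`continue` controls and the fall-through to global ACLs are not modelled, and a target that no clause matches is treated as denied. `POSTED_ACL` is the ACL from the first post; `OPENED_ACL` is the Admin and Users clauses of Daniel's proposal written with explicit `dn.subtree=` targets (so the clause covers the entries beneath the OU, not just the OU itself) and with the userPassword clause kept in first position; the account `uid=alice,ou=Users,...` is constructed. Two things it shows: under the posted ACL an anonymous client gets no access at all to ordinary attributes, which is why the anonymous nss_ldap lookups come back empty; and `by self write` on `access to *` lets a user rewrite his own uidNumber, gidNumber and loginShell, which is why the opened set grants self write only on userPassword.

```python
"""slapd-style ACL evaluation (added example; the lead-in lists what is modelled)."""
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

POSTED_ACL = """
access to attrs=userPassword
    by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
    by anonymous auth
    by self write
    by * none
access to *
    by self write
    by users read
"""

# Admin/Users clauses of the proposal above with explicit dn.subtree= targets; the
# userPassword clause stays first so 'by * read' never reaches the password hashes.
OPENED_ACL = """
access to attrs=userPassword
    by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
    by anonymous auth
    by self write
    by * none
access to dn.base=""
    by * read
access to dn.subtree="ou=Admin,dc=chocolate,dc=lan"
    by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
    by * read
access to dn.subtree="ou=Users,dc=chocolate,dc=lan"
    by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
    by * read
"""


def _norm(dn):                       # simplification: case-fold and strip spaces around RDNs
    return ",".join(p.strip() for p in dn.lower().split(","))


def _in_subtree(dn, base):
    b = _norm(base)
    return b == "" or _norm(dn) == b or _norm(dn).endswith("," + b)


def _what(tok):                      # <what>: * | attrs=<list> | dn.base=<dn> | dn.subtree=<dn>
    if tok == "*":
        return ("all", None)
    for key in ("attrs=", "dn.base=", "dn.subtree="):
        if tok.startswith(key):
            val = tok[len(key):]
            return (key[:-1], {a.lower() for a in val.split(",")} if key == "attrs=" else val)
    raise ValueError(f"unsupported <what>: {tok}")


def _who(tok):                       # <who>: * | anonymous | users | self | dn=<dn> | dn.subtree=<dn>
    if tok in ("*", "anonymous", "users", "self"):
        return (tok, None)
    for key in ("dn=", "dn.subtree="):
        if tok.startswith(key):
            return (key[:-1], tok[len(key):])
    raise ValueError(f"unsupported <who>: {tok}")


def parse_acls(text):
    """'access to <what> by <who> <level> ...' -> [(what, [(who, level), ...])]."""
    toks, acls, i = shlex.split(text), [], 0
    while i < len(toks):
        if toks[i:i + 2] != ["access", "to"]:
            raise ValueError(f"unexpected token {toks[i]!r}")
        what, bys, i = _what(toks[i + 2]), [], i + 3
        while i < len(toks) and toks[i] == "by":
            if toks[i + 2] not in LEVELS:
                raise ValueError(f"unknown level {toks[i + 2]!r}")
            bys.append((_who(toks[i + 1]), toks[i + 2]))
            i += 3
        acls.append((what, bys))
    return acls


def _what_matches(what, entry_dn, attr):
    kind, val = what
    if kind == "all": return True
    if kind == "attrs": return attr is not None and attr.lower() in val   # attribute-level access only
    if kind == "dn.base": return _norm(entry_dn) == _norm(val)
    return _in_subtree(entry_dn, val)                                      # dn.subtree


def _who_matches(who, bind_dn, entry_dn):
    kind, val = who
    if kind == "*": return True
    if kind == "anonymous": return bind_dn == ""
    if kind == "users": return bind_dn != ""
    if kind == "self": return bind_dn != "" and _norm(bind_dn) == _norm(entry_dn)
    if kind == "dn": return _norm(bind_dn) == _norm(val)
    return bind_dn != "" and _in_subtree(bind_dn, val)                     # dn.subtree


def decide(acls, bind_dn, entry_dn, attr=None):
    """Access level bind_dn ('' = anonymous) gets on entry_dn / attr, slapd-style."""
    for what, bys in acls:
        if _what_matches(what, entry_dn, attr):        # first matching 'access to' is the only one used
            for who, level in bys:
                if _who_matches(who, bind_dn, entry_dn):   # first matching 'by' decides
                    return level
            return "none"                               # implicit 'by * none'
    return "none"   # assumption: nothing matched -> denied (real slapd would consult global ACLs)


def allowed(acls, bind_dn, entry_dn, attr, needed):
    """True if the granted level covers `needed` (write implies read, read implies search/compare/auth)."""
    return LEVELS.index(decide(acls, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)
```

Run `decide(parse_acls(OPENED_ACL), "", "uid=william,ou=Admin,dc=chocolate,dc=lan", "userPassword")` and it still returns `auth`: the first clause is consulted before the subtree clauses, so the hashes stay hidden from anonymous readers. Delete that first clause and the same call returns `read`, which is the trap in a bare `access to * by * read`. Daniel's `dn.subtree="ou=Admin,..." write` does let any account under ou=Admin rewrite any entry under ou=Admin and ou=Users, including uidNumber, so that OU should hold only accounts that are meant to be directory administrators.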