* [gentoo-user] ldap client authentication
@ 2010-11-03 16:25 James
2010-11-03 19:13 ` Stroller
0 siblings, 1 reply; 13+ messages in thread
From: James @ 2010-11-03 16:25 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 4882 bytes --]
Folks,
I'm attempting to set up LDAP authentication against my OpenDS server on a
Gentoo box. I've been struggling with this for several days now with no
progress.
Here's the rundown of how things are configured (fairly straight forward):
- OpenDS server has the following entry (gathered directly from ldapsearch
output), below. Note that clearly the LDAP server is properly configured if
it's responding to an ldapsearch on the client with no problems.
ldap ~ # ldapsearch -H ldap://auth.whatever.com "objectclass=posixAccount"
dn: cn=tb,ou=it,dc=whatever,dc=com
uid: tb
initials: tb
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
givenName: Thomas
cn: tb
sn: Bellview
telephoneNumber: 333.555.3333
homeDirectory: /home/tb
uidNumber: 10001
mail: tb@whatever.com
gidNumber: 10001
- /etc/ldap.conf
base ou=it,dc=whatever,dc=com
uri ldaps://auth.whatever.com
ldap_version 3
tls_reqcert allow
pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
nss_base_passwd ou=it,dc=whatever,dc=com
nss_base_shadow ou=it,dc=whatever,dc=com
nss_initgroups_ignoreusers
avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,www-data
timelimit 5
bind_timelimit 5
- Likewise, /etc/openldap/ldap.conf
BASE ou=it,dc=whatever,dc=com
URI ldaps://auth.whatever.com
TLS_REQCERT allow
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
Simple problem: authentication fails. On the CLIENT I see the following in
the log files:
==> auth.log <==
Nov 3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM:
Authentication failure for tb from blah.whatever.com
On the SERVER I see the following:
[03/Nov/2010:06:27:05 -0400] CONNECT conn=314 from=10.1.1.166:44879 to=
10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=314 op=0 msgID=1 type=SIMPLE
dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=314 op=0 msgID=1 result=0
authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=1 msgID=2
base="ou=it,dc=whatever,dc=com" scope=wholeSubtree
filter="(&(objectClass=posixAccount)(uid=tb))"
attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=1 msgID=2 result=0
nentries=1 etime=1
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=2 msgID=3
base="ou=it,dc=whatever,dc=com" scope=wholeSubtree
filter="(&(objectClass=posixAccount)(uid=tb))"
attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=2 msgID=3 result=0
nentries=1 etime=1
[03/Nov/2010:06:27:05 -0400] CONNECT conn=315 from=10.1.1.166:44879 to=
10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=0 msgID=1 type=SIMPLE
dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=0 msgID=1 result=0
authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=315 op=1 msgID=2
base="ou=it,dc=whatever,dc=com" scope=wholeSubtree
filter="(&(objectclass=posixAccount)(uid=tb))" attrs="ALL"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=315 op=1 msgID=2 result=0
nentries=1 etime=0
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=2 msgID=3 type=SIMPLE
dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=2 msgID=3 result=0
authDN="" etime=0
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=315 reason="Client Disconnect"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=314 reason="Client Disconnect"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=309 reason="Client Disconnect"
Looks fine, right? Well not really. If I run an ldapsearch *exactly* as it
appears in the SERVER's log, it returns the user.
ldap ~ # ldapsearch -H ldap://auth.whatever.com -b
"ou=it,dc=whatever,dc=com" "(&(objectclass=posixAccount)(uid=tb))"
# extended LDIF
#
# LDAPv3
# base <ou=it,dc=whatever,dc=com> with scope subtree
# filter: (&(objectclass=posixAccount)(uid=tb))
# requesting: ALL
#
# tb, it, whatever.com
dn: cn=tb,ou=it,dc=whatever,dc=com
uid: tb
initials: tb
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
givenName: Thomas
cn: tb
sn: Bellview
telephoneNumber: 333.555.3333
homeDirectory: /home/tb
uidNumber: 10001
mail: tb@whatever.com
gidNumber: 10001
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This has me pulling my hairs out. Clearly the manual ldapsearch works. The
only thing I can think of is the "scope=wholeSubtree" or the "attrs=ALL"
breaking the query; clearly the applied filters work without any issues.
Thoughts / ideas would be greatly appreciated.
-james
[-- Attachment #2: Type: text/html, Size: 6114 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-03 16:25 [gentoo-user] ldap client authentication James
@ 2010-11-03 19:13 ` Stroller
2010-11-03 19:26 ` James
0 siblings, 1 reply; 13+ messages in thread
From: Stroller @ 2010-11-03 19:13 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 603 bytes --]
On 3/11/2010, at 4:25pm, James wrote:
> ...
> I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress.
>
> Here's the rundown of how things are configured (fairly straight forward):
> ...
> ==> auth.log <==
> Nov 3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com
You've shown us all about your LDAP configuration, but nothing about your PAM configuration, or whether sshd or IMAP are configured to use PAM.
Stroller.
[-- Attachment #2: Type: text/html, Size: 1031 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-03 19:13 ` Stroller
@ 2010-11-03 19:26 ` James
2010-11-04 15:51 ` James
0 siblings, 1 reply; 13+ messages in thread
From: James @ 2010-11-03 19:26 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 976 bytes --]
Straight from the Gentoo + LDAP page.
# pam ldap stuff
auth sufficient pam_ldap.so use_first_pass
account sufficient pam_ldap.so
password sufficient pam_ldap.so use_authtok use_first_pass
session optional pam_ldap.so
-james
On Wed, Nov 3, 2010 at 15:13, Stroller <stroller@stellar.eclipse.co.uk>wrote:
>
> On 3/11/2010, at 4:25pm, James wrote:
>
> ...
> I'm attempting to set up LDAP authentication against my OpenDS server on a
> Gentoo box. I've been struggling with this for several days now with no
> progress.
>
> Here's the rundown of how things are configured (fairly straight forward):
> ...
>
> ==> auth.log <==
> Nov 3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM:
> Authentication failure for tb from blah.whatever.com
>
>
> You've shown us all about your LDAP configuration, but nothing about your
> PAM configuration, or whether sshd or IMAP are configured to use PAM.
>
> Stroller.
>
>
[-- Attachment #2: Type: text/html, Size: 1707 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-03 19:26 ` James
@ 2010-11-04 15:51 ` James
2010-11-04 21:58 ` Adam Carter
0 siblings, 1 reply; 13+ messages in thread
From: James @ 2010-11-04 15:51 UTC (permalink / raw
To: gentoo-user
Bump -- any ideas?
In a tough spot right now trying to wrap this LDAP project up and I'm stuck. :(
-james
On Wed, Nov 3, 2010 at 15:26, James <jtp@nc.rr.com> wrote:
> Straight from the Gentoo + LDAP page.
>
> # pam ldap stuff
> auth sufficient pam_ldap.so use_first_pass
> account sufficient pam_ldap.so
> password sufficient pam_ldap.so use_authtok use_first_pass
> session optional pam_ldap.so
>
> -james
>
> On Wed, Nov 3, 2010 at 15:13, Stroller <stroller@stellar.eclipse.co.uk>
> wrote:
>>
>> On 3/11/2010, at 4:25pm, James wrote:
>>
>> ...
>> I'm attempting to set up LDAP authentication against my OpenDS server on a
>> Gentoo box. I've been struggling with this for several days now with no
>> progress.
>>
>> Here's the rundown of how things are configured (fairly straight forward):
>> ...
>>
>> ==> auth.log <==
>> Nov 3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM:
>> Authentication failure for tb from blah.whatever.com
>>
>> You've shown us all about your LDAP configuration, but nothing about your
>> PAM configuration, or whether sshd or IMAP are configured to use PAM.
>> Stroller.
>
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-04 15:51 ` James
@ 2010-11-04 21:58 ` Adam Carter
2010-11-04 23:48 ` James
0 siblings, 1 reply; 13+ messages in thread
From: Adam Carter @ 2010-11-04 21:58 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 417 bytes --]
On Fri, Nov 5, 2010 at 2:51 AM, James <jtp@nc.rr.com> wrote:
> Bump -- any ideas?
>
> In a tough spot right now trying to wrap this LDAP project up and I'm
> stuck. :(
>
> -james
>
>
You seem to be using ldap sometimes and ldaps other times in your configs.
Suggest you try getting everything working with ldap first, then convert
everything to ldaps (to get SSL working) once you have the application layer
sorted.
[-- Attachment #2: Type: text/html, Size: 694 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-04 21:58 ` Adam Carter
@ 2010-11-04 23:48 ` James
2010-11-05 4:44 ` James
0 siblings, 1 reply; 13+ messages in thread
From: James @ 2010-11-04 23:48 UTC (permalink / raw
To: gentoo-user
LDAP and LDAPS work fine -- as I indicated, the ldapsearch queries
work without any issues. Thus the issue is, more or less, related
directly to PAM and LDAP together.
At some point during troubleshooting I switched to LDAP simply so that
I could sniff the packets going across the wire and see what was going
on.
This is purely a pam_ldap configuration problem as far as I can tell.
Any thoughts on how to go about troubleshooting this would be greatly
appreciated.
-james
On Thu, Nov 4, 2010 at 17:58, Adam Carter <adamcarter3@gmail.com> wrote:
> You seem to be using ldap sometimes and ldaps other times in your configs.
> Suggest you try getting everything working with ldap first, then convert
> everything to ldaps (to get SSL working) once you have the application layer
> sorted.
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-04 23:48 ` James
@ 2010-11-05 4:44 ` James
2010-11-05 10:22 ` Ward Poelmans
0 siblings, 1 reply; 13+ messages in thread
From: James @ 2010-11-05 4:44 UTC (permalink / raw
To: gentoo-user
Things just got more interesting.
I just copied my /etc/ldap.conf file over from my Gentoo box to an
Ubuntu box -- it works without a single hitch.
I'm about to rip my hair out here...any ideas on where I can start
troubleshooting this?
- openssh versions are very similar
- newer nss_ldap on gentoo
- newer pam_ldap on gentoo
Thoughts would be greatly appreciated.
-james
On Thu, Nov 4, 2010 at 23:48, James <jtp@nc.rr.com> wrote:
> LDAP and LDAPS work fine -- as I indicated, the ldapsearch queries
> work without any issues. Thus the issue is, more or less, related
> directly to PAM and LDAP together.
>
> At some point during troubleshooting I switched to LDAP simply so that
> I could sniff the packets going across the wire and see what was going
> on.
>
> This is purely a pam_ldap configuration problem as far as I can tell.
>
> Any thoughts on how to go about troubleshooting this would be greatly
> appreciated.
>
> -james
>
> On Thu, Nov 4, 2010 at 17:58, Adam Carter <adamcarter3@gmail.com> wrote:
>> You seem to be using ldap sometimes and ldaps other times in your configs.
>> Suggest you try getting everything working with ldap first, then convert
>> everything to ldaps (to get SSL working) once you have the application layer
>> sorted.
>>
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-05 4:44 ` James
@ 2010-11-05 10:22 ` Ward Poelmans
2010-11-05 16:41 ` James
0 siblings, 1 reply; 13+ messages in thread
From: Ward Poelmans @ 2010-11-05 10:22 UTC (permalink / raw
To: gentoo-user
On Fri, Nov 5, 2010 at 05:44, James <jtp@nc.rr.com> wrote:
> Things just got more interesting.
>
> I just copied my /etc/ldap.conf file over from my Gentoo box to an
> Ubuntu box -- it works without a single hitch.
>
> I'm about to rip my hair out here...any ideas on where I can start
> troubleshooting this?
Put logging of PAM to the max and start looking in your pam logs. Your
ldap seems fine.
Ward
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-05 10:22 ` Ward Poelmans
@ 2010-11-05 16:41 ` James
2010-11-05 16:49 ` Ward Poelmans
0 siblings, 1 reply; 13+ messages in thread
From: James @ 2010-11-05 16:41 UTC (permalink / raw
To: gentoo-user
It seems that the LDAP is failing to work, as well, in CentOS 5 --
same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.
What's the best way to star troubleshooting this from a PAM perspective?
I have a debug line set at the bottom of the ldap.conf file, but that
doesn't seem to be giving me enough information. Also, I've set
'debug' at the end of every line in my /etc/pam.d/system-auth file, to
no avail. Nothing is showing up in /var/log/debug -- PAM indicates
that the 'debug' keyword sends messages to syslog for processing.
Thoughts / ideas would be greatly appreciated.
Thanks!
-james
On Fri, Nov 5, 2010 at 06:22, Ward Poelmans <wpoely86@gmail.com> wrote:
> On Fri, Nov 5, 2010 at 05:44, James <jtp@nc.rr.com> wrote:
>> Things just got more interesting.
>>
>> I just copied my /etc/ldap.conf file over from my Gentoo box to an
>> Ubuntu box -- it works without a single hitch.
>>
>> I'm about to rip my hair out here...any ideas on where I can start
>> troubleshooting this?
>
> Put logging of PAM to the max and start looking in your pam logs. Your
> ldap seems fine.
>
> Ward
>
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-05 16:41 ` James
@ 2010-11-05 16:49 ` Ward Poelmans
2010-11-05 19:46 ` James
0 siblings, 1 reply; 13+ messages in thread
From: Ward Poelmans @ 2010-11-05 16:49 UTC (permalink / raw
To: gentoo-user
On Fri, Nov 5, 2010 at 17:41, James <jtp@nc.rr.com> wrote:
> It seems that the LDAP is failing to work, as well, in CentOS 5 --
> same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.
>
> What's the best way to star troubleshooting this from a PAM perspective?
>
> I have a debug line set at the bottom of the ldap.conf file, but that
> doesn't seem to be giving me enough information. Also, I've set
> 'debug' at the end of every line in my /etc/pam.d/system-auth file, to
> no avail. Nothing is showing up in /var/log/debug -- PAM indicates
> that the 'debug' keyword sends messages to syslog for processing.
adding the debug keyword to the pam module doesn't do anything but in ldap.conf:
logdir <directory>
Specifies the directory used for logging by the LDAP client
library. This feature is not supported by all client libraries.
debug <level>
Specifies the debug level used for logging by the LDAP client
library. This feature is not supported by all client libraries, and
does not apply to the nss_ldap and pam_ldap modules themselves
(debugging, if any, is configured separately and usually at compile
time).
Ward
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-05 16:49 ` Ward Poelmans
@ 2010-11-05 19:46 ` James
2010-11-05 20:06 ` Ward Poelmans
0 siblings, 1 reply; 13+ messages in thread
From: James @ 2010-11-05 19:46 UTC (permalink / raw
To: gentoo-user
Yes, I have both of these options enabled:
logdir <somedir>
debug 256
The logdir is filled with empty files that, in the name of the file,
has the pid of the pam process. However, these files are empty and
they do not have anything in them.
Thoughts?
-james
On Fri, Nov 5, 2010 at 12:49, Ward Poelmans <wpoely86@gmail.com> wrote:
> On Fri, Nov 5, 2010 at 17:41, James <jtp@nc.rr.com> wrote:
>> It seems that the LDAP is failing to work, as well, in CentOS 5 --
>> same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.
>>
>> What's the best way to star troubleshooting this from a PAM perspective?
>>
>> I have a debug line set at the bottom of the ldap.conf file, but that
>> doesn't seem to be giving me enough information. Also, I've set
>> 'debug' at the end of every line in my /etc/pam.d/system-auth file, to
>> no avail. Nothing is showing up in /var/log/debug -- PAM indicates
>> that the 'debug' keyword sends messages to syslog for processing.
>
> adding the debug keyword to the pam module doesn't do anything but in ldap.conf:
> logdir <directory>
> Specifies the directory used for logging by the LDAP client
> library. This feature is not supported by all client libraries.
> debug <level>
> Specifies the debug level used for logging by the LDAP client
> library. This feature is not supported by all client libraries, and
> does not apply to the nss_ldap and pam_ldap modules themselves
> (debugging, if any, is configured separately and usually at compile
> time).
>
> Ward
>
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-05 19:46 ` James
@ 2010-11-05 20:06 ` Ward Poelmans
2010-11-07 21:59 ` James
0 siblings, 1 reply; 13+ messages in thread
From: Ward Poelmans @ 2010-11-05 20:06 UTC (permalink / raw
To: gentoo-user
On Fri, Nov 5, 2010 at 20:46, James <jtp@nc.rr.com> wrote:
> The logdir is filled with empty files that, in the name of the file,
> has the pid of the pam process. However, these files are empty and
> they do not have anything in them.
>
> Thoughts?
Try putting the compile time debugging options on?
Ward
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] ldap client authentication
2010-11-05 20:06 ` Ward Poelmans
@ 2010-11-07 21:59 ` James
0 siblings, 0 replies; 13+ messages in thread
From: James @ 2010-11-07 21:59 UTC (permalink / raw
To: gentoo-user
I've enabled compile-time debug flags, to no avail.
I did some troubleshooting for several hours last night and discovered
something interesting -- the LDAP server is responding with a SUCCESS
message to the bind request, but PAM (for whatever reason) is still
denying my login request.
Here's the output of a sniffer capture between the client and the LDAP server:
bindResponse
resultCode: success (0)
The /var/log/auth.log file indicates the following:
==> auth.log <==
Nov 3 06:24:00 s_dgram@auth.whatever.com sshd[11393]: error: PAM:
Authentication failure for illegal user tb from 10.9.3.153
Nov 3 06:24:00 s_dgram@auth.whatever.com sshd[11393]: Failed
keyboard-interactive/pam for invalid user tb from 10.9.3.153 port
56665 ssh2
Nov 3 06:24:00 s_dgram@auth.whatever.com sshd[11396]:
pam_tally2(sshd:auth): pam_get_uid; no such user
My /etc/pam.d/system-auth file is pretty much verbatim what is listed here:
http://www.gentoo.org/doc/en/ldap-howto.xml
Also, my /etc/nsswitch.conf file has "files" and "ldap" in the
appropriate places.
passwd: files ldap
shadow: files ldap
group: files ldap
Thoughts would be greatly appreciated -- I'm almost there! I just need
to figure out why PAM isn't playing nice with LDAP authentication.
-james
I'm so close I can taste it. :) Any thoughts or ideas on how to fix
this would be greatly appreciated.
On Fri, Nov 5, 2010 at 20:06, Ward Poelmans <wpoely86@gmail.com> wrote:
> On Fri, Nov 5, 2010 at 20:46, James <jtp@nc.rr.com> wrote:
>> The logdir is filled with empty files that, in the name of the file,
>> has the pid of the pam process. However, these files are empty and
>> they do not have anything in them.
>>
>> Thoughts?
>
> Try putting the compile time debugging options on?
>
> Ward
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2010-11-07 22:00 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-11-03 16:25 [gentoo-user] ldap client authentication James
2010-11-03 19:13 ` Stroller
2010-11-03 19:26 ` James
2010-11-04 15:51 ` James
2010-11-04 21:58 ` Adam Carter
2010-11-04 23:48 ` James
2010-11-05 4:44 ` James
2010-11-05 10:22 ` Ward Poelmans
2010-11-05 16:41 ` James
2010-11-05 16:49 ` Ward Poelmans
2010-11-05 19:46 ` James
2010-11-05 20:06 ` Ward Poelmans
2010-11-07 21:59 ` James
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox