public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] ldap client authentication
From: James @ 2010-11-03 16:25 UTC
  To: gentoo-user


Folks,

I'm attempting to set up LDAP authentication against my OpenDS server on a
Gentoo box. I've been struggling with this for several days now with no
progress.

Here's the rundown of how things are configured (fairly straightforward):

- OpenDS server has the following entry (gathered directly from ldapsearch
output), below. Note that clearly the LDAP server is properly configured if
it's responding to an ldapsearch on the client with no problems.


ldap ~ # ldapsearch -H ldap://auth.whatever.com "objectclass=posixAccount"
dn: cn=tb,ou=it,dc=whatever,dc=com
uid: tb
initials: tb
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
givenName: Thomas
cn: tb
sn: Bellview
telephoneNumber: 333.555.3333
homeDirectory: /home/tb
uidNumber: 10001
mail: tb@whatever.com
gidNumber: 10001


- /etc/ldap.conf
base ou=it,dc=whatever,dc=com
uri ldaps://auth.whatever.com
ldap_version 3
tls_reqcert allow
pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
nss_base_passwd ou=it,dc=whatever,dc=com
nss_base_shadow ou=it,dc=whatever,dc=com
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,www-data
timelimit 5
bind_timelimit 5


- Likewise, /etc/openldap/ldap.conf
BASE   ou=it,dc=whatever,dc=com
URI     ldaps://auth.whatever.com
TLS_REQCERT allow
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never


Simple problem: authentication fails. On the CLIENT I see the following in
the log files:

==> auth.log <==
Nov  3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com


On the SERVER I see the following:

[03/Nov/2010:06:27:05 -0400] CONNECT conn=314 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=314 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=314 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=1 msgID=2 result=0 nentries=1 etime=1
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=2 msgID=3 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=2 msgID=3 result=0 nentries=1 etime=1
[03/Nov/2010:06:27:05 -0400] CONNECT conn=315 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=315 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectclass=posixAccount)(uid=tb))" attrs="ALL"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=315 op=1 msgID=2 result=0 nentries=1 etime=0
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=2 msgID=3 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=2 msgID=3 result=0 authDN="" etime=0
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=315 reason="Client Disconnect"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=314 reason="Client Disconnect"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=309 reason="Client Disconnect"


Looks fine, right? Well not really. If I run an ldapsearch *exactly* as it
appears in the SERVER's log, it returns the user.

ldap ~ # ldapsearch -H ldap://auth.whatever.com -b "ou=it,dc=whatever,dc=com" "(&(objectclass=posixAccount)(uid=tb))"
# extended LDIF
#
# LDAPv3
# base <ou=it,dc=whatever,dc=com> with scope subtree
# filter: (&(objectclass=posixAccount)(uid=tb))
# requesting: ALL
#

# tb, it, whatever.com
dn: cn=tb,ou=it,dc=whatever,dc=com
uid: tb
initials: tb
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
givenName: Thomas
cn: tb
sn: Bellview
telephoneNumber: 333.555.3333
homeDirectory: /home/tb
uidNumber: 10001
mail: tb@whatever.com
gidNumber: 10001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


This has me pulling my hair out. Clearly the manual ldapsearch works. The
only thing I can think of is the "scope=wholeSubtree" or the "attrs=ALL"
breaking the query; clearly the applied filters work without any issues.

Thoughts / ideas would be greatly appreciated.

-james
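As an added example (not from the thread, and not OpenDS code), a Python parser for access-log lines of the form shown above that reports, per connection, which uid was searched for and whether any bind actually authenticated as a DN. The sample log is constructed from the conn=315 lines in this post, plus a hypothetical conn=316 showing what a genuine user bind would look like; every bind in the posted log is anonymous (dn=""), so the directory never evaluated tb's password and the failure must be on the client side.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the OpenDS access log in the post (conn=315),
# plus a hypothetical conn=316 showing what a real user bind looks like.
SAMPLE_LOG = """\
[03/Nov/2010:06:27:05 -0400] CONNECT conn=315 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=315 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectclass=posixAccount)(uid=tb))" attrs="ALL"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=315 op=1 msgID=2 result=0 nentries=1 etime=0
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=2 msgID=3 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=2 msgID=3 result=0 authDN="" etime=0
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=315 reason="Client Disconnect"
[03/Nov/2010:06:30:00 -0400] CONNECT conn=316 from=10.1.1.166:44901 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:30:00 -0400] BIND REQ conn=316 op=0 msgID=1 type=SIMPLE dn="cn=tb,ou=it,dc=whatever,dc=com"
[03/Nov/2010:06:30:00 -0400] BIND RES conn=316 op=0 msgID=1 result=0 authDN="cn=tb,ou=it,dc=whatever,dc=com" etime=1
[03/Nov/2010:06:30:01 -0400] DISCONNECT conn=316 reason="Client Disconnect"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<event>[A-Z]+)(?:\s+(?P<phase>REQ|RES))?\s*(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value may be quoted
UID_RE = re.compile(r'\(uid=([^)]+)\)', re.IGNORECASE)  # uid pulled out of a search filter

def parse_line(line):
    """Split one access-log line into its event type, phase and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {'ts': m.group('ts'), 'event': m.group('event'),
            'phase': m.group('phase'), **fields}

def audit_binds(log_text):
    """Per connection: which uid was searched for and which DN (if any) authenticated."""
    conns = defaultdict(lambda: {'uid_looked_up': None, 'authenticated_as': None,
                                 'anonymous_binds': 0, 'failed_binds': 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or 'conn' not in rec:
            continue
        c = conns[rec['conn']]
        if rec['event'] == 'SEARCH' and rec['phase'] == 'REQ':
            m = UID_RE.search(rec.get('filter', ''))
            if m:
                c['uid_looked_up'] = m.group(1)
        elif rec['event'] == 'BIND' and rec['phase'] == 'RES':
            auth_dn = rec.get('authDN', '')
            if rec.get('result') != '0':
                c['failed_binds'] += 1            # wrong password or unknown DN
            elif auth_dn:
                c['authenticated_as'] = auth_dn   # the server verified a password
            else:
                c['anonymous_binds'] += 1         # dn="" bind proves nothing
    return dict(conns)

def diagnose(conns):
    """Connections that found the user but never presented that user's password."""
    return sorted(conn for conn, c in conns.items()
                  if c['uid_looked_up'] and c['authenticated_as'] is None
                  and c['failed_binds'] == 0)

if __name__ == '__main__':
    for conn in diagnose(audit_binds(SAMPLE_LOG)):
        print(f'conn={conn}: user found via search, but only anonymous binds followed')
```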


* Re: [gentoo-user] ldap client authentication
From: Stroller @ 2010-11-03 19:13 UTC
  To: gentoo-user



On 3/11/2010, at 4:25pm, James wrote:
> ...
> I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress.
> 
> Here's the rundown of how things are configured (fairly straightforward):
> ...
> ==> auth.log <==
> Nov  3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com

You've shown us all about your LDAP configuration, but nothing about your PAM configuration, or whether sshd or IMAP are configured to use PAM.

Stroller.



* Re: [gentoo-user] ldap client authentication
From: James @ 2010-11-03 19:26 UTC
  To: gentoo-user


Straight from the Gentoo + LDAP page.

# pam ldap stuff
auth            sufficient      pam_ldap.so use_first_pass
account         sufficient      pam_ldap.so
password        sufficient      pam_ldap.so use_authtok use_first_pass
session         optional        pam_ldap.so

-james

On Wed, Nov 3, 2010 at 15:13, Stroller <stroller@stellar.eclipse.co.uk> wrote:

>
> On 3/11/2010, at 4:25pm, James wrote:
>
> ...
> I'm attempting to set up LDAP authentication against my OpenDS server on a
> Gentoo box. I've been struggling with this for several days now with no
> progress.
>
> Here's the rundown of how things are configured (fairly straightforward):
> ...
>
> ==> auth.log <==
> Nov  3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM:
> Authentication failure for tb from blah.whatever.com
>
>
> You've shown us all about your LDAP configuration, but nothing about your
> PAM configuration, or whether sshd or IMAP are configured to use PAM.
>
> Stroller.
>
>


* Re: [gentoo-user] ldap client authentication
From: James @ 2010-11-04 15:51 UTC
  To: gentoo-user

Bump -- any ideas?

In a tough spot right now trying to wrap this LDAP project up and I'm stuck. :(

-james

On Wed, Nov 3, 2010 at 15:26, James <jtp@nc.rr.com> wrote:
> Straight from the Gentoo + LDAP page.
>
> # pam ldap stuff
> auth            sufficient      pam_ldap.so use_first_pass
> account         sufficient      pam_ldap.so
> password        sufficient      pam_ldap.so use_authtok use_first_pass
> session         optional        pam_ldap.so
>
> -james
>
> On Wed, Nov 3, 2010 at 15:13, Stroller <stroller@stellar.eclipse.co.uk>
> wrote:
>>
>> On 3/11/2010, at 4:25pm, James wrote:
>>
>> ...
>> I'm attempting to set up LDAP authentication against my OpenDS server on a
>> Gentoo box. I've been struggling with this for several days now with no
>> progress.
>>
> Here's the rundown of how things are configured (fairly straightforward):
>> ...
>>
>> ==> auth.log <==
>> Nov  3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM:
>> Authentication failure for tb from blah.whatever.com
>>
>> You've shown us all about your LDAP configuration, but nothing about your
>> PAM configuration, or whether sshd or IMAP are configured to use PAM.
>> Stroller.
>
>




* Re: [gentoo-user] ldap client authentication
From: Adam Carter @ 2010-11-04 21:58 UTC
  To: gentoo-user


On Fri, Nov 5, 2010 at 2:51 AM, James <jtp@nc.rr.com> wrote:

> Bump -- any ideas?
>
> In a tough spot right now trying to wrap this LDAP project up and I'm
> stuck. :(
>
> -james
>
>
You seem to be using ldap sometimes and ldaps other times in your configs.
Suggest you try getting everything working with ldap first, then convert
everything to ldaps (to get SSL working) once you have the application layer
sorted.


* Re: [gentoo-user] ldap client authentication
From: James @ 2010-11-04 23:48 UTC
  To: gentoo-user

LDAP and LDAPS work fine -- as I indicated, the ldapsearch queries
work without any issues. Thus the issue is, more or less, related
directly to PAM and LDAP together.

At some point during troubleshooting I switched to LDAP simply so that
I could sniff the packets going across the wire and see what was going
on.

This is purely a pam_ldap configuration problem as far as I can tell.

Any thoughts on how to go about troubleshooting this would be greatly
appreciated.

-james

On Thu, Nov 4, 2010 at 17:58, Adam Carter <adamcarter3@gmail.com> wrote:
> You seem to be using ldap sometimes and ldaps other times in your configs.
> Suggest you try getting everything working with ldap first, then convert
> everything to ldaps (to get SSL working) once you have the application layer
> sorted.
>




* Re: [gentoo-user] ldap client authentication
From: James @ 2010-11-05  4:44 UTC
  To: gentoo-user

Things just got more interesting.

I just copied my /etc/ldap.conf file over from my Gentoo box to an
Ubuntu box -- it works without a single hitch.

I'm about to rip my hair out here...any ideas on where I can start
troubleshooting this?

- openssh versions are very similar
- newer nss_ldap on gentoo
- newer pam_ldap on gentoo

Thoughts would be greatly appreciated.

-james

On Thu, Nov 4, 2010 at 23:48, James <jtp@nc.rr.com> wrote:
> LDAP and LDAPS work fine -- as I indicated, the ldapsearch queries
> work without any issues. Thus the issue is, more or less, related
> directly to PAM and LDAP together.
>
> At some point during troubleshooting I switched to LDAP simply so that
> I could sniff the packets going across the wire and see what was going
> on.
>
> This is purely a pam_ldap configuration problem as far as I can tell.
>
> Any thoughts on how to go about troubleshooting this would be greatly
> appreciated.
>
> -james
>
> On Thu, Nov 4, 2010 at 17:58, Adam Carter <adamcarter3@gmail.com> wrote:
>> You seem to be using ldap sometimes and ldaps other times in your configs.
>> Suggest you try getting everything working with ldap first, then convert
>> everything to ldaps (to get SSL working) once you have the application layer
>> sorted.
>>
>




* Re: [gentoo-user] ldap client authentication
From: Ward Poelmans @ 2010-11-05 10:22 UTC
  To: gentoo-user

On Fri, Nov 5, 2010 at 05:44, James <jtp@nc.rr.com> wrote:
> Things just got more interesting.
>
> I just copied my /etc/ldap.conf file over from my Gentoo box to an
> Ubuntu box -- it works without a single hitch.
>
> I'm about to rip my hair out here...any ideas on where I can start
> troubleshooting this?

Put logging of PAM to the max and start looking in your pam logs. Your
ldap seems fine.

Ward




* Re: [gentoo-user] ldap client authentication
From: James @ 2010-11-05 16:41 UTC
  To: gentoo-user

It seems that the LDAP is failing to work, as well, in CentOS 5 --
same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.

What's the best way to start troubleshooting this from a PAM perspective?

I have a debug line set at the bottom of the ldap.conf file, but that
doesn't seem to be giving me enough information. Also, I've set
'debug' at the end of every line in my /etc/pam.d/system-auth file, to
no avail. Nothing is showing up in /var/log/debug -- PAM indicates
that the 'debug' keyword sends messages to syslog for processing.

Thoughts / ideas would be greatly appreciated.

Thanks!
-james

On Fri, Nov 5, 2010 at 06:22, Ward Poelmans <wpoely86@gmail.com> wrote:
> On Fri, Nov 5, 2010 at 05:44, James <jtp@nc.rr.com> wrote:
>> Things just got more interesting.
>>
>> I just copied my /etc/ldap.conf file over from my Gentoo box to an
>> Ubuntu box -- it works without a single hitch.
>>
>> I'm about to rip my hair out here...any ideas on where I can start
>> troubleshooting this?
>
> Put logging of PAM to the max and start looking in your pam logs. Your
> ldap seems fine.
>
> Ward
>
>




* Re: [gentoo-user] ldap client authentication
From: Ward Poelmans @ 2010-11-05 16:49 UTC
  To: gentoo-user

On Fri, Nov 5, 2010 at 17:41, James <jtp@nc.rr.com> wrote:
> It seems that the LDAP is failing to work, as well, in CentOS 5 --
> same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.
>
> What's the best way to start troubleshooting this from a PAM perspective?
>
> I have a debug line set at the bottom of the ldap.conf file, but that
> doesn't seem to be giving me enough information. Also, I've set
> 'debug' at the end of every line in my /etc/pam.d/system-auth file, to
> no avail. Nothing is showing up in /var/log/debug -- PAM indicates
> that the 'debug' keyword sends messages to syslog for processing.

Adding the debug keyword to the pam module doesn't do anything, but in ldap.conf:
logdir <directory>
    Specifies the directory used for logging by the LDAP client
library. This feature is not supported by all client libraries.
debug <level>
    Specifies the debug level used for logging by the LDAP client
library. This feature is not supported by all client libraries, and
does not apply to the nss_ldap and pam_ldap modules themselves
(debugging, if any, is configured separately and usually at compile
time).

Ward




* Re: [gentoo-user] ldap client authentication
From: James @ 2010-11-05 19:46 UTC
  To: gentoo-user

Yes, I have both of these options enabled:

logdir <somedir>
debug 256

The logdir is filled with empty files that, in the name of the file,
have the pid of the pam process. However, these files are empty and
they do not have anything in them.

Thoughts?

-james

On Fri, Nov 5, 2010 at 12:49, Ward Poelmans <wpoely86@gmail.com> wrote:
> On Fri, Nov 5, 2010 at 17:41, James <jtp@nc.rr.com> wrote:
>> It seems that the LDAP is failing to work, as well, in CentOS 5 --
>> same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.
>>
> What's the best way to start troubleshooting this from a PAM perspective?
>>
>> I have a debug line set at the bottom of the ldap.conf file, but that
>> doesn't seem to be giving me enough information. Also, I've set
>> 'debug' at the end of every line in my /etc/pam.d/system-auth file, to
>> no avail. Nothing is showing up in /var/log/debug -- PAM indicates
>> that the 'debug' keyword sends messages to syslog for processing.
>
> adding the debug keyword to the pam module doesn't do anything but in ldap.conf:
> logdir <directory>
>    Specifies the directory used for logging by the LDAP client
> library. This feature is not supported by all client libraries.
> debug <level>
>    Specifies the debug level used for logging by the LDAP client
> library. This feature is not supported by all client libraries, and
> does not apply to the nss_ldap and pam_ldap modules themselves
> (debugging, if any, is configured separately and usually at compile
> time).
>
> Ward
>
>




* Re: [gentoo-user] ldap client authentication
From: Ward Poelmans @ 2010-11-05 20:06 UTC
  To: gentoo-user

On Fri, Nov 5, 2010 at 20:46, James <jtp@nc.rr.com> wrote:
> The logdir is filled with empty files that, in the name of the file,
> have the pid of the pam process. However, these files are empty and
> they do not have anything in them.
>
> Thoughts?

Try putting the compile time debugging options on?

Ward




* Re: [gentoo-user] ldap client authentication
From: James @ 2010-11-07 21:59 UTC
  To: gentoo-user

I've enabled compile-time debug flags, to no avail.

I did some troubleshooting for several hours last night and discovered
something interesting -- the LDAP server is responding with a SUCCESS
message to the bind request, but PAM (for whatever reason) is still
denying my login request.

Here's the output of a sniffer capture between the client and the LDAP server:

            bindResponse
                resultCode: success (0)

The /var/log/auth.log file indicates the following:

==> auth.log <==
Nov  3 06:24:00 s_dgram@auth.whatever.com sshd[11393]: error: PAM: Authentication failure for illegal user tb from 10.9.3.153
Nov  3 06:24:00 s_dgram@auth.whatever.com sshd[11393]: Failed keyboard-interactive/pam for invalid user tb from 10.9.3.153 port 56665 ssh2
Nov  3 06:24:00 s_dgram@auth.whatever.com sshd[11396]: pam_tally2(sshd:auth): pam_get_uid; no such user


My /etc/pam.d/system-auth file is pretty much verbatim what is listed here:

http://www.gentoo.org/doc/en/ldap-howto.xml

Also, my /etc/nsswitch.conf file has "files" and "ldap" in the
appropriate places.

passwd:      files ldap
shadow:      files ldap
group:       files ldap

Thoughts would be greatly appreciated -- I'm almost there! I just need
to figure out why PAM isn't playing nice with LDAP authentication.

-james

I'm so close I can taste it. :) Any thoughts or ideas on how to fix
this would be greatly appreciated.


On Fri, Nov 5, 2010 at 20:06, Ward Poelmans <wpoely86@gmail.com> wrote:
> On Fri, Nov 5, 2010 at 20:46, James <jtp@nc.rr.com> wrote:
>> The logdir is filled with empty files that, in the name of the file,
>> have the pid of the pam process. However, these files are empty and
>> they do not have anything in them.
>>
>> Thoughts?
>
> Try putting the compile time debugging options on?
>
> Ward
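As an added example (not from the thread), a classifier for the client-side auth.log lines quoted in this thread. sshd's "illegal user" / "invalid user" wording and pam_tally2's "pam_get_uid; no such user" all mean the account could not be resolved through NSS (getpwnam failed) before any password was checked, which is a different layer from the plain "Authentication failure for tb" that a rejected credential produces. The sample lines are the ones quoted in the thread, unwrapped.

```python
import re

# Constructed sample: the auth.log excerpts quoted in the thread, unwrapped.
AUTH_LOG = """\
Nov  3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com
Nov  3 06:24:00 s_dgram@auth.whatever.com sshd[11393]: error: PAM: Authentication failure for illegal user tb from 10.9.3.153
Nov  3 06:24:00 s_dgram@auth.whatever.com sshd[11393]: Failed keyboard-interactive/pam for invalid user tb from 10.9.3.153 port 56665 ssh2
Nov  3 06:24:00 s_dgram@auth.whatever.com sshd[11396]: pam_tally2(sshd:auth): pam_get_uid; no such user
"""

# sshd says "illegal"/"invalid user" and pam_tally2 says "no such user" when
# getpwnam() fails, i.e. NSS (files + nss_ldap) does not know the account.
UNKNOWN_USER = re.compile(r'\b(?:illegal|invalid) user (\S+)|pam_get_uid; no such user')
# Plain "Authentication failure for <user>" means the account resolved but PAM rejected it.
AUTH_FAIL = re.compile(r'Authentication failure for (?!illegal user|invalid user)(\S+) from (\S+)')
HOST_RE = re.compile(r'@(\S+) sshd\[')

def classify(line):
    """('nss', user) when the account could not be resolved at all,
    ('credential', user) when it resolved but PAM rejected it, else None."""
    m = UNKNOWN_USER.search(line)
    if m:
        return ('nss', m.group(1))          # group is None for the pam_tally2 form
    m = AUTH_FAIL.search(line)
    if m:
        return ('credential', m.group(1))
    return None

def triage(log_text):
    """Per reporting host, count which failure layer dominates."""
    out = {}
    for line in log_text.splitlines():
        host = HOST_RE.search(line)
        kind = classify(line)
        if host is None or kind is None:
            continue
        out.setdefault(host.group(1), {'nss': 0, 'credential': 0})[kind[0]] += 1
    return out

if __name__ == '__main__':
    for host, counts in triage(AUTH_LOG).items():
        print(f'{host}: {counts}')
```

When a host's failures all land in the 'nss' bucket, `getent passwd tb` on that client is the next check, since a successful LDAP bind does not help if nss_ldap cannot return the passwd entry.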



