
Re: problems with login from ldap



One more question: are the client machine and the server machine the
same one?

> > try doing this from the client machine:
> >
> > as root:
> > passwd wallas85
> it tells me:
> passwd: Authentication token manipulation error

I take it the password doesn't actually get changed, right?

> > and give it a really simple password, then do:
> but I did that via phpldapadmin (and I also set it so that it is not
> encrypted)

Hmm, with phpldapadmin it might not have been saved in the right
encryption format. I think the simplest application to configure on the
client side is the passwd command, so I recommend you use that tool for
your tests.

If it works, it should change your password.

> > su wallas85
> it logs me into the user but tells me this:
> su: Authentication service cannot retrieve authentication info.
> (Ignorat)
> 
> and in /var/log/auth.log I get this:
> localhost su[XXXX]: pam_ldap: error trying to bind (Invalid credentials)
> localhost su[XXXX]: + pts/0 root:wallas85
> localhost su[XXXX]: (pam_unix) session opened for user wallas85 by root(uid=0)

Looks like it isn't accessing the ldap directory properly... :_


> if from inside the wallas85 user I do: "$passwd wallas85" I get this:
> Changing password for wallas85
> (current) UNIX password: (here I type the password, which is very simple
> and which I just changed as I mentioned)
> passwd: Authentication token manipulation error

I think it can't verify that this really is your password, and that's
why it blows up; further on I'll comment on the files you sent
me....

> > ls /etc/pam.d
> chfn, common-auth, common-session, passwd, ssh, chsh, imap, pop3, su, 
> common-account, common-password, cron, login, ppp, cupsys, other, samba

From what I can see, every application that uses the pam modules to
authenticate includes the common-* files, so it's likely that in some
cases you only have to touch those.

> > cat /etc/pam.conf
> nothing, everything in it is commented out

ok, perfect!


> > cat /etc/pam.d/su
> auth       sufficient pam_rootok.so
> @include common-auth
> @include common-account
> @include common-session
Leaving aside the comments, only the includes are important...
(we'll look at them afterwards)

> > cat /etc/pam.d/ssh
> auth       required     pam_nologin.so
> auth       required     pam_env.so # [1]
> @include common-auth
> @include common-account
> @include common-session
> session    optional     pam_motd.so # [1]
> session    optional     pam_mail.so standard noenv # [1]
> session    required     pam_limits.so
> @include common-password
same as before, everything important is in common-*


> > cat /etc/pam.d/passwd
> @include common-password
The same....


> > cat /etc/pam_ldap.conf
> host gandalf.lothlorien
If I'm not mistaken, it's better to comment this option out and use the
ones below (the ones that say uri)

> # The distinguished name of the search base.
> base dc=lothlorien
ok, I'll assume it's fine...

> # Another way to specify your LDAP server is to provide an
> # uri with the server name. This allows to use
> # Unix Domain Sockets to connect to a local LDAP Server.
> #uri ldap://127.0.0.1/
> #uri ldaps://127.0.0.1/
> #uri ldapi://%2fvar%2frun%2fldapi_sock/
> # Note: %2f encodes the '/' used as directory separator
Here you should put something like:

uri ldap://ip_del_servidor_ldap/

make sure the server is listening:

nmap ip_del_servidor -p 389

> # The LDAP version to use (defaults to 3
> # if supported by client library)
> ldap_version 3
> 
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> #binddn cn=proxyuser,dc=padl,dc=com
> 
> # The credentials to bind with.
> # Optional: default is no credential.
> #bindpw 1
> 
> # The distinguished name to bind to the server with
> # if the effective user ID is root. Password is
> # stored in /etc/ldap.secret (mode 600)
> rootbinddn cn=admin,dc=lothlorien
This one must be the user with privileges over the ldap directory.

> # The port.
> # Optional: default is 389.
> port 389
It's already this port by default :)

> # The search scope.
> #scope sub
> #scope one
> #scope base
> 
> # Search timelimit
> #timelimit 30
> 
> # Bind timelimit
> #bind_timelimit 30
> 
> # Idle timelimit; client will close connections
> # (nss_ldap only) if the server has not been contacted
> # for the number of seconds specified below.
> #idle_timelimit 3600
> 
> # Filter to AND with uid=%s
> #pam_filter objectclass=posixAccount
> 
> # The user ID attribute (defaults to uid)
> #pam_login_attribute uid
> 
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> #pam_lookup_policy yes
> 
> # Check the 'host' attribute for access control
> # Default is no; if set to yes, and user has no
> # value for the host attribute, and pam_ldap is
> # configured for account management (authorization)
> # then the user will not be allowed to login.
> #pam_check_host_attr yes
> 
> # Group to enforce membership of
> #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
> 
> # Group member attribute
> #pam_member_attribute uniquemember
> 
> # Specify a minium or maximum UID number allowed
> #pam_min_uid 0
> #pam_max_uid 0
> 
> # Template login attribute, default template user
> # (can be overriden by value of former attribute
> # in user's entry)
> #pam_login_attribute userPrincipalName
> #pam_template_login_attribute uid
> #pam_template_login nobody
> 
> # HEADS UP: the pam_crypt, pam_nds_passwd,
> # and pam_ad_passwd options are no
> # longer supported.
> 
> # Do not hash the password at all; presume
> # the directory server will do it, if
> # necessary. This is the default.
> #pam_password exop
> 
> # Hash password locally; required for University of
> # Michigan LDAP server, and works with Netscape
> # Directory Server if you're using the UNIX-Crypt
> # hash mechanism and not using the NT Synchronization
> # service.
> #pam_password crypt
To be safe I think you should uncomment this option to tell it that
you'll encrypt the passwords using this function. I think it's needed
for it to work with some linux applications, since if you don't set it,
it assumes the server will be the one doing the encrypting.

> # Remove old password first, then update in
> # cleartext. Necessary for use with Novell
> # Directory Services (NDS)
> #pam_password nds
> 
> # Update Active Directory password, by
> # creating Unicode password and updating
> # unicodePwd attribute.
> #pam_password ad
> 
> # Use the OpenLDAP password change
> # extended operation to update the password.
> #pam_password exop
> #pam_password local
> 
> # Redirect users to a URL or somesuch on password
> # changes.
> #pam_password_prohibit_message Please visit http://internal to change your 
> password.
> 
> # RFC2307bis naming contexts
> # Syntax:
> # nss_base_XXX          base?scope?filter
> # where scope is {base,one,sub}
> # and filter is a filter to be &'d with the
> # default filter.
> # You can omit the suffix eg:
> # nss_base_passwd       ou=People,
> # to append the default base DN but this
> # may incur a small performance impact.
> #nss_base_passwd                ou=people,dc=gsr,dc=pt?one
> #nss_base_shadow                ou=people,dc=gsr,dc=pt?one
> #nss_base_group         ou=groups,dc=gsr,dc=pt?one
> #nss_base_hosts         ou=machines,dc=gsr,dc=pt?one
> #nss_base_services      ou=Services,dc=padl,dc=com?one
> #nss_base_networks      ou=Networks,dc=padl,dc=com?one
> #nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
> #nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
> #nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
> #nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
> #nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
> #nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
> #nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one
> 
> # attribute/objectclass mapping
> # Syntax:
> #nss_map_attribute      rfc2307attribute        mapped_attribute
> #nss_map_objectclass    rfc2307objectclass      mapped_objectclass
> 
> # configure --enable-nds is no longer supported.
> # For NDS now do:
> #nss_map_attribute uniqueMember member
> 
> # configure --enable-mssfu-schema is no longer supported.
> # For MSSFU now do:
> #nss_map_objectclass posixAccount User
> #nss_map_attribute uid msSFUName
> #nss_map_attribute uniqueMember posixMember
> #nss_map_attribute userPassword msSFUPassword
> #nss_map_attribute homeDirectory msSFUHomeDirectory
> #nss_map_objectclass posixGroup Group
> #pam_login_attribute msSFUName
> #pam_filter objectclass=User
> #pam_password ad
> 
> # configure --enable-authpassword is no longer supported
> # For authPassword support, now do:
> #nss_map_attribute userPassword authPassword
> #pam_password nds
> 
> # For IBM SecureWay support, do:
> #nss_map_objectclass posixAccount aixAccount
> #nss_map_attribute uid userName
> #nss_map_attribute gidNumber gid
> #nss_map_attribute uidNumber uid
> #nss_map_attribute userPassword passwordChar
> #nss_map_objectclass posixGroup aixAccessGroup
> #nss_map_attribute cn groupName
> #nss_map_attribute uniqueMember member
> #pam_login_attribute userName
> #pam_filter objectclass=aixAccount
> #pam_password clear
> 
> # Netscape SDK LDAPS
> #ssl on
> 
> # Netscape SDK SSL options
> #sslpath /etc/ssl/certs/cert7.db
> 
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> #ssl start_tls
> #ssl off
> 
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # Default is "no"
> #tls_checkpeer yes
> 
> # CA certificates for server certificate verification
> # At least one of these are required if tls_checkpeer is "yes"
> #tls_cacertfile /etc/ssl/ca.cert
> #tls_cacertdir /etc/ssl/certs
> 
> # Seed the PRNG if /dev/urandom is not provided
> #tls_randfile /var/run/egd-pool
> 
> # SSL cipher suite
> # See man ciphers for syntax
> #tls_ciphers TLSv1
> 
> # Client certificate and key
> # Use these, if your server requires client authentication.
> #tls_cert
> #tls_key
Everything else I think is perfect :)

> > ls -l /etc/ldap_secret
> -rw-r--r--  1 root root 39 2005-01-13 21:53 /etc/ldap.secret
The password contained in this file is the one for the user you assigned
to the rootbinddn parameter (cn=admin,dc=lothlorien). This user must have
at least read permission on the ldap directory.

This file must not be world-readable, since otherwise every user on the
system would know the password.

> > cat /etc/nsswitch.conf
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap
> 
> hosts:          files ldap dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       ldap nis

You also set hosts to use ldap?

> > ps aux | grep nscd
> nscd      2295  0.0  1.6 48204 2632 ?        Ss   22:26   0:00 /usr/sbin/nscd
You have to stop this service while you do all these tests, since
otherwise it will likely give you false answers by caching things that
aren't so.

> > ls /etc/ldap/
> ldap.conf  ldap.conf.bak  schema  slapd.conf  slapd.conf.bak  ssl
oki!

> > cat /etc/ldap/ldap.conf
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> 
> # Your LDAP server. Must be resolvable without using LDAP.
> HOST gandalf.lothlorien
Here it would be the same as in the other file: better comment out host
and define the same uri you defined in the previous file.

> # The distinguished name of the search base.
> BASE dc=lothlorien
ok!

> # The port.
> # Optional: default is 389. 636 is for ldaps
> PORT 389
ok, although if you set the uri I don't think it's needed.

> #PORT 636
> 


> > cat /etc/ldap/sldap.conf
> # Global Directives:
> 
> # Features to permit
> #allow bind_v2
> 
> # Schema and objectClass definitions
> include         /etc/ldap/schema/core.schema
> include         /etc/ldap/schema/cosine.schema
> include         /etc/ldap/schema/nis.schema
> include         /etc/ldap/schema/inetorgperson.schema
> include         /etc/ldap/schema/authldap.schema
> include         /etc/ldap/schema/samba.schema
> #include         /etc/ldap/schema/pykota.schema
> 
> # Schema check allows for forcing entries to
> # match schemas for their objectClasses's
> schemacheck     on
> 
> # Where the pid file is put. The init.d script
> # will not stop the server if you change this.
> pidfile         /var/run/slapd/slapd.pid
> 
> # List of arguments that were passed to the server
> argsfile        /var/run/slapd.args
> 
> # Read slapd.conf(5) for possible values
> loglevel        0
If you're doing tests, I'll paste you the interesting log values:
# Read slapd.conf(5) for possible values
#       1  trace function calls
#       2  debug packet handling
#       4  heavy trace debugging
#       8  connection management
#      16  print out packets sent and received
#      32  search filter processing
#      64  configuration file processing
#     128  access control list processing
#     256  stats log connections/operations/results
#     512  stats log entries sent
#    1024  print communication with shell backends
#    2048  entry parsing

> 
> # Where the dynamically loaded modules are stored
> modulepath      /usr/lib/ldap
> moduleload      back_ldbm
> 
> #######################################################################
> # Specific Backend Directives for ldbm:
> # Backend specific directives apply to this backend until another
> # 'backend' directive occurs
> backend         ldbm
> 
> #######################################################################
> # Specific Backend Directives for 'other':
> # Backend specific directives apply to this backend until another
> # 'backend' directive occurs
> #backend                <other>
> 
> #######################################################################
> # Specific Directives for database #1, of type ldbm:
> # Database specific directives apply to this databasse until another
> # 'database' directive occurs
> database        ldbm
> 
> # The base of your directory in database #1
> suffix          "dc=lothlorien"
> 
> # Where the database file are physically stored for database #1
> directory       "/var/lib/ldap"


<------ start of what I had never seen -------->
> # Required by OpenLDAP
> index objectclass             eq
> 
> index default                 sub
> index cn                      pres,sub,eq
> index sn                      pres,sub,eq
> # Required to support pdb_getsampwnam
> index uid                     pres,sub,eq
> 
> # Required to support pdb_getsambapwrid()
> index displayName             pres,sub,eq
> 
> # Uncomment the following lines if you are storing posixAccount
> # and posixGroup entries in the directory
> index uidNumber               eq
> index gidNumber               eq
> index memberUid               eq
> 
> # Samba 3.*
> index sambaSID                eq
> index sambaPrimaryGroupSID    eq
> index sambaDomainName         eq
> 
> # PyKota
> #index pykotaUserName          pres,eq,sub
> #index pykotaGroupName         pres,eq,sub
> #index pykotaPrinterName       pres,eq,sub
> #index pykotaLastJobIdent      eq
<-----------------end------------------>
As a last resort you can try commenting it out :P


> # Save the time that the entry gets modified, for database #1
> lastmod         on
> 
> # Where to store the replica logs for database #1
> # replogfile    /var/lib/ldap/replog
> 
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> access to attribute=userPassword
>         by dn="cn=admin,dc=lothlorien" write
>         by anonymous auth
>         by self write
>         by * none
> 
> # allow the "ldap admin dn" access, but deny everyone else
> # (Samba related)
> access to attrs=sambaLMPassword,sambaNTPassword
>      by dn="cn=admin,dc=lothlorien" write
>      by * none
If you don't have anything samba-related you can do without this one




> # Ensure read access to the base for things like
> # supportedSASLMechanisms.  Without this you may
> # have problems with SASL not knowing what
> # mechanisms are available and the like.
> # Note that this is covered by the 'access to *'
> # ACL below too but if you change that as people
> # are wont to do you'll still need this if you
> # want SASL (and possible other things) to work
> # happily.
> access to dn.base="" by * read
This option doesn't do anything here, comment it out.



> # The admin dn has full write access, everyone else
> # can read everything.
> access to *
>         by dn="cn=admin,dc=lothlorien" write
>         by * read
ok, perfect

> # For Netscape Roaming support, each user gets a roaming
> # profile for which they have write access to
> #access to dn=".*,ou=Roaming,o=morsnet"
> #        by dn="cn=admin,dc=gsr,dc=pt" write
> #        by dnattr=owner write
> 
> #######################################################################
> # Specific Directives for database #2, of type 'other' (can be ldbm too):
> # Database specific directives apply to this databasse until another
> # 'database' directive occurs
> #database        <other>
> 
> # The base of your directory for database #2
> #suffix         "dc=debian,dc=org"


Let's look at the other files.....

> gandalf:/etc/pam.d# cat common-account
> # /etc/pam.d/common-account - authorization settings common to all services
> account required        pam_unix.so
> account sufficient      pam_ldap.so
I think it's better if you put it the other way round, no?:
account sufficient      pam_ldap.so
account required        pam_unix.so


> gandalf:/etc/pam.d# cat common-auth
> # /etc/pam.d/common-auth - authentication settings common to all services
> auth    sufficient      pam_unix.so
> auth    sufficient      pam_ldap.so try_first_pass
> auth    required        pam_env.so
> auth    required        pam_securetty.so
> auth    required        pam_unix_auth.so
> auth    required        pam_warn.so
> auth    required        pam_deny.so
The same:
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so try_first_pass
auth    required        pam_env.so
auth    required        pam_securetty.so
auth    required        pam_unix_auth.so
auth    required        pam_warn.so
auth    required        pam_deny.so

> gandalf:/etc/pam.d# cat common-password
> # /etc/pam.d/common-password - password-related modules common to all services
> password required       pam_cracklib.so retry=3 minlen=6 difok=4
> password sufficient     pam_unix.so use_authtok md5 shadow
> password sufficient     pam_ldap.so use_authtok
> password required       pam_warn.so
> password required       pam_deny.so
If I'm not mistaken, there are versions of cracklib that aren't
compatible with ldap, so.... better leave it as:
password sufficient     pam_ldap.so
password required       pam_unix.so
password required       pam_warn.so
password required       pam_deny.so
Try it like this first; later on you can add the length options and so on...


> gandalf:/etc/pam.d# cat common-session
> # /etc/pam.d/common-session - session-related modules common to all services
> session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required        pam_limits.so
> session required        pam_unix.so
> session optional        pam_ldap.so
For the tests it's better if you leave it as:
session sufficient        pam_ldap.so
session required        pam_unix.so

Let me know if you've made any progress!

PS: If you run the slapcat command from the client machine, does it
return anything? It should return the contents of the ldap if you have
the ldap client properly configured and the server too :=)

Good luck!
-- 
  Albert Sellarès        GPG id: 0xB88C621A     
  http://www.wekk.net    whats_up@jabber.org 
  Member of Catux.org    http://catux.org    
  Linux User: 324456     Catalunya           
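The common-account discussion in the message above (the order as posted versus the order suggested in the reply) can be checked without a directory at hand by modelling Linux-PAM's control-flag rules. The following Python is an added example for this page; it is not code from the thread or from Linux-PAM. The module outcomes it uses are constructed assumptions (pam_unix failing and pam_ldap succeeding for a user who exists only in the directory, the reverse for a purely local user), and the names parse_stack, evaluate and compare_account_stacks are chosen here.

```python
# Added example (not from the thread or from Linux-PAM): a small evaluator
# of PAM control-flag semantics, used to show why the order of the two
# common-account lines matters for a user who exists only in the directory.

ORIGINAL_ACCOUNT = """\
# /etc/pam.d/common-account as posted in the thread
account required        pam_unix.so
account sufficient      pam_ldap.so
"""

PROPOSED_ACCOUNT = """\
# order suggested in the reply
account sufficient      pam_ldap.so
account required        pam_unix.so
"""

# Constructed module outcomes (assumption): a directory-only user has no
# entry pam_unix can read, so pam_unix fails and pam_ldap succeeds; a
# purely local user is the other way round.
DIRECTORY_USER = {"pam_unix.so": False, "pam_ldap.so": True}
LOCAL_USER = {"pam_unix.so": True, "pam_ldap.so": False}

# How Linux-PAM maps each simple control keyword to an action on
# success / on failure (the [...] equivalents are listed in pam.conf(5)).
ACTIONS = {
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}


def parse_stack(text, facility):
    """Return (control, module) pairs for one facility ('auth', 'account',
    ...), skipping comments and @include lines (includes would have to be
    expanded by the caller)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            rules.append((parts[1], parts[2]))
    return rules


def evaluate(rules, results):
    """Run a stack under Linux-PAM's dispatch rules.

    results maps module file name -> True (PAM_SUCCESS) / False (any error);
    modules not listed are treated as failing. Returns True when the stack
    as a whole succeeds.
    """
    impression = None           # None: undecided, True/False: positive/negative
    for control, module in rules:
        ok = results.get(module, False)
        action = ACTIONS[control][0 if ok else 1]
        if action == "ignore":  # failing sufficient/optional: no effect
            continue
        if action in ("ok", "done"):
            if impression is None:          # success never overrides an earlier failure
                impression = True
            if action == "done" and impression:
                break                       # sufficient success ends the stack...
            # ...but not when a required module has already failed
        else:                               # "bad" or "die"
            impression = False
            if action == "die":
                break                       # requisite failure ends the stack at once
    return impression is True


def compare_account_stacks():
    """Outcome of both common-account stacks for both kinds of user."""
    out = {}
    for name, text in (("original", ORIGINAL_ACCOUNT), ("proposed", PROPOSED_ACCOUNT)):
        rules = parse_stack(text, "account")
        out[name] = {
            "directory_user": evaluate(rules, DIRECTORY_USER),
            "local_user": evaluate(rules, LOCAL_USER),
        }
    return out


if __name__ == "__main__":
    for stack, res in compare_account_stacks().items():
        print(stack, res)
```

With the posted order, the required pam_unix failure is remembered, so the later sufficient pam_ldap success cannot turn the result around and the directory-only user is refused at the account stage; with pam_ldap first, its success ends the stack immediately and pam_unix is never consulted, while a local user passes either way.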
