Hey all,
I'm working on trying to get local and remote logins via ldap on a
Debian sid box. For the most part I've been following the DebianWiki
examples at http://wiki.debian.net/index.cgi?LDAPAuthentication.
/etc/libnss-ldap is working both with and without nscd running; a file
created with the ownership of an ldap only user displays the uid and
group labels correctly instead of the user/group numbers. This tells me
that libnss-ldap.conf is configured correctly, and the ldap
directory is answering anonymous searches correctly. getent displays
the file and ldap info for passwd and group.
I'm having problems getting libpam-ldap working. I can't seem to get pam
to authenticate the login. The docs on pam_ldap.conf claim libnss-ldap
compatibility, so these files are exactly the same. I have the correct
passwd in /etc/ldap.secret.
The problem appears (I think) to be with the pam.d files. Sid uses
included common-* files for passwd, session, auth and account.
libpam-ldap seems to be querying the directory correctly, based on this
snippet from the slapd logs regarding ACLs and a failed login attempt.
May 16 13:09:57 stork slapd[908]: => acl_mask: access to entry "cn=admin,dc=pwgroup,dc=ca", attr "userPassword" requested
May 16 13:09:57 stork slapd[908]: => acl_mask: to all values by "", (=n)
May 16 13:09:57 stork slapd[908]: <= check a_dn_pat: cn=admin,dc=pwgroup,dc=ca
May 16 13:09:57 stork slapd[908]: <= check a_dn_pat: self
May 16 13:09:57 stork slapd[908]: <= check a_dn_pat: *
May 16 13:09:57 stork slapd[908]: <= acl_mask: [3] applying auth(=x) (stop)
May 16 13:09:57 stork slapd[908]: <= acl_mask: [3] mask: auth(=x)
May 16 13:09:57 stork slapd[908]: => access_allowed: auth access granted by auth(=x)
The appropriate slapd.conf acl is:
access to attribute=userPassword
by dn="cn=admin,dc=pwgroup,dc=ca" write
by self write
by * auth
The auth log lists the failure as:
May 16 13:09:57 stork sshd[2747]: Illegal user riva from 192.168.95.4
May 16 13:09:59 stork sshd[2747]: Failed unknown for illegal user riva from 192.168.95.4 port 38281 ssh2
A $>ps axfw lists this after the attempted login:
2791 ? Ss 0:00 \_ sshd: unknown [priv]
2792 ? Z 0:00 | \_ [sshd] <defunct>
2794 ? S 0:00 | \_ sshd: riva [pam]
An anonymous ldapsearch of "uid=riva,ou=People,dc=pwgroup,dc=ca" works
without displaying the protected fields, and an authenticated search as
either "riva" or "admin" shows the complete record.
Regarding pam, all I've edited is the /etc/pam.d/common-* files:
common-account:
account sufficient pam_ldap.so debug
account required pam_unix.so debug
common-auth:
auth sufficient pam_ldap.so debug
auth required pam_unix.so nullok_secure debug try_first_pass debug
common-passwd:
password sufficient pam_ldap.so ignore_unknown_user md5 debug
password required pam_unix.so nullok obscure min=4 max=8 md5 \
try_first_pass debug
/etc/pam.d/ssh includes all of these in its configuration.
To fill the directory I use the tools from padl.com in the samba src.
I've configured smbldap_conf.pm with the MD5 hashtype.
I'm at a loss to understand why pam isn't recognizing the username in
ldap as a legal user. Does anyone have any ideas regarding this?
Cheers,
lance
--
Lance Levsen, Catprint Computing
Linux Systems and programming
gpg --keyserver wwwkeys.pgp.net --recv-keys 0xF2DA79C8
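Added example, not part of the original message: a small simulator of the Linux-PAM control-flag rules (required / requisite / sufficient / optional), run over the common-auth stack quoted above, to show how that stack resolves for an LDAP-only account, for a local account, and for the same two modules in the opposite order. The scenarios and their module results are constructed; the function names are hypothetical. (Note that sshd's "Illegal user" message is logged when the username cannot be resolved through NSS at all, before the PAM stack is consulted.)

```python
SUCCESS, FAIL = "success", "fail"

def evaluate_stack(stack, results):
    """Evaluate a PAM stack such as /etc/pam.d/common-auth.

    stack   -- list of (control, module) tuples in file order
    results -- dict: module name -> SUCCESS or FAIL for this login attempt
    Classic keyword rules: a failed 'required' is remembered but the stack
    keeps running; a failed 'requisite' aborts at once; a successful
    'sufficient' ends the stack with success unless an earlier 'required'
    already failed; 'optional' only counts if it is the sole module.
    """
    overall_fail = False
    for control, module in stack:
        rc = results.get(module, FAIL)  # assumption: an unlisted module fails
        if control == "required":
            if rc == FAIL:
                overall_fail = True
        elif control == "requisite":
            if rc == FAIL:
                return FAIL
        elif control == "sufficient":
            if rc == SUCCESS and not overall_fail:
                return SUCCESS
        elif control == "optional":
            if len(stack) == 1:
                return rc
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return FAIL if overall_fail else SUCCESS

# The common-auth stack quoted in the message (module arguments omitted).
COMMON_AUTH = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]

# Constructed scenarios: an LDAP-only account is unknown to pam_unix.so, so
# that module fails for it regardless of password; a local account is the
# mirror image and fails in pam_ldap.so instead.
def ldap_only_user_good_password():
    return evaluate_stack(COMMON_AUTH, {"pam_ldap.so": SUCCESS, "pam_unix.so": FAIL})

def ldap_only_user_bad_password():
    return evaluate_stack(COMMON_AUTH, {"pam_ldap.so": FAIL, "pam_unix.so": FAIL})

def local_user_good_password():
    return evaluate_stack(COMMON_AUTH, {"pam_ldap.so": FAIL, "pam_unix.so": SUCCESS})

def reordered_required_first():
    # Same two modules with pam_unix.so 'required' listed first: the LDAP-only
    # user now fails even with the right password, because the remembered
    # required failure blocks the later 'sufficient' short-circuit.
    stack = [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
    return evaluate_stack(stack, {"pam_ldap.so": SUCCESS, "pam_unix.so": FAIL})
```

The last scenario is the ordering pitfall to watch for when editing the common-* files: putting a `required` local module ahead of a `sufficient` directory module silently locks out every account that exists only in the directory.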