Re: PAM/LDAP authentication
On Wed, Mar 16, 2005 at 02:09:54PM -0500, Radu Brumariu wrote:
> Hello,
>
> I have a Debian box ( unstable ) that needs to authenticate against an
> ldap server. I have set up the libnss-ldap package, so that if I look
> for an user that's only in LDAP , such as getent passwd ldapuser , I get
> the proper answer back from the LDAP server.
> The only thing that's not working is authentication.
I'll assume along with libnss-ldap you included libpam-ldap? I
have several servers (> a dozen) using LDAP for authentication myself
without any problems. I'll also assume you have modified the
nsswitch.conf file appropriately to include looking at LDAP as you say
that getent works fine.
> I have the following lines in common-auth & common-account :
>
> common-auth :
> auth sufficient pam_ldap.so ignore_unknown_user
> auth required pam_unix.so use_first_pass
>
This looks similar to mine except I don't have the
'ignore_unknown_user' option on pam_ldap.so otherwise it's identical.
> common-account :
> account sufficient pam_ldap.so ignore_unknown_user
> account sufficient pam_unix.so use_first_pass
> account required pam_deny.so
>
This is close to what I have. Again, as with the previous one, I don't
have the 'ignore_unknown_user' option set. The other differences between
yours and mine are that I have pam_unix.so set to 'required' and do not
have pam_deny.so used at all.
>
> When I try to ssh in the machine using my LDAP user , I get the
> following entries in auth.log :
> Mar 16 10:59:54 xxx sshd[9777]: Illegal user radu from
> ::ffff:xxx.yyy.xxx.yyy
> Mar 16 11:05:31 xxx sshd[9777]: pam_ldap: error trying to bind as user
> "uid=radu,ou=People,o=xxxxxx" (Invalid credentials)
> Mar 16 11:05:31 xxx sshd[9777]: (pam_unix) check pass; user unknown
> Mar 16 11:05:31 xxx sshd[9777]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxx
> Mar 16 11:05:33 xxx sshd[9777]: error: PAM: User not known to the
> underlying authentication module for illegal user radu from xxxxxxx
>
This definitely seems like sshd is trying to use PAM to
authenticate but is unable to authenticate. My first guess would be to
check the libpam-ldap configuration, as without that the pam_ldap.so
module is going to fail. The configuration for the most part should be
identical to libnss-ldap's configuration. The result from pam_unix.so in
your log looks correct given the user is available only in LDAP.
Regards,
Jeremy
>
> Can some one shed some light on this ?
>
> Thanks ,
>
> Radu
>
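The two PAM stacks quoted in the thread are easiest to reason about by walking them the way Linux-PAM does. The following is an added example, not code from either poster or from the Linux-PAM project: it implements a simplified version of the dispatcher's control-flag semantics (sufficient, required, requisite, and the PAM_IGNORE result that `ignore_unknown_user` produces) and runs the posted common-auth and common-account stacks, plus the reply's variant without `ignore_unknown_user`, against a constructed user database. The user names, passwords and the module stand-ins are assumptions modelled on the log lines above; the real modules consult the LDAP server and /etc/shadow.

```python
"""Simulate how Linux-PAM walks a stack of 'sufficient'/'required' modules.

Added example for the thread above. The user directories and the module
behaviours below are constructed for the simulation, modelled on the
auth.log lines quoted in the post; they are not the real pam_ldap/pam_unix.
"""

# Subset of PAM return codes used by the simulation.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_IGNORE = "PAM_IGNORE"

# Constructed directories: one LDAP-only account, two local accounts.
LDAP_USERS = {"radu": "ldap-secret"}
LOCAL_USERS = {"root": "toor", "alice": "wonderland"}


def pam_ldap(kind, user, password, options):
    """Stand-in for pam_ldap.so: bind as the user (auth) or confirm it exists (account)."""
    if user not in LDAP_USERS:
        # ignore_unknown_user makes the module step aside instead of failing.
        return PAM_IGNORE if "ignore_unknown_user" in options else PAM_USER_UNKNOWN
    if kind == "account":
        return PAM_SUCCESS
    return PAM_SUCCESS if LDAP_USERS[user] == password else PAM_AUTH_ERR


def pam_unix(kind, user, password, options):
    """Stand-in for pam_unix.so; 'user unknown' is what the thread's log shows."""
    if user not in LOCAL_USERS:
        return PAM_USER_UNKNOWN
    if kind == "account":
        return PAM_SUCCESS
    return PAM_SUCCESS if LOCAL_USERS[user] == password else PAM_AUTH_ERR


def pam_deny(kind, user, password, options):
    """Stand-in for pam_deny.so: always fails."""
    return PAM_PERM_DENIED


MODULES = {"pam_ldap.so": pam_ldap, "pam_unix.so": pam_unix, "pam_deny.so": pam_deny}


def parse_stack(text):
    """Parse 'type control module [option ...]' lines as in /etc/pam.d/common-*."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, control, module, *options = line.split()
        stack.append((kind, control, module, frozenset(options)))
    return stack


def run_stack(text, user, password=None):
    """Walk the stack with simplified Linux-PAM control-flag semantics.

    required:   a failure is remembered (first code wins) but the walk continues
    requisite:  a failure ends the walk immediately
    sufficient: a success ends the walk unless a required module already failed;
                a failure is ignored
    PAM_IGNORE: the result is dropped whatever the control flag
    If nothing succeeded and nothing failed, PAM denies by default.
    """
    failure = None
    positive = False
    for kind, control, module, options in parse_stack(text):
        result = MODULES[module](kind, user, password, options)
        if result == PAM_IGNORE:
            continue
        if result == PAM_SUCCESS:
            if control == "sufficient" and failure is None:
                return PAM_SUCCESS
            positive = True
            continue
        if control == "requisite":
            return result
        if control == "required" and failure is None:
            failure = result
    if failure is not None:
        return failure
    return PAM_SUCCESS if positive else PAM_PERM_DENIED


# The stacks quoted in the original post.
COMMON_AUTH = """
auth sufficient pam_ldap.so ignore_unknown_user
auth required pam_unix.so use_first_pass
"""

COMMON_ACCOUNT = """
account sufficient pam_ldap.so ignore_unknown_user
account sufficient pam_unix.so use_first_pass
account required pam_deny.so
"""

# The reply's variant: no ignore_unknown_user, pam_unix required, no pam_deny.
REPLY_AUTH = """
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
"""

if __name__ == "__main__":
    for user, pw in [("radu", "ldap-secret"), ("radu", "wrong"), ("alice", "wonderland"), ("bob", "x")]:
        print(f"{user:6} auth={run_stack(COMMON_AUTH, user, pw):17}"
              f" account={run_stack(COMMON_ACCOUNT, user)}")
```

Running it shows that with the posted common-auth stack an LDAP bind failure for an LDAP-only user ends as PAM_USER_UNKNOWN from pam_unix, which is the "User not known to the underlying authentication module" text sshd logged; a correct bind short-circuits the stack at the sufficient pam_ldap line. The reply's variant yields the same outcomes for both LDAP-only and local users, because a sufficient module's failure is ignored and the required pam_unix decides for local accounts.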