
Re: PAM/LDAP authentication



On Wed, Mar 16, 2005 at 02:09:54PM -0500, Radu Brumariu wrote:
> Hello,
> 
> I have a Debian box ( unstable ) that needs to authenticate against an
> ldap server. I have set up the libnss-ldap package, so that if I look
> for a user that's only in LDAP, such as getent passwd ldapuser, I get
> the proper answer back from the LDAP server.
> The only thing that's not working is authentication.

	I'll assume along with libnss-ldap you included libpam-ldap? I
have several servers (> a dozen) using LDAP for authentication myself
without any problems. I'll also assume you have modified the
nsswitch.conf file appropriately to include looking at LDAP as you say
that getent works fine.

> I have the following lines in common-auth & common-account :
> 
> common-auth :
> auth    sufficient      pam_ldap.so ignore_unknown_user
> auth    required        pam_unix.so use_first_pass
> 

	This looks similar to mine except I don't have the
'ignore_unknown_user' option on pam_ldap.so otherwise it's identical.

> common-account :
> account     sufficient    pam_ldap.so ignore_unknown_user
> account     sufficient    pam_unix.so use_first_pass
> account     required      pam_deny.so
> 

	This is close to what I have. Again, as with the previous one, I don't
have the 'ignore_unknown_user' option set. The other differences between
yours and mine are that I have pam_unix.so set to 'required' and do not
have pam_deny.so used at all.

> 
> When I try to ssh in the machine using my LDAP user , I get the
> following entries in auth.log :
> Mar 16 10:59:54 xxx sshd[9777]: Illegal user radu from
> ::ffff:xxx.yyy.xxx.yyy
> Mar 16 11:05:31 xxx sshd[9777]: pam_ldap: error trying to bind as user
> "uid=radu,ou=People,o=xxxxxx" (Invalid credentials)
> Mar 16 11:05:31 xxx sshd[9777]: (pam_unix) check pass; user unknown
> Mar 16 11:05:31 xxx sshd[9777]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxx
> Mar 16 11:05:33 xxx sshd[9777]: error: PAM: User not known to the
> underlying authentication module for illegal user radu from xxxxxxx
> 
	This definitely seems like sshd is trying to use PAM to
authenticate but is unable to authenticate. My first guess would be to
check the libpam-ldap configuration, as without that the pam_ldap.so
module is going to fail. The configuration for the most part should be
identical to libnss-ldap's configuration. The result from pam_unix.so in
your log looks correct given the user is available only in LDAP.

	Regards,
	Jeremy

> 
> Can some one shed some light on this ?
> 
> Thanks ,
> 
> Radu
> 
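The following is an added illustration, not code from either mail and not part of Linux-PAM or pam_ldap: a small simulator of the PAM control flags (sufficient, required, requisite, optional) applied to the two stacks quoted above. The module outcomes fed into it are constructed to mirror the auth.log excerpt (pam_ldap's bind fails with "Invalid credentials", pam_unix reports the user as unknown); the only assumption beyond the thread is that pam_ldap returns PAM_IGNORE for users it does not know when ignore_unknown_user is set, which is how that option is documented.

```python
"""Simulate Linux-PAM's simple control-flag semantics for the common-auth
and common-account stacks quoted in the thread.  Added example; the
outcomes below are constructed from the thread's auth.log lines."""

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# The two stacks from the original post, as constructed input text.
COMMON_AUTH = """
auth    sufficient      pam_ldap.so ignore_unknown_user
auth    required        pam_unix.so use_first_pass
"""

COMMON_ACCOUNT = """
account     sufficient    pam_ldap.so ignore_unknown_user
account     sufficient    pam_unix.so use_first_pass
account     required      pam_deny.so
"""


def parse_pam_stack(text):
    """Parse pam.d-style lines into (facility, control, module, args) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        facility, control, module, *args = fields
        stack.append((facility, control.lower(), module, args))
    return stack


def run_stack(stack, outcomes):
    """Walk the stack the way Linux-PAM does for the simple control flags.

    outcomes maps a module name to SUCCESS, FAIL or IGNORE, the result that
    module returns for this particular login.  IGNORE models PAM_IGNORE,
    which pam_ldap returns for an unknown user when ignore_unknown_user is
    set (assumption from the option's documentation).  A module missing from
    outcomes is taken to fail.
    """
    status = None  # first recorded result, like Linux-PAM's "impression"
    for _facility, control, module, _args in stack:
        result = outcomes.get(module, FAIL)
        if result == IGNORE:
            continue  # PAM_IGNORE never contributes to the final result
        if control == "sufficient":
            # success=done: finish now unless a 'required' module failed earlier
            if result == SUCCESS and status != FAIL:
                return SUCCESS
            # a failing 'sufficient' module is simply ignored
        elif control in ("required", "requisite"):
            if result == FAIL:
                if control == "requisite":
                    return FAIL  # default=die: stop immediately
                status = FAIL  # default=bad: remember, but keep walking
            elif status is None:
                status = SUCCESS  # success=ok
        elif control == "optional":
            if result == SUCCESS and status is None:
                status = SUCCESS
        else:
            raise ValueError(f"control flag not modelled: {control!r}")
    # a stack in which nothing recorded a success is a denial
    return SUCCESS if status == SUCCESS else FAIL


def scenario(stack_text, outcomes):
    """Convenience wrapper: parse a stack and run it against given outcomes."""
    return run_stack(parse_pam_stack(stack_text), outcomes)


def login_from_thread():
    """The case in the auth.log excerpt: LDAP bind fails, pam_unix has no
    such user in /etc/shadow, so the auth stack ends in a denial."""
    return scenario(COMMON_AUTH, {"pam_ldap.so": FAIL, "pam_unix.so": FAIL})


if __name__ == "__main__":
    print("auth, as logged in the thread:", login_from_thread())
    print("auth, LDAP bind succeeds:",
          scenario(COMMON_AUTH, {"pam_ldap.so": SUCCESS, "pam_unix.so": FAIL}))
    print("account, local user, LDAP ignores it:",
          scenario(COMMON_ACCOUNT, {"pam_ldap.so": IGNORE,
                                    "pam_unix.so": SUCCESS,
                                    "pam_deny.so": FAIL}))
```

The simulation makes the reply's point concrete: with pam_ldap.so marked sufficient, its failure is discarded and the decision falls to pam_unix.so, which cannot know a user that exists only in LDAP, so the stack denies the login until the libpam-ldap configuration lets the bind succeed. Swapping the outcome of pam_ldap.so to SUCCESS is the only change that turns the result around.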


