pam_ldap problem

Ondrej Puzman puzmano na volny.cz
Sunday September 11 00:00:23 CEST 2005


Hello,
I am trying to get user authentication working on Debian using pam_ldap.
The problem is that when pam_ldap tries to bind as the user,
it fails (Invalid credentials). If I try the bind myself,
for example with ldapsearch, everything works correctly - I have absolutely
no idea where the error could be.

slapd.log - a user login attempt via ssh:
Sep 11 01:32:53 localhost slapd[5633]: conn=0 fd=13 ACCEPT from IP=127.0.0.1:42862 (IP=0.0.0.0:389)
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 RESULT tag=97 err=0 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=puzman))"
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND anonymous mech=implicit ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 RESULT tag=97 err=0 text=
Sep 11 01:32:55 localhost slapd[5633]: conn=0 op=4 UNBIND
Sep 11 01:32:55 localhost slapd[5633]: conn=0 fd=13 closed

It can be seen that pam_ldap successfully binds as cn=datakeeper, looks up
the user in the directory, but the subsequent bind as the user fails
(RESULT tag=97 err=49 text=).

auth.log contains this:
Sep 11 01:32:50 localhost sshd[5635]: Illegal user puzman from ::ffff:192.168.1.254
Sep 11 01:32:53 localhost sshd[5635]: (pam_unix) check pass; user unknown
Sep 11 01:32:53 localhost sshd[5635]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gatekeeper.praha.amit.cz
Sep 11 01:32:53 localhost sshd[5635]: pam_ldap: error trying to bind as user "uid=puzman,ou=people,dc=amit,dc=cz" (Invalid credentials)
Sep 11 01:32:55 localhost sshd[5635]: error: PAM: Authentication failure for illegal user puzman from gatekeeper.praha.amit.cz
Sep 11 01:32:55 localhost sshd[5635]: Failed keyboard-interactive/pam for illegal user puzman from ::ffff:192.168.1.254 port 40950 ssh2


ldapsearch -x -W -D uid=puzman,ou=people,dc=amit,dc=cz -b ou=people,dc=amit,dc=cz

Sep 11 01:35:24 localhost slapd[5633]: conn=2 fd=13 ACCEPT from IP=127.0.0.1:58183 (IP=0.0.0.0:389)
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 RESULT tag=97 err=0 text=
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(objectClass=*)"
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=63 text=
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=2 UNBIND

With ldapsearch, however, the bind goes through without problems and
ldapsearch returns the search results.

I spent a few hours googling without success and going through the available documentation.
I hope that at least someone here will be able to advise.
Finally, I attach the relevant configuration files.
Best regards,
     Ondrej Puzman


/etc/pam_ldap.conf
-----------------------------------------------------
uri             ldap://127.0.0.1/
ldap_version    3
base            ou=people,dc=amit,dc=cz
scope           sub
timelimit       30
bind_timelimit  15
binddn          cn=datakeeper,ou=hosts,dc=amit,dc=cz
bindpw          xxxxxx

pam_login_attribute     uid
pam_filter              objectclass=posixAccount
pam_password            exop

/etc/pam.d/common-auth
-----------------------------------------------------
auth    [success=1 default=ignore] pam_unix.so nullok_secure
auth    required        pam_ldap.so use_first_pass
auth    required        pam_permit.so

/etc/pam.d/common-account
-----------------------------------------------------
account [success=1 default=ignore] pam_unix.so
account required        pam_ldap.so
account required        pam_permit.so
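As an added example (not part of the original post), the following Python script pairs each simple BIND in slapd stats logging with its BindResponse on the same conn/op, using the log lines quoted above as constructed sample input, and reports DNs that bind successfully from one client but fail from another, which is exactly the pattern seen here (err=49 from pam_ldap, err=0 from ldapsearch for the same uid=puzman DN).

```python
import re
from collections import defaultdict

# Constructed sample: the BIND/RESULT lines quoted in the post (conn=0 is the
# pam_ldap login attempt, conn=2 the ldapsearch test with the same user DN).
SAMPLE_LOG = """\
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 RESULT tag=97 err=0 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND anonymous mech=implicit ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 RESULT tag=97 err=0 text=
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (.*)$')
BIND_DN_RE = re.compile(r'^BIND dn="([^"]*)" method=')
SSF_RE = re.compile(r'^BIND dn=.* ssf=(\d+)')
BIND_RESULT_RE = re.compile(r'^RESULT tag=97 err=(\d+)')  # tag 97 = BindResponse
LDAP_ERR = {0: "success", 49: "invalidCredentials", 50: "insufficientAccessRights"}  # RFC 4511

def bind_outcomes(log_text):
    """Pair each simple BIND with the BindResponse on the same conn/op, skipping the
    implicit anonymous rebind slapd logs first. Returns dicts in log order."""
    pending, out = {}, []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key, rest = (int(m.group(1)), int(m.group(2))), m.group(3)
        if (b := BIND_DN_RE.match(rest)):
            pending[key] = {"conn": key[0], "op": key[1], "dn": b.group(1), "err": None, "ssf": None}
        elif (s := SSF_RE.match(rest)) and key in pending:
            pending[key]["ssf"] = int(s.group(1))  # ssf=0: plain simple bind, no TLS/SASL protection
        elif (r := BIND_RESULT_RE.match(rest)) and key in pending:
            rec = pending.pop(key)
            rec["err"] = int(r.group(1))
            rec["name"] = LDAP_ERR.get(rec["err"], "other")
            out.append(rec)
    return out

def inconsistent_dns(outcomes):
    """DNs that succeeded in one bind and failed in another: the directory accepted
    that DN's password from one client and rejected it from another."""
    seen = defaultdict(set)
    for o in outcomes:
        seen[o["dn"]].add(o["err"])
    return sorted(dn for dn, errs in seen.items() if 0 in errs and len(errs) > 1)
```

A DN reported by inconsistent_dns points at the credential the failing client presented (here the password handed to pam_ldap via use_first_pass) rather than at the directory entry, since the same directory accepted that DN's password moments later.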
