pam_ldap problem
Ondrej Puzman
puzmano at volny.cz
Sunday September 11 00:00:23 CEST 2005
Hello,
I am trying to get user authentication working on Debian with pam_ldap.
The problem is that when pam_ldap tries to bind as the user's DN, the
bind fails (Invalid credentials). If I try the bind myself, for example
with ldapsearch, everything works correctly - I have absolutely no idea
where the error could be.
slapd.log - attempt by the user to log in via ssh:
Sep 11 01:32:53 localhost slapd[5633]: conn=0 fd=13 ACCEPT from IP=127.0.0.1:42862 (IP=0.0.0.0:389)
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 RESULT tag=97 err=0 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=puzman))"
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND anonymous mech=implicit ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 RESULT tag=97 err=0 text=
Sep 11 01:32:55 localhost slapd[5633]: conn=0 op=4 UNBIND
Sep 11 01:32:55 localhost slapd[5633]: conn=0 fd=13 closed
It can be seen that pam_ldap successfully binds as cn=datakeeper, finds
the user in the directory, but the subsequent bind as the user fails
(RESULT tag=97 err=49 text=).
In auth.log there is this:
Sep 11 01:32:50 localhost sshd[5635]: Illegal user puzman from ::ffff:192.168.1.254
Sep 11 01:32:53 localhost sshd[5635]: (pam_unix) check pass; user unknown
Sep 11 01:32:53 localhost sshd[5635]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gatekeeper.praha.amit.cz
Sep 11 01:32:53 localhost sshd[5635]: pam_ldap: error trying to bind as user "uid=puzman,ou=people,dc=amit,dc=cz" (Invalid credentials)
Sep 11 01:32:55 localhost sshd[5635]: error: PAM: Authentication failure for illegal user puzman from gatekeeper.praha.amit.cz
Sep 11 01:32:55 localhost sshd[5635]: Failed keyboard-interactive/pam for illegal user puzman from ::ffff:192.168.1.254 port 40950 ssh2
ldapsearch -x -W -D uid=puzman,ou=people,dc=amit,dc=cz -b ou=people,dc=amit,dc=cz
Sep 11 01:35:24 localhost slapd[5633]: conn=2 fd=13 ACCEPT from IP=127.0.0.1:58183 (IP=0.0.0.0:389)
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 RESULT tag=97 err=0 text=
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(objectClass=*)"
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=63 text=
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=2 UNBIND
With ldapsearch, however, the bind goes through without problems and
ldapsearch returns the search results.
I spent a few hours googling and going through the available
documentation without success. I hope that at least here someone can
advise. Finally, I attach the relevant configuration files.
Best regards,
Ondrej Puzman
/etc/pam_ldap.conf
-----------------------------------------------------
uri ldap://127.0.0.1/
ldap_version 3
base ou=people,dc=amit,dc=cz
scope sub
timelimit 30
bind_timelimit 15
binddn cn=datakeeper,ou=hosts,dc=amit,dc=cz
bindpw xxxxxx
pam_login_attribute uid
pam_filter objectclass=posixAccount
pam_password exop
/etc/pam.d/common-auth
-----------------------------------------------------
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
/etc/pam.d/common-account
-----------------------------------------------------
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
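As an added example (not part of the original post or of pam_ldap/OpenLDAP), the script below parses slapd log lines of the kind shown above and reports, per connection, whether the service-account bind succeeded and which other BIND operations failed, translating the numeric LDAP result code. Run over the lines copied from the post, it makes the relevant contrast explicit: the same DN uid=puzman,... gets err=49 (invalidCredentials) on conn=0, where pam_ldap performed the bind, and err=0 on conn=2, where ldapsearch did. The service DN is taken from the binddn line of /etc/pam_ldap.conf above; the log text is embedded inline so the script runs offline.

```python
import re
from collections import defaultdict

# slapd log lines copied from the post above: conn=0 is the ssh login attempt
# through pam_ldap, conn=2 is the manual ldapsearch bind with the same user DN.
SAMPLE_LOG = """\
Sep 11 01:32:53 localhost slapd[5633]: conn=0 fd=13 ACCEPT from IP=127.0.0.1:42862 (IP=0.0.0.0:389)
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 RESULT tag=97 err=0 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=puzman))"
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND anonymous mech=implicit ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 RESULT tag=97 err=0 text=
Sep 11 01:32:55 localhost slapd[5633]: conn=0 op=4 UNBIND
Sep 11 01:32:55 localhost slapd[5633]: conn=0 fd=13 closed
Sep 11 01:35:24 localhost slapd[5633]: conn=2 fd=13 ACCEPT from IP=127.0.0.1:58183 (IP=0.0.0.0:389)
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 RESULT tag=97 err=0 text=
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(objectClass=*)"
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=63 text=
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=2 UNBIND
"""

# binddn from the /etc/pam_ldap.conf shown in the post
SERVICE_DN = "cn=datakeeper,ou=hosts,dc=amit,dc=cz"

# Names for the LDAP resultCode values that usually matter for bind failures.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
# Only the "method=" BIND line carries the DN; the "mech=SIMPLE" line and the
# "BIND anonymous mech=implicit" line that precedes a rebind are ignored.
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
# tag=97 is the bindResponse tag, so this RESULT belongs to a BIND op.
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def parse_binds(log_text):
    """Pair each BIND request with its bindResponse.

    Returns a list of (conn, op, dn, err) tuples in log order.
    """
    pending = {}  # (conn, op) -> dn of a BIND still waiting for its RESULT
    binds = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, rest = int(m["conn"]), m["rest"]
        b = BIND_RE.search(rest)
        if b:
            pending[(conn, int(b["op"]))] = b["dn"]
            continue
        r = RESULT_RE.search(rest)
        if r:
            key = (conn, int(r["op"]))
            if key in pending:
                binds.append((conn, key[1], pending.pop(key), int(r["err"])))
    return binds


def diagnose(binds, service_dn):
    """Summarise bind outcomes per connection.

    For each connection: did the configured service account bind successfully,
    and which binds as some other DN failed (with the decoded result code)?
    """
    per_conn = defaultdict(list)
    for conn, op, dn, err in binds:
        per_conn[conn].append((op, dn, err))
    report = {}
    for conn, ops in sorted(per_conn.items()):
        service_ok = any(dn == service_dn and err == 0 for _, dn, err in ops)
        failed = [
            (dn, err, LDAP_RESULT_NAMES.get(err, "err%d" % err))
            for _, dn, err in ops
            if dn != service_dn and err != 0
        ]
        report[conn] = {"service_bind_ok": service_ok, "failed_user_binds": failed}
    return report


if __name__ == "__main__":
    for conn, info in diagnose(parse_binds(SAMPLE_LOG), SERVICE_DN).items():
        print("conn=%d service_bind_ok=%s" % (conn, info["service_bind_ok"]))
        for dn, err, name in info["failed_user_binds"]:
            print("  failed bind as %s: err=%d (%s)" % (dn, err, name))
```

Pointing the script at a real slapd log (for example by reading sys.stdin instead of SAMPLE_LOG) gives the same per-connection view; a user DN that fails only on the connections where the service bind preceded it, and succeeds when bound directly, points at the credential the PAM stack hands to pam_ldap rather than at the directory entry itself.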