pam_ldap problem

Milan Kocián milon at wq.cz
Sunday September 11 22:56:38 CEST 2005


On Sun, 2005-09-11 at 00:00 +0200, Ondrej Puzman wrote:
> Hello,
> I am trying to get user authentication working on Debian using pam_ldap.
> The problem is that when pam_ldap tries to bind as the user, the bind
> fails (Invalid credentials). If I try the bind myself, for example with
> ldapsearch, everything works correctly - I have absolutely no idea where
> the error could be.
> 
> slapd.log - attempted user login via ssh:
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 fd=13 ACCEPT from IP=127.0.0.1:42862 (IP=0.0.0.0:389)
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 RESULT tag=97 err=0 text=
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=puzman))"
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND anonymous mech=implicit ssf=0
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 RESULT tag=97 err=0 text=
> Sep 11 01:32:55 localhost slapd[5633]: conn=0 op=4 UNBIND
> Sep 11 01:32:55 localhost slapd[5633]: conn=0 fd=13 closed
> 
> It can be seen that pam_ldap successfully binds as cn=datakeeper, looks up
> the user in the directory, but the subsequent bind as the user fails
> (RESULT tag=97 err=49 text=).
> 
> auth.log contains this:
> Sep 11 01:32:50 localhost sshd[5635]: Illegal user puzman from ::ffff:192.168.1.254
> Sep 11 01:32:53 localhost sshd[5635]: (pam_unix) check pass; user unknown
> Sep 11 01:32:53 localhost sshd[5635]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gatekeeper.praha.amit.cz
> Sep 11 01:32:53 localhost sshd[5635]: pam_ldap: error trying to bind as user "uid=puzman,ou=people,dc=amit,dc=cz" (Invalid credentials)
> Sep 11 01:32:55 localhost sshd[5635]: error: PAM: Authentication failure for illegal user puzman from gatekeeper.praha.amit.cz
> Sep 11 01:32:55 localhost sshd[5635]: Failed keyboard-interactive/pam for illegal user puzman from ::ffff:192.168.1.254 port 40950 ssh2
> 
> 
> ldapsearch -x -W -D uid=puzman,ou=people,dc=amit,dc=cz -b ou=people,dc=amit,dc=cz
> 
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 fd=13 ACCEPT from IP=127.0.0.1:58183 (IP=0.0.0.0:389)
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" mech=SIMPLE ssf=0
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 RESULT tag=97 err=0 text=
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(objectClass=*)"
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=63 text=
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=2 UNBIND
> 
> With ldapsearch, however, the bind goes through without problems and
> ldapsearch returns the search results.
> 
> I spent a few hours googling and going through the available documentation
> without success. I hope that at least here someone can advise.
> Finally, I attach the relevant configuration files.
> Regards,
>      Ondrej Puzman
> 
> 
> /etc/pam_ldap.conf
> -----------------------------------------------------
> uri             ldap://127.0.0.1/
> ldap_version    3
> base            ou=people,dc=amit,dc=cz
> scope           sub
> timelimit       30
> bind_timelimit  15
> binddn          cn=datakeeper,ou=hosts,dc=amit,dc=cz
> bindpw          xxxxxx
> 
> pam_login_attribute     uid
> pam_filter              objectclass=posixAccount
> pam_password            exop
> 
> /etc/pam.d/common-auth
> -----------------------------------------------------
> auth    [success=1 default=ignore] pam_unix.so nullok_secure
> auth    required        pam_ldap.so use_first_pass
> auth    required        pam_permit.so
> 
> /etc/pam.d/common-account
> -----------------------------------------------------
> account [success=1 default=ignore] pam_unix.so
> account required        pam_ldap.so
> account required        pam_permit.so
> 
> 


Hello,

just a shot in the dark: do you have /etc/libnss-ldap.conf + nsswitch.conf
set up? In my opinion this is another BIND via libnss, when the system is
trying to find out something about the user (home, uid, gid, ...).

Does 'getent passwd' as root list that user from LDAP for you?

Regards

-- 
Milan Kocián <milon at wq.cz>
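As an added example, not part of the original thread or of the pam_ldap project, the following Python script does by hand what the original poster did by eye: it pairs every `BIND dn="..."` in a slapd log with the `RESULT tag=97 err=N` for the same `conn`/`op`, names the LDAP result code (err=49 is `invalidCredentials` in RFC 4511), and flags connections where the service account bound fine but another DN was rejected. That pattern says the server and the service credentials are reachable and working, so the rejected DN's password or its ACL on `userPassword` is what to check next. The sample lines are the ones quoted above; the regular expressions assume the field layout of the slapd "stats" log as shown in the thread and may need adjusting for other OpenLDAP versions.

```python
import re

# Constructed sample: the slapd log lines quoted in the thread above
# (the pam_ldap login attempt on conn=0 and the manual ldapsearch on conn=2).
SAMPLE_LOG = """\
Sep 11 01:32:53 localhost slapd[5633]: conn=0 fd=13 ACCEPT from IP=127.0.0.1:42862 (IP=0.0.0.0:389)
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 RESULT tag=97 err=0 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=puzman))"
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND anonymous mech=implicit ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 RESULT tag=97 err=0 text=
Sep 11 01:32:55 localhost slapd[5633]: conn=0 op=4 UNBIND
Sep 11 01:32:55 localhost slapd[5633]: conn=0 fd=13 closed
Sep 11 01:35:24 localhost slapd[5633]: conn=2 fd=13 ACCEPT from IP=127.0.0.1:58183 (IP=0.0.0.0:389)
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" mech=SIMPLE ssf=0
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 RESULT tag=97 err=0 text=
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(objectClass=*)"
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=63 text=
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=2 UNBIND
"""

# Standard LDAP resultCode values (RFC 4511) for the codes that matter here.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# Assumption: slapd "stats" log layout as quoted in the thread. The first
# BIND line of an op carries method=, the second carries mech=; matching on
# method= avoids recording the same bind twice. "BIND anonymous" has no dn=.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
# tag=97 is the bindResponse; SEARCH RESULT lines (tag=101) do not match.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def parse_bind_results(lines):
    """Return (conn, op, dn, err) for every BIND that received a RESULT."""
    pending = {}   # (conn, op) -> dn, waiting for its bindResponse
    results = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is not None:
                results.append((int(conn), int(op), dn, int(err)))
    return results


def failed_binds(lines):
    """Only the binds slapd rejected (err != 0)."""
    return [r for r in parse_bind_results(lines) if r[3] != 0]


def connections_with_partial_failure(lines):
    """Connections on which some binds succeeded and others failed.

    Server reachability and the service account are evidently fine there;
    the rejected DN's credentials (or its access to userPassword) are the
    thing to look at, not the network or pam_ldap.conf's uri/binddn."""
    by_conn = {}
    for conn, _op, _dn, err in parse_bind_results(lines):
        by_conn.setdefault(conn, set()).add(err == 0)
    return sorted(c for c, outcomes in by_conn.items() if outcomes == {True, False})


def report(lines):
    """Human-readable one line per bind, result code named where known."""
    out = []
    for conn, op, dn, err in parse_bind_results(lines):
        name = LDAP_RESULT_NAMES.get(err, "err=%d" % err)
        out.append("conn=%d op=%d bind %-45s -> %s" % (conn, op, dn, name))
    return out


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
    print("connections with mixed bind outcomes:",
          connections_with_partial_failure(SAMPLE_LOG.splitlines()))
```

Run against the quoted log this reports one rejected bind, `uid=puzman,...` on conn=0 op=2 with `invalidCredentials`, and lists conn=0 as a connection where the `cn=datakeeper` service bind succeeded on either side of it. The same `uid=puzman` DN binding successfully on conn=2 (the manual ldapsearch) is what makes the password itself, rather than the directory or the service account, the open question, which is exactly why the reply above asks what the NSS side is doing with that account.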


