pam_ldap problem
Milan Kocián
milon at wq.cz
Sunday September 11 22:56:38 CEST 2005
On Sun, 2005-09-11 at 00:00 +0200, Ondrej Puzman wrote:
> Hello,
> I am trying to get user authentication working on Debian with pam_ldap.
> The problem is that when pam_ldap tries to bind as the user, it
> fails (Invalid credentials). If I try the bind myself, e.g. with
> ldapsearch, everything works correctly - I have absolutely no idea
> where the error could be.
>
> slapd.log - a user login attempt over ssh:
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 fd=13 ACCEPT from IP=127.0.0.1:42862 (IP=0.0.0.0:389)
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 RESULT tag=97 err=0 text=
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=puzman))"
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND anonymous mech=implicit ssf=0
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" mech=SIMPLE ssf=0
> Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=3 RESULT tag=97 err=0 text=
> Sep 11 01:32:55 localhost slapd[5633]: conn=0 op=4 UNBIND
> Sep 11 01:32:55 localhost slapd[5633]: conn=0 fd=13 closed
>
> It can be seen that pam_ldap successfully binds as cn=datakeeper, looks
> the user up in the directory, but the subsequent bind as the user fails
> (RESULT tag=97 err=49 text=).
>
> auth.log contains this:
> Sep 11 01:32:50 localhost sshd[5635]: Illegal user puzman from ::ffff:192.168.1.254
> Sep 11 01:32:53 localhost sshd[5635]: (pam_unix) check pass; user unknown
> Sep 11 01:32:53 localhost sshd[5635]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gatekeeper.praha.amit.cz
> Sep 11 01:32:53 localhost sshd[5635]: pam_ldap: error trying to bind as user "uid=puzman,ou=people,dc=amit,dc=cz" (Invalid credentials)
> Sep 11 01:32:55 localhost sshd[5635]: error: PAM: Authentication failure for illegal user puzman from gatekeeper.praha.amit.cz
> Sep 11 01:32:55 localhost sshd[5635]: Failed keyboard-interactive/pam for illegal user puzman from ::ffff:192.168.1.254 port 40950 ssh2
>
>
> ldapsearch -x -W -D uid=puzman,ou=people,dc=amit,dc=cz -b ou=people,dc=amit,dc=cz
>
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 fd=13 ACCEPT from IP=127.0.0.1:58183 (IP=0.0.0.0:389)
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" mech=SIMPLE ssf=0
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 RESULT tag=97 err=0 text=
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(objectClass=*)"
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=63 text=
> Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=2 UNBIND
>
> With ldapsearch, however, the bind goes through without any problem and
> ldapsearch returns the search results.
>
> I spent a few hours googling and going through the available documentation
> without success. I hope that at least here someone can advise.
> Finally, I attach the relevant configuration files.
> Regards,
> Ondrej Puzman
>
>
> /etc/pam_ldap.conf
> -----------------------------------------------------
> uri ldap://127.0.0.1/
> ldap_version 3
> base ou=people,dc=amit,dc=cz
> scope sub
> timelimit 30
> bind_timelimit 15
> binddn cn=datakeeper,ou=hosts,dc=amit,dc=cz
> bindpw xxxxxx
>
> pam_login_attribute uid
> pam_filter objectclass=posixAccount
> pam_password exop
>
> /etc/pam.d/common-auth
> -----------------------------------------------------
> auth [success=1 default=ignore] pam_unix.so nullok_secure
> auth required pam_ldap.so use_first_pass
> auth required pam_permit.so
>
> /etc/pam.d/common-account
> -----------------------------------------------------
> account [success=1 default=ignore] pam_unix.so
> account required pam_ldap.so
> account required pam_permit.so
>
>
Hello,
just a shot in the dark: do you have /etc/libnss-ldap.conf + nsswitch.conf
set up? In my opinion it is another BIND via libnss, when the system tries
to find out something about the user (home, uid, gid, ...).
Does 'getent passwd' as root list that user from LDAP for you?
Regards
--
Milan Kocián <milon at wq.cz>
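An added triage script, not part of the thread, that puts the two logs quoted above side by side: it pairs each slapd BIND with the RESULT of the same conn/op, notes whether the directory had located the entry first, and checks whether sshd treated the same account as unknown ("Illegal user"), which is the libnss/nsswitch.conf condition the reply asks about. The log lines are a constructed sample modelled on the excerpts above; Python 3.8+ is assumed.

```python
import re
# Constructed sample, modelled on the slapd.log and auth.log excerpts quoted in the thread.
SLAPD_LOG = """\
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="cn=datakeeper,ou=hosts,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 RESULT tag=97 err=0 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SRCH base="ou=people,dc=amit,dc=cz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=puzman))"
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND anonymous mech=implicit ssf=0
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:35:24 localhost slapd[5633]: conn=2 op=0 RESULT tag=97 err=0 text=
"""
AUTH_LOG = """\
Sep 11 01:32:50 localhost sshd[5635]: Illegal user puzman from ::ffff:192.168.1.254
Sep 11 01:32:53 localhost sshd[5635]: pam_ldap: error trying to bind as user "uid=puzman,ou=people,dc=amit,dc=cz" (Invalid credentials)
"""
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (.*)')
BIND_RE, RESULT_RE = re.compile(r'BIND dn="([^"]*)"'), re.compile(r'RESULT tag=\d+ err=(\d+)')
SEARCH_RE = re.compile(r'SEARCH RESULT tag=\d+ err=\d+ nentries=(\d+)')
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

def bind_outcomes(log):
    """Pair each BIND with the RESULT of the same conn/op -> ({conn: [(dn, err)]}, {conn: entries found})."""
    pending, binds, found = {}, {}, {}
    for m in filter(None, map(OP_RE.search, log.splitlines())):
        key, rest = (m[1], m[2]), m[3]
        if b := BIND_RE.match(rest):  # slapd logs a simple BIND twice (method=, then mech=) with the same dn
            pending[key] = b[1]
        elif s := SEARCH_RE.match(rest):
            found[key[0]] = found.get(key[0], 0) + int(s[1])
        elif (r := RESULT_RE.match(rest)) and key in pending:  # 'BIND anonymous' lines never enter pending
            binds.setdefault(key[0], []).append((pending.pop(key), int(r[1])))
    return binds, found

def triage(slapd_log, auth_log, user_dn):
    """Correlate the directory's verdict on a user's binds with whether sshd could resolve the account at all."""
    binds, found = bind_outcomes(slapd_log)
    uid = re.match(r'uid=([^,]+)', user_dn)[1]
    out = {"bind_ok": [], "bind_rejected": [], "nss_unknown": f"Illegal user {uid} " in auth_log}
    for conn, seq in binds.items():
        errs = {err for dn, err in seq if dn == user_dn}
        if 0 in errs:
            out["bind_ok"].append(conn)
        elif INVALID_CREDENTIALS in errs and found.get(conn):  # entry was located, then its own bind was refused
            out["bind_rejected"].append(conn)
    out["verdict"] = f"user bind refused (err=49) on conn {','.join(out['bind_rejected'])}" if out["bind_rejected"] else "no refused user bind"
    if out["bind_rejected"] and out["bind_ok"] and out["nss_unknown"]:
        out["verdict"] += f"; the directory accepts the same DN on conn {','.join(out['bind_ok'])} and sshd does not know {uid}: check nsswitch.conf and libnss-ldap.conf (getent passwd {uid})"
    return out
```

Run against real files with `triage(open('/var/log/slapd.log').read(), open('/var/log/auth.log').read(), dn)`; a verdict that names nsswitch.conf means the password was accepted by the directory on another connection, so the failure is on the NSS side rather than in the credentials.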