Hello to everyone,

We are trying to enable LDAP authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails. We have installed the openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html). Our openldap version is openldap-2.3.39, and all passwords are encrypted with base64-encoded md5. Below is a sample password:

{md5}2FeO34RYzgb7xbt2pYxcpA==
The error messages when trying to 'su -' to the ldap user are:
Jun 1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4

and for ssh:

Jun 1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
Jun 1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2

Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
Please feel free to ask for any other configuration file:
*/etc/pam.conf*

login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_dial_auth.so.1
login   auth sufficient pam_unix_auth.so.1 server_policy debug
login   auth required   /usr/lib/security/pam_ldap.so.1 debug
rlogin  auth sufficient pam_rhosts_auth.so.1
rlogin  auth requisite  pam_authtok_get.so.1
rlogin  auth required   pam_dhkeys.so.1
rlogin  auth required   pam_unix_cred.so.1
rlogin  auth required   pam_unix_auth.so.1 use_first_pass
rsh     auth sufficient pam_rhosts_auth.so.1
rsh     auth required   pam_unix_cred.so.1
rsh     auth required   pam_unix_auth.so.1
ppp     auth requisite  pam_authtok_get.so.1
ppp     auth required   pam_dhkeys.so.1
ppp     auth required   pam_dial_auth.so.1
ppp     auth sufficient pam_unix_auth.so.1 server_policy
other   auth sufficient /usr/lib/security/pam_ldap.so.1 debug
other   auth required   pam_unix_auth.so.1 use_first_pass debug
passwd  auth sufficient pam_passwd_auth.so.1 server_policy
passwd  auth required   /usr/lib/security/pam_ldap.so.1 debug
cron    account required   pam_unix_account.so.1
other   account requisite  pam_roles.so.1
other   account sufficient pam_unix_account.so.1 server_policy
other   account required   /usr/lib/security/pam_ldap.so.1 debug
other   session required   pam_unix_session.so.1
other   password required  pam_dhkeys.so.1
other   password requisite pam_authtok_get.so.1
other   password requisite pam_authtok_check.so.1
other   password required  pam_authtok_store.so.1 server_policy

*/etc/ldap.conf*

base ou=users,ou=Example,dc=staff,dc=example
ldap_version 3
scope sub
pam_groupdn cn=sysadm@example.int,ou=groups,ou=Example,dc=staff,dc=example
pam_member_attribute memberUid
nss_map_attribute uid displayName
nss_map_attribute cn sn
pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
uri ldap://ldapserver01/
ssl no
bind_timelimit 1
bind_policy soft
timelimit 10
nss_reconnect_tries 3
host klnsds01
nss_base_group ou=system_groups,ou=Example,dc=staff,dc=example?sub
pam_password md5

*/etc/nsswitch.conf*

passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:    files dns
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:   user files
auth_attr:  files
prof_attr:  files
project:    files
tnrhtp:     files
tnrhdb:     files

*/etc/security/policy.conf*

AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CRYPT_ALGORITHMS_DEPRECATE=__unix__
LOCK_AFTER_RETRIES=YES
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1

Thanks in advance for any response...!!
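The post turns on how a userPassword value such as {md5}2FeO34RYzgb7xbt2pYxcpA== is stored and checked. The following is an added example, not code from the original post or from pam_ldap or OpenLDAP: it implements the RFC 2307 "{scheme}base64" storage format that OpenLDAP uses for the {MD5} and {SHA} schemes and their salted {SMD5} and {SSHA} variants (base64 of digest(password + salt) followed by the salt), and verifies a candidate password against such a value the way a server-side simple bind does. It goes beyond the post's {md5} case by covering the salted schemes as well. The scheme tag is matched case-insensitively, as it is by slapd, so a lowercase "{md5}" tag is not itself a reason for the check to fail. {CRYPT} values, which slapd hands to the OS crypt(3), are deliberately not implemented. The sample hash is constructed (it is the {MD5} encoding of the word "password"), not the one from the post.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Added example: verifier and encoder for OpenLDAP-style "{scheme}" userPassword
# values. Each scheme maps to (digest function, whether a trailing salt is used).
# {CRYPT} is not handled here; slapd delegates it to the system crypt(3).
_DIGESTS = {
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
}


def parse_userpassword(value: str) -> tuple[str, bytes]:
    """Split "{scheme}base64" into (SCHEME, raw decoded bytes).

    The scheme tag is normalised to upper case, so "{md5}" and "{MD5}"
    are treated identically (as slapd does).
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not a {scheme}-prefixed userPassword value")
    scheme, _, encoded = value[1:].partition("}")
    # validate=True rejects stray characters instead of silently skipping them
    return scheme.upper(), base64.b64decode(encoded, validate=True)


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Return True if `candidate` is the password behind `stored`."""
    scheme, raw = parse_userpassword(stored)
    if scheme not in _DIGESTS:
        raise ValueError(f"unsupported scheme {{{scheme}}}")
    digest_fn, salted = _DIGESTS[scheme]
    digest_len = digest_fn().digest_size
    if len(raw) < digest_len:
        return False  # truncated value can never match
    digest, salt = raw[:digest_len], raw[digest_len:]
    if not salted and salt:
        return False  # an unsalted scheme must be exactly one digest long
    computed = digest_fn(candidate.encode("utf-8") + salt).digest()
    # constant-time comparison so a mismatch position is not timing-visible
    return hmac.compare_digest(computed, digest)


def make_userpassword(scheme: str, password: str, salt: bytes | None = None) -> str:
    """Encode `password` in the given scheme (hypothetical helper, added here).

    For salted schemes a 4-byte random salt is drawn unless one is supplied.
    """
    scheme = scheme.upper()
    digest_fn, salted = _DIGESTS[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: {MD5} encoding of the word "password".
    sample = "{MD5}X03MO1qnZdYdgyfeuILPmQ=="
    print(verify_userpassword(sample, "password"))        # True
    print(verify_userpassword("{md5}X03MO1qnZdYdgyfeuILPmQ==", "password"))  # True, tag case ignored
    print(verify_userpassword(sample, "Password"))        # False
    salted = make_userpassword("SMD5", "password", salt=b"abcd")
    print(salted, verify_userpassword(salted, "password"))  # ... True
```

Because pam_ldap authenticates by binding to the directory with the user's password, a check like this runs on the server side; the client's pam_password setting only governs how a changed password is written back, which is why an {md5} value that slapd accepts for one user should bind for any client that reaches the bind step at all.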