Hi Tim/Rodney,
I have a question related to Rodney's question. Hope that you or someone can help; it is greatly appreciated. I tried to configure PAM for rlogin from the client machine, which I expect to authenticate user credentials on the LDAP server. It always fails. I haven't configured security for SASL/TLS between the client and server LDAP. Do I need to configure SASL/TLS in order for PAM to work?
Regards, Joe
Two Solaris 10 machines (SunFire T2000) are set up to be LDAP client and server. Installed packages, downloaded from SunFreeWare.com:

    openldap-2.4.32-sol10-sparc-local.gz
    db-4.7.25.NC-sol10-sparc-local.gz
    gcc-3.3.2-sol10-sparc-local.gz
    libgcc-3.3-sol10-sparc-local.gz
    libtool-2.4.2-sol10-sparc-local.gz
    openssl-1.0.1c-sol10-sparc-local.gz
    sasl-2.1.25-sol10-sparc-local.gz

From the client LDAP, I am able to add users to the server LDAP, and ldapwhoami execution is also successful.

    apggd04dev# ldapwhoami -H ldap://apggd06dev.pg.dtveng.net -x -W -D uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
    Enter LDAP Password:
    dn:uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net

Configuration Changes:

- /etc/pam.conf:

    #
    # rlogin service (explicit because of pam_rhost_auth)
    #
    rlogin  auth sufficient  pam_rhosts_auth.so.1
    rlogin  auth requisite   pam_authtok_get.so.1
    rlogin  auth required    pam_dhkeys.so.1
    rlogin  auth required    pam_unix_cred.so.1
    rlogin  auth binding     pam_unix_auth.so.1
    rlogin  auth required    pam_ldap.so.1 debug

- /etc/nsswitch.conf:

    passwd: files ldap
    group:  files ldap
    shadow: files ldap

Errors from /var/log/pamlog:

    Mar 5 08:56:15 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
    Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
    Mar 5 08:56:20 apggd04dev last message repeated 1 time
    Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
    Mar 5 08:56:20 apggd04dev login: [ID 219349 auth.debug] pam_unix_auth: user jkly not found
    Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
    Mar 5 08:56:20 apggd04dev login: [ID 285619 auth.debug] ldap pam_sm_authenticate(rlogin jkly), flags = 0
    Mar 5 08:56:20 apggd04dev login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
    Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error Error in underlying service module
    Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
    Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
    Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:ruser)
    Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user_prompt)
    Mar 5 08:56:24 apggd04dev login: [ID 601877 auth.debug] PAM[3257]: pam_authenticate(296b0, 0)
    Mar 5 08:56:24 apggd04dev login: [ID 407395 auth.debug] PAM[3257]: load_modules(296b0, pam_sm_authenticate)=/usr/lib/security/pam_rhosts_auth.so.1
    Mar 5 08:56:24 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
    Mar 5 08:56:24 apggd04dev login: [ID 386855 auth.debug] PAM[3257]: pam_get_user(296b0, 0, NULL)
________________________________
From: Tim Watts tw@dionic.net
To: openldap-technical@openldap.org
Sent: Tuesday, March 5, 2013 11:49 AM
Subject: Re: ssh with ldap authentication
On 05/03/13 19:16, Rodney Simioni wrote:
Hi,
I’m new to LDAP. I just created a new user in LDAP and it cannot login through ssh. It keeps prompting for the password. Any help will be greatly appreciated.
Hi Rodney,
There are a million ways ssh auth can fail - bad sshd_config, bad PAM config, bad LDAP client config, LDAP server side problem.
Best to try to test the LDAP authentication first.
Can you try something like (on one line):
ldapwhoami -H ldap://your.ldap.server -x -W -D uid=dude12,ou=people,dc=wh,dc=local
Enter the password when prompted and if it replies with
dn:uid=dude12,ou=people,dc=wh,dc=local
Then that bit works...
Then see if
getent passwd
on the client returns a list of users with dude12 in it.
Then post your pam configs and pam_ldap.conf and libnss_ldap.conf (or equivalent according to distro).
--
Tim Watts
Personal Blog: http://squiddy.blog.dionic.net/
http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage
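The following is an added example, not code from anyone on this thread: a small simulator of the control-flag semantics of Solaris pam.conf(4) (sufficient, requisite, required, binding, optional), walked over the rlogin auth stack Joe posted above. The per-module outcomes are constructed from the messages in his /var/log/pamlog excerpt (pam_rhosts_auth and pam_unix_auth reporting no account / user not found, pam_ldap failing after libsldap could not load /var/ldap/ldap_client_file); the flag semantics are my reading of the man page, simplified, and PAM_IGNORE and module options such as "debug" are not modelled. The two extra scenarios in `scenarios()` are hypothetical and go beyond the log: they show that with these flags pam_ldap is only reached after pam_unix_auth fails, and that a failing binding module is sticky, so a later pam_ldap success cannot rescue the stack.

```python
# Added example (not from the thread): simulate Solaris pam.conf(4) control
# flags over the rlogin "auth" stack posted by Joe. Semantics are my reading
# of the man page, simplified: PAM_IGNORE and module options are not modelled.
from typing import Dict, List, Tuple

SUCCESS = "PAM_SUCCESS"

# (control flag, module) in the order listed for the rlogin service.
RLOGIN_AUTH_STACK: List[Tuple[str, str]] = [
    ("sufficient", "pam_rhosts_auth.so.1"),
    ("requisite",  "pam_authtok_get.so.1"),
    ("required",   "pam_dhkeys.so.1"),
    ("required",   "pam_unix_cred.so.1"),
    ("binding",    "pam_unix_auth.so.1"),
    ("required",   "pam_ldap.so.1"),
]

# Outcomes constructed from the posted log. Modules with no entry are
# assumed to succeed. The return-code names are my mapping of the logged
# messages ("No account present for user", "user jkly not found",
# "Error in underlying service module") to PAM error names.
LOGGED_OUTCOMES: Dict[str, str] = {
    "pam_rhosts_auth.so.1": "PAM_USER_UNKNOWN",
    "pam_unix_auth.so.1":   "PAM_USER_UNKNOWN",
    "pam_ldap.so.1":        "PAM_SERVICE_ERR",
}


def run_stack(stack: List[Tuple[str, str]],
              outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk a PAM stack and return (final result, trace of decisions)."""
    trace: List[str] = []
    required_error = None   # first failure of a required/binding module
    optional_error = None   # first failure of a sufficient/optional module
    any_success = False

    for flag, module in stack:
        rv = outcomes.get(module, SUCCESS)
        trace.append(f"{flag:<10} {module:<22} -> {rv}")

        if rv == SUCCESS:
            any_success = True
            # sufficient/binding success ends the stack early, but only if
            # no required/binding module has already failed.
            if flag in ("sufficient", "binding") and required_error is None:
                trace.append("  short-circuit success; remaining modules skipped")
                return SUCCESS, trace
            continue

        if flag == "requisite":
            # A requisite failure stops the stack immediately.
            trace.append("  requisite failure; stack ends")
            return required_error or rv, trace
        if flag in ("required", "binding"):
            # Recorded as fatal, but later modules still run.
            required_error = required_error or rv
        else:
            optional_error = optional_error or rv

    if required_error is not None:
        return required_error, trace
    if optional_error is not None and not any_success:
        return optional_error, trace
    return SUCCESS, trace


def scenarios() -> Dict[str, str]:
    """Final stack result for the logged case and two hypothetical ones."""
    as_logged = run_stack(RLOGIN_AUTH_STACK, LOGGED_OUTCOMES)[0]

    # Hypothetical: pam_ldap works, but pam_unix_auth still cannot find the user.
    ldap_ok = dict(LOGGED_OUTCOMES)
    del ldap_ok["pam_ldap.so.1"]
    ldap_fixed_only = run_stack(RLOGIN_AUTH_STACK, ldap_ok)[0]

    # Hypothetical: pam_unix_auth succeeds (user resolvable, password OK).
    unix_ok = dict(LOGGED_OUTCOMES)
    del unix_ok["pam_unix_auth.so.1"]
    unix_auth_ok = run_stack(RLOGIN_AUTH_STACK, unix_ok)[0]

    return {"as_logged": as_logged,
            "ldap_fixed_only": ldap_fixed_only,
            "unix_auth_ok": unix_auth_ok}


if __name__ == "__main__":
    for line in run_stack(RLOGIN_AUTH_STACK, LOGGED_OUTCOMES)[1]:
        print(line)
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Run as a script it prints the decision trace for the logged case; the trace makes visible that nothing after pam_unix_auth's binding failure can turn the result into PAM_SUCCESS, and that when pam_unix_auth succeeds the stack returns before pam_ldap is ever called.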