Hi Tim/Rodney,
I have a question related to Rodney's question. Hope that you or someone can help, it is greatly appreciated.
I tried to configure PAM for rlogin from Client machine which I
expect to authenticate user credential on the LDAP Server. It always
fails.
I haven't configured security for SASL/TLS between Client/Server LDAP. Do I need to configure SASL/TLS in order for PAM to work?
Regards,
Joe
Two Solaris 10 machines (SunFire T2000) are setup to be LDAP client and server.
Installed packages, downloaded from SunFreeWare.com:
openldap-2.4.32-sol10-sparc-local.gz
db-4.7.25.NC-sol10-sparc-local.gz
gcc-3.3.2-sol10-sparc-local.gz
libgcc-3.3-sol10-sparc-local.gz
libtool-2.4.2-sol10-sparc-local.gz
openssl-1.0.1c-sol10-sparc-local.gz
sasl-2.1.25-sol10-sparc-local.gz
From Client LDAP, I am able to add users to Server LDAP, and ldapwhoami execution is also successful.
apggd04dev# ldapwhoami -H ldap://apggd06dev.pg.dtveng.net -x -W -D uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
Enter LDAP Password:
dn:uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
Configuration Changes:
- /etc/pam.conf:
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 debug
- /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
Errors from /var/log/pamlog:
Mar 5 08:56:15 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:20 apggd04dev last message repeated 1 time
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 219349 auth.debug] pam_unix_auth: user jkly not found
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug]
PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 285619 auth.debug] ldap pam_sm_authenticate(rlogin jkly), flags = 0
Mar 5 08:56:20 apggd04dev login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error Error in underlying service module
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:ruser)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user_prompt)
Mar 5 08:56:24 apggd04dev login: [ID 601877
auth.debug] PAM[3257]: pam_authenticate(296b0, 0)
Mar 5 08:56:24 apggd04dev login: [ID 407395 auth.debug] PAM[3257]: load_modules(296b0, pam_sm_authenticate)=/usr/lib/security/pam_rhosts_auth.so.1
Mar 5 08:56:24 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:24 apggd04dev login: [ID 386855 auth.debug] PAM[3257]: pam_get_user(296b0, 0, NULL)
From: Tim Watts <tw@dionic.net>
To: openldap-technical@openldap.org
Sent:
Tuesday, March 5, 2013 11:49 AM
Subject: Re: ssh with ldap authentication
On 05/03/13 19:16, Rodney Simioni wrote:
> Hi,
>
> I’m new to LDAP. I just created a new user in LDAP and it cannot login
> through ssh. It keeps prompting for the password. Any help will be
> greatly appreciated.
Hi Rodney,
There are a million ways ssh auth can fail - bad sshd_config, bad PAM config, bad LDAP client config, LDAP server side problem.
Best to try to test the LDAP authentication first.
can you try something like (on one line)
ldapwhoami -H ldap://your.ldap.server -x -W -D uid=dude12,ou=people,dc=wh,dc=local
Enter the password when prompted and if it replies with
dn:uid=dude12,ou=people,dc=wh,dc=local
Then that bit works...
Then see if
getent passwd
on the client returns a list of uses with dude12 in.
Then post your pam configs and pam_ldap.conf and libnss_ldap.conf (or equivalent according to distro).
-- Tim
Watts
Personal Blog: http://squiddy.blog.dionic.net/
http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage