Troubleshooting this requires more info:
1. What's the OS/Linux-flavour? CentOS/RHEL have a pretty painless way to enable LDAP auth, AFAIK.
2. I may be reading the ACLs wrong, but you allow anonymous auth for attribute "userPassword" but for all other attributes, anon has no rights. How will the auth session read user info from LDAP?
- Siddhartha
-----Original Message-----
From: openldap-technical-bounces+sjain=silverspringnet.com@openldap.org On Behalf Of Indexer
Sent: Monday, May 03, 2010 12:52 AM
To: openldap-technical@openldap.org
Subject: Ldap authentication issue with PAM
I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:
May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
I can successfully search the LDAP with this user binding to the LDAP:
ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=chocolate,dc=lan> (default) with scope subtree
# filter: (uid=william)
# requesting: ALL
#
# william, Admin, chocolate.lan
dn: uid=william,ou=Admin,dc=chocolate,dc=lan
uid: william
cn: william
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/william
userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE=
gecos: William Brown,,,,
description: William Brown
shadowLastChange: 1
shadowMax: 0
shadowExpire: 0
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
slapd, when trying to authenticate, shows this:
/usr/local/libexec/slapd -4 -d 256
slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 fd=10 closed (connection lost)
conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="" method=128
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 closed (connection lost)
conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
conn=3 op=0 BIND dn="" method=128
conn=3 op=0 RESULT tag=97 err=0 text=
connection_input: conn=3 deferring operation: binding
conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 fd=12 closed (connection lost)
conn=1 fd=10 closed (connection lost)
Here is my /etc/ldap.conf
base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.srv.chocolate.lan
ldap_version 3
rootbinddn cn=Manager,dc=chocolate,dc=lan
scope one
timelimit 3
bind_timelimit 3
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_check_host_attr no
pam_member_attribute memberuid
pam_password exop
nss_reconnect_tries 4 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 16 # max sleep value to cap at
nss_reconnect_maxconntries 2 # how many tries before sleeping
nss_base_passwd ou=Admin,dc=chocolate,dc=lan?one
nss_base_passwd ou=People,dc=chocolate,dc=lan?one
nss_base_shadow ou=Admin,dc=chocolate,dc=lan?one
nss_base_shadow ou=People,dc=chocolate,dc=lan?one
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?one
nss_base_group ou=Marvin,ou=Group,dc=chocolate,dc=lan?one
ssl off
Here is /etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
access to attrs=userPassword
by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
by anonymous auth
by self write
by * none
access to *
by self write
by users read
database bdb
suffix "dc=chocolate,dc=lan"
rootdn "cn=Manager,dc=chocolate,dc=lan"
rootpw {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm
directory /var/db/openldap-data
index objectClass eq
index uid eq
password-hash {SSHA}
Here is the /etc/openldap/ldap.conf from both the client and server
BASE dc=chocolate,dc=lan
URI ldap://ldap.srv.chocolate.lan
Any help with this would be greatly appreciated
William
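The ACL reading in Siddhartha's second point, worked through against the two access directives in the slapd.conf quoted above. This is an added example, not code from the thread or from OpenLDAP: it models only the selector kinds those two directives use (attrs=, *, dn=, anonymous, self, users) and evaluates what an anonymous bind, the user himself, and another authenticated user (a constructed DN) are granted on the userPassword and uid attributes of the william entry.

```python
# Added example: a minimal model of how slapd evaluates slapd.conf ACLs, loaded
# with the two "access to" directives quoted above. Only the selector kinds those
# two directives use are modelled; real slapd supports many more.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Each clause: (target attribute set, or None for 'access to *',
#               [(subject kind, subject value, granted level), ...]) in file order.
ACLS = [
    ({"userpassword"}, [("dn", "uid=william,ou=Admin,dc=chocolate,dc=lan", "write"),
                        ("anonymous", None, "auth"),
                        ("self", None, "write"),
                        ("*", None, "none")]),
    (None, [("self", None, "write"),
            ("users", None, "read")]),
]

def subject_matches(kind, value, binddn, target_dn):
    """True when a 'by' selector applies to the bound identity (None = anonymous)."""
    bound = binddn is not None
    return {"*": True,
            "anonymous": not bound,
            "users": bound,
            "self": bound and binddn.lower() == target_dn.lower(),
            "dn": bound and binddn.lower() == (value or "").lower()}.get(kind, False)

def granted_level(binddn, target_dn, attr, acls=ACLS):
    """Level slapd grants on one attribute of one entry: the first matching 'access to'
    clause wins, then its first matching 'by'; no match at either step means 'none'."""
    for attrs, by_clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for kind, value, level in by_clauses:
            if subject_matches(kind, value, binddn, target_dn):
                return level
        return "none"
    return "none"

def allows(binddn, target_dn, attr, needed):
    """Filtering on an attribute needs 'search', returning it needs 'read', and a
    simple bind needs 'auth' on userPassword."""
    return LEVELS.index(granted_level(binddn, target_dn, attr)) >= LEVELS.index(needed)

WILLIAM = "uid=william,ou=Admin,dc=chocolate,dc=lan"

if __name__ == "__main__":  # what anonymous and the user himself get on william's entry
    for binddn in (None, WILLIAM):
        print(binddn or "anonymous", "userPassword:", granted_level(binddn, WILLIAM, "userPassword"),
              "uid:", granted_level(binddn, WILLIAM, "uid"),
              "may filter on uid:", allows(binddn, WILLIAM, "uid", "search"))
```

Under these two directives as written, the model gives an anonymous bind "auth" on userPassword and "none" on every other attribute, which is the gap Siddhartha describes; an authenticated user other than william gets "read" on uid but "none" on userPassword.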