On 27 February 2011 11:05, krad <kra...@gmail.com> wrote:
> On 26 February 2011 20:01, Tim Dunphy <bluethu...@gmail.com> wrote:
>> Hey list,
>>
>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>> nsswitch file because I thought they might be helpful in dispensing
>> advice as to what is going on:
>>
>> uri ldap://LBSD2.summitnjhome.com
>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>> bindpw secret
>> scope sub
>> pam_password exop
>> nss_base_passwd dc=summitnjhome,dc=com
>> nss_base_shadow dc=summitnjhome,dc=com
>> nss_base_group dc=summitnjhome,dc=com
>> nss_base_sudo dc=summitnjhome,dc=com
>>
>>
>> # nsswitch.conf(5) - name service switch configuration file
>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
>> #
>> passwd: files ldap
>> passwd_compat: files ldap
>> group: files ldap
>> group_compat: nis
>> sudoers: ldap
>> hosts: files dns
>> networks: files
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>>
>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
>>> Hello List!!
>>>
>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>> authenticates a network of (mostly virtual) CentOS 5.5 machines.
>>>
>>> But at the moment I am attempting to set up pam authentication for ssh
>>> via LDAP and having some difficulty.
>>>
>>> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>>
>>> # PAM configuration for the "sshd" service
>>> #
>>>
>>> # auth
>>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>>> auth            required        pam_ldap.so
>>> #auth           required        pam_unix.so             no_warn try_first_pass
>>>
>>> # account
>>> account         required        pam_nologin.so
>>> #account        required        pam_krb5.so
>>> account         required        pam_login_access.so
>>> account         required        pam_ldap.so
>>> #account        required        pam_unix.so
>>>
>>> # session
>>> #session        optional        pam_ssh.so
>>> session         sufficient      pam_ldap.so
>>> session         required        pam_permit.so
>>>
>>> # password
>>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>>> password        required        pam_ldap.so
>>> #password       required        pam_unix.so             no_warn try_first_pass
>>>
>>>
>>> And if I'm reading the logs correctly LDAP is searching for and
>>> finding the account information when I am making the login attempt:
>>>
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: OR
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>
>>>
>>> But logins fail every time. Could someone offer an opinion as to what
>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>
>>> Thanks in advance!
>>> Tim
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
>>
>
> these are my files and are from a working setup
>
> # cat /usr/local/etc/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE dc=XXX,dc=net
> URI ldap://XXX.net
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
>
> ssl start_tls
> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>
> pam_login_attribute uid
>
> sudoers_base ou=sudoers,ou=services,dc=XXX,dc=net
> bind_timelimit 1
> timelimit 1
> bind_policy soft
>
> nss_initgroups_ignoreusers root,slapd,krad
>
>
> # ls -l /usr/local/etc/nss_ldap.conf
> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>
> # nsswitch.conf
>
>
> group: cache files ldap [notfound=return]
> passwd: cache files ldap [notfound=return]
>
> these packages are installed
>
> nss_ldap-1.265_4        RFC 2307 NSS module
> openldap-client-2.4.23  Open source LDAP client implementation
> openldap-server-2.4.23  Open source LDAP server implementation
> pam_ldap-1.8.6          A pam module for authenticating with LDAP
>
and my slapd.conf

security ssf=128

TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
#include /usr/local/etc/openldap/schema/ldapns.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/sudo.schema

logfile /var/log/slapd.log
loglevel stats
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/local/libexec/openldap
moduleload back_bdb

database bdb
directory /var/db/openldap-data
#index uid pres,eq
index cn,sn,uid pres,eq,sub
index objectClass eq
#index sudoUser
suffix "dc=XXX,dc=net"
rootdn "cn=krad,dc=XXX,dc=net"
rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa

access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=krad,dc=XXX,dc=net" write
    by * none

access to *
    by self write
    by dn.base="cn=krad,dc=XXX,dc=net" write
    by * read
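An added example, not from anyone in the thread: a small Python correlator for slapd "loglevel stats" output like the lines Tim quoted. It pairs each SRCH request with its SEARCH RESULT by (conn, op) and reports lookups that completed with err=0 but nentries=0, which is the distinction to check before reading a search in the log as the server having found the account. The sample lines are the two stats lines from the post; nothing else is assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two slapd "stats" line shapes we correlate: the request and its result.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=\d+ deref=\d+ filter="(?P<filter>.*)"'
)
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT tag=\d+ '
    r'err=(?P<err>\d+) nentries=(?P<nentries>\d+)'
)

@dataclass
class Search:
    conn: int
    op: int
    base: str
    filter: str
    err: Optional[int] = None       # None until a SEARCH RESULT is seen
    nentries: Optional[int] = None

def correlate(lines: List[str]) -> List[Search]:
    """Pair SRCH requests with their SEARCH RESULT using the (conn, op) key."""
    pending: Dict[Tuple[int, int], Search] = {}
    done: List[Search] = []
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            key = (int(m['conn']), int(m['op']))
            pending[key] = Search(key[0], key[1], m['base'], m['filter'])
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m['conn']), int(m['op']))
            # A result whose request fell outside our window is kept with "?" fields.
            s = pending.pop(key, None) or Search(key[0], key[1], "?", "?")
            s.err, s.nentries = int(m['err']), int(m['nentries'])
            done.append(s)
    done.extend(pending.values())   # requests that never got a result
    return done

def empty_lookups(lines: List[str]) -> List[Search]:
    """Searches that succeeded (err=0) but matched no entry at all."""
    return [s for s in correlate(lines) if s.err == 0 and s.nentries == 0]

# Sample input: the request and result lines quoted in the thread above.
SAMPLE = [
    'Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"',
    'Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=',
]
```

Running empty_lookups over a full slapd log during a failed login shows every NSS or PAM query that came back empty, and the filter of each tells you which attribute (here uidNumber) the client was searching on.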