Anyone to help?

On Tue, Mar 22, 2016, 14:06 Diogo Kiss <diogok...@gmail.com> wrote:
>
> Hi,
>
> I'm having trouble configuring Postgres to use PAM authentication + LDAP.
>
> I managed to successfully configure the pam_ldap.so module to
> * Authorize (account) *SSH* users from specific groups
> * Authenticate (auth) and authorize (account) users via *su*
>
> But when I try to use it to authenticate PostgreSQL against my LDAP
> server, I get a message saying nothing more than:
>
>> $ psql -h localhost -U dki -d payment
>> Password for user dki:
>> psql: FATAL:  PAM authentication failed for user "dki"
>> FATAL:  PAM authentication failed for user "dki"
>
> Logs from /var/log/* and /var/log/postgres/* are the following:
>
>> 2016-03-22T11:02:34.155848+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:34.156137+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: reconnecting to LDAP server...
>> 2016-03-22T11:02:34.198306+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> [2016-03-22 11:02:34.198 UTC] 127.0.0.1 56f1264a.3357 payment LOG:  could not receive data from client: Connection reset by peer
>> [2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment LOG:  pam_authenticate failed: Authentication failure
>> [2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment FATAL:  PAM authentication failed for user "dki"
>> [2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment DETAIL:  Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
>> 2016-03-22T11:02:37.160995+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.161091+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: reconnecting to LDAP server...
>> 2016-03-22T11:02:37.194711+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.194952+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.195122+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: reconnecting to LDAP server...
>> 2016-03-22T11:02:37.228302+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> [2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment LOG:  pam_authenticate failed: Authentication failure
>> [2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment FATAL:  PAM authentication failed for user "dki"
>> [2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment DETAIL:  Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
>> 2016-03-22T11:02:37.266582+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.266682+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: reconnecting to LDAP server...
>> 2016-03-22T11:02:37.299936+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.300098+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.300189+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: reconnecting to LDAP server...
>> [2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment LOG:  pam_authenticate failed: Authentication failure
>> [2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment FATAL:  PAM authentication failed for user "dki"
>> [2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment DETAIL:  Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
>> 2016-03-22T11:02:37.334239+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>
> Without the reason that pam_ldap can't contact the LDAP server, I can't
> fix it. =(
>
> My configuration files are as follows:
>
> */etc/nsswitch.conf:*
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> hosts: files myhostname dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> */etc/nslcd.conf:*
> uid nslcd
> gid nslcd
> uri ldaps://myserver.com:636
> base dc=mycompany,dc=com
> ssl on
> tls_reqcert demand
> tls_cacertfile /etc/mycompany/tls/mycompany_ca.cert
> tls_cert /etc/mycompany/tls/client.cert
> tls_key /etc/mycompany/tls/client.key
> filter shadow (objectClass=posixAccount)
> bind_timelimit 2
> timelimit 2
> reconnect_sleeptime 1
> reconnect_retrytime 1
>
> */etc/ldap.conf:*
> base dc=mycompany,dc=com
> uri ldaps://myserver.com:636
> ldap_version 3
> port 636
> timelimit 2 # in seconds
> bind_timelimit 2 # in seconds
> nss_base_passwd ou=People,dc=mycompany,dc=com
> nss_base_shadow ou=People,dc= mycompany,dc=com
> nss_base_group ou=Group,dc=mycompany,dc=com
> ssl on
> tls_checkpeer yes
> tls_cacert /etc/mycompany/tls/mycompany_ca.cert
> tls_cert /etc/mycompany/tls/client.cert
> tls_key /etc/mycompany/tls/client.key
> nss_reconnect_tries 1
> nss_reconnect_sleeptime 1 # in seconds
> nss_reconnect_maxsleeptime 1 # in seconds
> nss_reconnect_maxconntries 1
> nss_initgroups_ignoreusers backup,bin,bind,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,proxy,root,sshd,sync,sys,syslog,uucp,www-data,zabbix
>
> */etc/pam.d/postgresql:*
> auth sufficient pam_ldap.so try_first_pass ignore_authinfo_unavail
> auth requisite pam_deny.so
>
> *$ ls -lh /etc/ldap/ldap.conf*
> lrwxrwxrwx 1 root root 14 Mar 22 10:31 /etc/ldap/ldap.conf -> /etc/ldap.conf
>
> Can anyone help me out or point out how to increase debug information?
>
> According to: http://linux.die.net/man/5/pam_ldap
>
> *debug*: This option is recognized by *pam_ldap* but is presently *ignored*.
>
> Thanks in advance,
>
> --
> Diogo Kiss
> E-mail : diogok...@gmail.com
> Tel.: +45 2834 1111
> GTalk: diogok...@gmail.com
> MSN: diogok...@gmail.com
> Y!: diogokiss
>
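The thread above shows the practical problem with PAM-backed PostgreSQL auth: the client and the server log both say only "PAM authentication failed", and the real cause (pam_ldap cannot reach the LDAP server) sits in a different log with a different line format and no shared identifier. Since the pam_ldap `debug` option is documented as ignored, correlating the two logs by time is one of the few ways to see why PAM failed. The following is an added example, not code from the thread: it parses the two line formats quoted in the post (the syslog lines tagged `pam_ldap:` and the PostgreSQL lines whose prefix is assumed to be `[timestamp UTC] client session_id database`), and for each PostgreSQL FATAL PAM failure reports whether pam_ldap logged "Can't contact LDAP server" within a short window before it. The first seven sample lines are taken from the post; the last two are constructed to show a failure with no preceding LDAP error, which this tool classifies differently.

```python
"""Correlate pam_ldap syslog errors with PostgreSQL PAM failures.

Added example; log formats are inferred from the lines quoted in the thread.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# syslog line as shown in the post: "<iso-ts> <host> <tag> : pam_ldap: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>.*?) : pam_ldap: (?P<msg>.*)$"
)
# PostgreSQL line; the prefix layout "[ts UTC] client session db" is an assumption
PG_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) UTC\] "
    r"(?P<client>\S+) (?P<session>\S+) (?P<db>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
PAM_FAILED_RE = re.compile(r'PAM authentication failed for user "(?P<user>[^"]+)"')
LDAP_UNREACHABLE = "Can't contact LDAP server"


@dataclass
class Event:
    kind: str          # "pam_ldap" or "postgres"
    time: datetime     # timezone-aware, UTC
    msg: str
    session: str = ""  # PostgreSQL session id; empty for syslog lines
    level: str = ""    # PostgreSQL severity; empty for syslog lines


def parse_line(line: str) -> Optional[Event]:
    """Parse one line of either format; return None for anything else."""
    m = SYSLOG_RE.match(line)
    if m:
        return Event("pam_ldap", datetime.fromisoformat(m["ts"]), m["msg"])
    m = PG_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        return Event("postgres", ts, m["msg"], session=m["session"], level=m["level"])
    return None


def correlate(lines: Iterable[str], window: timedelta = timedelta(seconds=2)) -> List[dict]:
    """For each PostgreSQL FATAL PAM failure, report whether pam_ldap logged an
    LDAP connectivity error within `window` before it, plus the pg_hba rule."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.time)
    ldap_errors = [e for e in events if e.kind == "pam_ldap" and LDAP_UNREACHABLE in e.msg]
    report = []
    for e in events:
        if e.kind != "postgres" or e.level != "FATAL":
            continue
        m = PAM_FAILED_RE.search(e.msg)
        if not m:
            continue
        recent = [x for x in ldap_errors if e.time - window <= x.time <= e.time]
        hba = next((x.msg for x in events
                    if x.kind == "postgres" and x.session == e.session
                    and x.level == "DETAIL" and "pg_hba.conf" in x.msg), "")
        report.append({
            "time": e.time.isoformat(),
            "session": e.session,
            "user": m["user"],
            "cause": "ldap_unreachable" if recent else "credentials_rejected_or_other",
            "ldap_errors_before": len(recent),
            "hba": hba,
        })
    return report


# First seven lines are quoted from the thread; the last two are constructed.
SAMPLE_LOG = """\
2016-03-22T11:02:34.155848+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
2016-03-22T11:02:34.156137+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: reconnecting to LDAP server...
2016-03-22T11:02:34.198306+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
[2016-03-22 11:02:34.198 UTC] 127.0.0.1 56f1264a.3357 payment LOG: could not receive data from client: Connection reset by peer
[2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment LOG: pam_authenticate failed: Authentication failure
[2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment FATAL: PAM authentication failed for user "dki"
[2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment DETAIL: Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
[2016-03-22 11:05:00.000 UTC] 127.0.0.1 56f12700.3400 payment LOG: pam_authenticate failed: Authentication failure
[2016-03-22 11:05:00.000 UTC] 127.0.0.1 56f12700.3400 payment FATAL: PAM authentication failed for user "dki"
"""


def main() -> None:
    for row in correlate(SAMPLE_LOG.splitlines()):
        print(f'{row["time"]} session={row["session"]} user={row["user"]} '
              f'cause={row["cause"]} ldap_errors_before={row["ldap_errors_before"]}')


if __name__ == "__main__":
    main()
```

On the post's own lines the first failure is classified as `ldap_unreachable` with two connectivity errors in the preceding window, which is the information the poster could not get from psql or the PostgreSQL log alone; the constructed second failure, with no pam_ldap error near it, falls into the other bucket. In production, feed it the merged syslog and PostgreSQL log (for example `cat /var/log/syslog /var/log/postgresql/*.log | python3 correlate.py` after replacing `SAMPLE_LOG` with `sys.stdin`), and adjust `PG_RE` to the server's actual `log_line_prefix`.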