pam ssh authentication via ldap
krad
kraduk at gmail.com
Sun Feb 27 11:10:09 UTC 2011
On 27 February 2011 11:05, krad <kraduk at gmail.com> wrote:
> On 26 February 2011 20:01, Tim Dunphy <bluethundr at gmail.com> wrote:
>> Hey list,
>>
>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>> nsswitch file because I thought they might be helpful in dispensing
>> advice as to what is going on:
>>
>> uri ldap://LBSD2.summitnjhome.com
>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>> bindpw secret
>> scope sub
>> pam_password exop
>> nss_base_passwd dc=summitnjhome,dc=com
>> nss_base_shadow dc=summitnjhome,dc=com
>> nss_base_group dc=summitnjhome,dc=com
>> nss_base_sudo dc=summitnjhome,dc=com
>>
>>
>> # nsswitch.conf(5) - name service switch configuration file
>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
>> kensmith Exp $
>> #
>> passwd: files ldap
>> passwd_compat: files ldap
>> group: files ldap
>> group_compat: nis
>> sudoers: ldap
>> hosts: files dns
>> networks: files
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>>
>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>>> Hello List!!
>>>
>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>
>>> But at the moment I am attempting to setup pam authentication for ssh
>>> via LDAP and having some difficulty.
>>>
>>> My /etc/pam.d/sshd file seems to be setup logically and correctly:
>>>
>>> # PAM configuration for the "sshd" service
>>> #
>>>
>>> # auth
>>> auth sufficient pam_opie.so no_warn no_fake_prompts
>>> auth requisite pam_opieaccess.so no_warn allow_local
>>> #auth sufficient pam_krb5.so no_warn try_first_pass
>>> #auth sufficient pam_ssh.so no_warn try_first_pass
>>> auth required pam_ldap.so
>>> #auth required pam_unix.so no_warn try_first_pass
>>>
>>> # account
>>> account required pam_nologin.so
>>> #account required pam_krb5.so
>>> account required pam_login_access.so
>>> account required pam_ldap.so
>>> #account required pam_unix.so
>>>
>>> # session
>>> #session optional pam_ssh.so
>>> session sufficient pam_ldap.so
>>> session required pam_permit.so
>>>
>>> # password
>>> #password sufficient pam_krb5.so no_warn try_first_pass
>>> password required pam_ldap.so
>>> #password required pam_unix.so no_warn try_first_pass
>>>
>>>
>>> And if I'm reading the logs correctly LDAP is searching for and
>>> finding the account information when I am making the login attempt:
>>>
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
>>> base="dc=summitnjhome,dc=com" scope=2 deref=0
>>> filter="(&(objectClass=posixAccount)(uidNumber=1001
>>> ))"
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
>>> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
>>> description objectCla
>>> ss
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: OR
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>> first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
>>> first=106 last=137
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>> first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
>>> first=106 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>> first=106 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>> first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>> first=1 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
>>> tag=101 err=0 nentries=0 text=
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>> active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>> active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>> active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>> active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
>>> error=-2 id=34715, closing.
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
>>> conn=34715 sd=212 for close
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>> active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>> active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>
>>>
>>> But logins fail every time. Could someone offer an opinion as to what
>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>
>>> Thanks in advance!
>>> Tim
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>
>>
>>
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>
>
>
>
> these are my files and are from a working setup
>
> # cat /usr/local/etc/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE dc=XXX,dc=net
> URI ldap://XXX.net
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
>
> ssl start_tls
> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>
> pam_login_attribute uid
>
> sudoers_base ou=sudoers,ou=services,dc=XXX,dc=net
> bind_timelimit 1
> timelimit 1
> bind_policy soft
>
> nss_initgroups_ignoreusers root,slapd,krad
>
>
> # ls -l /usr/local/etc/nss_ldap.conf
> lrwxr-xr-x 1 root wheel 24 Jan 16 22:31
> /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>
> # nsswitch.conf
>
>
> group: cache files ldap [notfound=return]
> passwd: cache files ldap [notfound=return]
>
> these packages are installs
>
> nss_ldap-1.265_4 RFC 2307 NSS module
> openldap-client-2.4.23 Open source LDAP client implementation
> openldap-server-2.4.23 Open source LDAP server implementation
> pam_ldap-1.8.6 A pam module for authenticating with LDAP
>
and my slapd.conf
security ssf=128
TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
#include /usr/local/etc/openldap/schema/ldapns.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/sudo.schema
logfile /var/log/slapd.log
loglevel stats
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
database bdb
directory /var/db/openldap-data
#index uid pres,eq
index cn,sn,uid pres,eq,sub
index objectClass eq
#index sudoUser
suffix "dc=XXX,dc=net"
rootdn "cn=krad,dc=XXX,dc=net"
rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=krad,dc=XXX,dc=net" write
by * none
access to *
by self write
by dn.base="cn=krad,dc=XXX,dc=net" write
by * read
More information about the freebsd-questions
mailing list