PAM/Ldap problems

[junky]

Hi,
I'm trying to setup a centralised LDAP server, with clients using it for authentication (all machines are Gentoo). The server running slapd seems to work fine including local authentication via PAM.

I'm now trying to get clients to use the LDAP server for authentication. Using ....
http://www.monkeybox.org.uk/docs/gentoo/ldap.html as guidence.

The clients can succesfully use ldapsearch to query the ldap server. I've made the advised changes to system-auth and nsswitch.conf but PAM seems to ignore these completely when using getent or when attempting to login.

I've added ldap to my USE flags and re-emerged pam_ldap nss_ldap and pam, and rebooted. But still PAM doesn't attempt to use ldap.

Using tcpdump I've monitored the traffic from the client to the server and there isn't a single packet sent from client to server on either of the ldap ports. However there clearly is during an ldapsearch.

I've literaly cut and paste system-auth from the monkeybox.

Has this been seen before ?
Can anybody advise ?
Can I trace PAM ?

Thanks

Junky

[weyhan]

You need to setup /etc/ldap.conf. Both pam and nss uses this file. Even with nsswitch.conf setup correctly, if the ldap server can't be found, it will use the file version of the login credentials.

[junky]

Hi,
Thanks for the response. If there was a problem with /etc/ldap.conf wouldn't this break ldapsearch ? ldapsearch works fine from the client, hence I think it's a problem with PAM.

Cheers

Junky

[weyhan]

Hi,
Thanks for the response. If there was a problem with /etc/ldap.conf wouldn't this break ldapsearch ? ldapsearch works fine from the client, hence I think it's a problem with PAM.

Nope. Because ldapsearch uses /etc/openldap/ldap.conf for it's configuration while pam and nss uses /etc/ldap.conf. Notice there are two configuration file with the same name in different locations.

You are right in that sense that PAM is the problem because PAM is not getting the correct configuration from /etc/ldap.conf

[junky]

Han,
You were right. A bit more tweaking of /etc/ldap.conf now means that getent works ! Thanks for your assistance. Any idea why sshd would ignore it though ?

Thanks

Junky

[weyhan]

Han,
You were right. A bit more tweaking of /etc/ldap.conf now means that getent works ! Thanks for your assistance.

No problem.

Any idea why sshd would ignore it though ?

User authentication is not handle by sshd (at least not with the gentoo default setting) but rather it is using pam to do the authentication. sshd is not really ignoring your ldap server. Problem like yours usually mean that pam can't connect to the ldap server therefore pam fallback to the file base user credentials. Which of course will not find the users that are in the ldap db.

[junky]

Han,
Once again you were spot on !
Due to the problems I was having with /etc/ldap.conf, I backed out the changes I had made to system-auth to ensure I didn't lock my self out of the system. Once I fixed up /etc/ldap.conf and put my ldap version system-auth back in place PAM started working.

Thanks again for all your assitance, it is greatly appreciated.

Junky

[weyhan]

Han,
Once again you were spot on !

That's the result of 2 months of research and trial plus lot's of error.

Due to the problems I was having with /etc/ldap.conf, I backed out the changes I had made to system-auth to ensure I didn't lock my self out of the system. Once I fixed up /etc/ldap.conf and put my ldap version system-auth back in place PAM started working.

Humm... As you have also noted that you could get lock out. Maybe it might be a good idea to leave at least your root account in the regular file base credential along with maybe a few system account and groups. It's very easy to get PAM to authenticate user from the file base version if that user is not found in the ldap version. That way, even when your ldap server is down, you can still login to the system.

Thanks again for all your assitance, it is greatly appreciated.

Glad to, so long as you did not ask me to do your homework.

[Skywacker]

I've been following the http://www.monkeybox.org.uk/docs/gentoo/ldap.html howto as well. I finally got things working in the sense that I can install LDAP, start slapd, migrate data, ldapsearch and find all that data, but getent passwd only returns users from /etc/passwd.

I understand that /etc/ldap.conf is what getent uses. I've copied the example from monkeybox exactly(changing the domain names). I've tried using

Since ldapsearch is working, and it uses /etc/openldap/ldap.conf, I tried mimicking some settings there into /etc/ldap.conf.

I've tried restarted slapd between every change and tail-ing /var/log/messages after each attempt. nothing works, and nothing shows up in the logs.

When slapd is NOT running and I try to ssh in, I get this in the messages log:
Aug 20 11:23:17 b2 sshd[20117]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 20 11:23:17 b2 sshd[20115]: Accepted keyboard-interactive/pam for root from 192.168.0.1 port 13236 ssh2
Aug 20 11:23:17 b2 sshd(pam_unix)[20118]: session opened for user root by root(uid=0)

But if slapd IS running, I get no such complaint, only: b2 slapd[20036]: bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)

The way I understand it from posts above is ssh relies on pam, pam looks in nsswitch, my nsswitch says to try compat and ldap, it doesn't see the ldap server at all, and checks the password versus /etc/passwd. So when slapd is running, pam CAN contact the LDAP server, but I'm getting no results.

I'll post my relevant config files:

/etc/slapd.conf

Code: Select all

#0penLDAP:pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31
# kurtExp$
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schema and objectClass definitions
include    /etc/openldap/schema/core.schema
include    /etc/openldap/schema/cosine.schema
include    /etc/openldap/schema/nis.schema
include    /etc/openldap/schema/inetorgperson.schema
#include    /etc/openldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck   on

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org
pidfile    /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args

Loglevel   0

# Load dynamic backend modules:
# modulepath   /usr/lib/openldap/openldap
# moduleload   back_ldap.la
# moduleload   back_ldbm.la
# moduleload   back_passwd.la
# moduleload   back_shell.la

# Password Hash
password-hash  {crypt}

# TLS stuff
# Keep the following commented until everything else is working
#
#TLSCertificateFile     /etc/ssl/certs/slapdcert.pem
#TLSCertificateKeyFile  /etc/ssl/certs/slapdkey.pem
#TLSCACertificateFile   /etc/ssl/certs/slapdcert.pem



#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=cvucluster,dc=localdomain"
#suffix "o=My Organization Name,c=US"

rootdn "cn=Manager,dc=cvucluster,dc=localdomain"
#rootdn "cn=Manager,o=My Organization Name,c=US"

# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw {MD5}Nmf1z1bcJZWVpoSbeGQbsg==
rootpw {MD5}myencyptedpassword==

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/openldap-ldbm

# Indices to maintain
index   objectClass   eq
index   cn            pres,sub,eq
index   sn            pres,sub,eq

## required to support pdb_getsampwnam
#index   uid           pres,sub,eq

## required to support pdb_getsambapwrid()
#index   displayName   pres,sub,eq

## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index   uidNumber            eq
index   gidNumber            eq
index   memberUid            eq
#index   sambaSID             eq
#index   sambaPrimaryGroupSID eq
#index   sambaDomainName      eq
index   default              sub

# Save the time that the entry gets modified, for database #1
lastmod    on

# Where to store the replica logs for database #1
# replogfile /var/lib/openldap-slurp/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below

# These access lines apply to this database only

access to *
        by dn=''uid=root,ou=People,dc=cvucluster,dc=localdomain'' write
        by dn="cn=Manager,dc=cvucluster,dc=localdomain" write
        by users read
        by anonymous auth
        by * search

#access to attribute=userPassword,gecos,description,sambaLMPassword,sambaNTPasswo
rd
access to attribute=userPassword,gecos,description
        by dn=''cn=Manager,dc=cvucluster.localdomain'' write
        by dn=''uid=root,ou=People,dc=cvucluster,dc=localdomain'' write
        by self write
        by anonymous auth
        by * none

#access to everything for manager
access to *
        by dn="cn=Manager,dc=cvucluster,dc=localdomain" write
        by * read

/etc/openldap.ldap.conf

Code: Select all

BASE            dc=cvucluster, dc=localdomain
TLS_REQCERT  allow
URI ldap://b2.cvucluster.localdomain

/etc/ldap.conf

Code: Select all

host                 127.0.0.1

BASE                 dc=cvucluster,dc=localdomain

URI                     ldap://b2.cvucluster.localdomain

scope                one

pam_filter           objectclass=posixaccount

pam_login_attrubute  uid

pam_member_attribute memberuid
nss_base_passwd      ou=People,dc=cvucluster,dc=localdomain?one
nss_base_shadow      ou=People,dc=cvucluster,dc=localdomain?one
nss_base_group       ou=Group,dc=cvucluster,dc=localdomain?one
nss_hosts            ou=Hosts,dc=cvucluster,dc=localdomain?one
pam_password         exop

# if this is the /etc/ldap.conf that is local to the server,
# i.e not a client machine then
# the following can stay commented, else uncomment
#ssl start_tls
#ssl on
#suffix  "dc=cvucluster,dc=localdomain"

/etc/conf.d/slapd

Code: Select all

#OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

/etc/pam.d/system-auth

Code: Select all

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_ldap.so use_authtok
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_ldap.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=076

/etc/nsswitch.conf

Code: Select all

passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap

hosts:       files dns ldap

and like I said ldapsearch returns results from the ldap server whereas getent does not.

And finally, I emerged openldap pam_ldap nss_ldap migrationtools with these USE flags:

Code: Select all

USE="-kde -gnome pam -qt -qtmt -quicktime tcpd -X php mysql openssl f77 ldap ssh tls ssl crpyt "

Any clues? Thanks in advance!!

-Sky

[Skywacker]

I changed the logging level to 2048 and now see this in /var/log/messages when I try to ssh in:

pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 20 11:55:54 b2 sshd[20486]: Accepted keyboard-interactive/pam for root from 192.168.0.1 port 9978 ssh2
Aug 20 11:55:54 b2 sshd(pam_unix)[20491]: session opened for user root by root(uid=0)

[weyhan]

/etc/ldap.conf

Code: Select all

host                 127.0.0.1
...
URI                     ldap://b2.cvucluster.localdomain
...

Here is your problem. You only need one of the above.