List: pamldap
Subject: Re: [pamldap] Issues while authenticating a user over openLDAP using PAM_ldap
From: Patrick Dung <patrick_dkt () yahoo ! com ! hk>
Date: 2007-08-10 3:08:31
Message-ID: 429118.72124.qm () web54301 ! mail ! re2 ! yahoo ! com
--- Noah <admin2@enabled.com> wrote:
> running FreeBSD 6.2 Stable
>
> we have openLDAP installed on a server called access1. Users on access1
> appear to not be able to ssh to access1. The ssh authentication method
> uses PAM ldap. PAM_ldap reports "Invalid credentials" in /var/log/messages
>
> We have another server called access2 that authenticates to the ldap
> server running on access1. Those users log in via ssh without issue on
> access2.
>
> I am trying to track down what is broken. I am not even sure how to
> receive verbose logging from PAM and/or PAM_ldap. Any assistance is
> much appreciated.
>
> Aug 9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)
>
> related rc.conf lines on access1:
> slapd_enable="YES"
> slapd_flags='-h "ldapi:///var/run/openldap/ldapi/ ldap://0.0.0.0/" -f /usr/local/etc/openldap/slapd.conf'
> slapd_sockets="/var/run/openldap/ldapi"
> sshd_enable="YES"
> sshd_program="/usr/local/sbin/sshd"
>
> access1# cat /etc/pam.d/ldap
> # debug
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> debug
> # debug
> # PAM configuration for the "sshd" service debug
> # debug
>
> # auth debug
>
> auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass debug
> auth required pam_nologin.so no_warn debug
> auth sufficient pam_opie.so no_warn no_fake_prompts debug
> auth requisite pam_opieaccess.so no_warn allow_local debug
> #auth sufficient pam_krb5.so no_warn try_first_pass debug
> #auth sufficient pam_ssh.so no_warn try_first_pass debug
> auth required pam_unix.so no_warn try_first_pass debug
>
> # account debug
> #account required pam_krb5.so debug
> account required pam_login_access.so debug
> account required pam_unix.so debug
>
> # session debug
> #session optional pam_ssh.so debug
> session required /usr/local/lib/pam_mkhomedir.so
> #session required /usr/local/lib/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug
> session required pam_permit.so debug
>
> # password debug
> #password sufficient pam_krb5.so no_warn try_first_pass debug
> password required pam_unix.so no_warn try_first_pass debug
>
> access1
> [noah@access1 ~]$ pkg_info | grep pam
> checkpassword-pam-0.99 Implementation of checkpassword authentication program
> nagios-spamd-plugin-1.4 Nagios plugin for checking SpamAssassins spamd
> p5-Mail-SpamAssassin-3.2.1_1 A highly efficient mail filter for identifying spam
> pam_ldap-1.8.2 A pam module for authenticating with LDAP
> pam_mkhomedir-0.1 Create HOME with a PAM module on demand
> pamtester-0.1.2 A command line pam authentication tester
> razor-agents-2.84 A distributed, collaborative, spam detection and filtering
> [noah@access1 ~]$ pkg_info | grep ldap
> ldapsh-2.00_2,1 Interactive shell used to administer ldap directories
> nss_ldap-1.255 RFC 2307 NSS module
> openldap-client-2.3.37 Open source LDAP client implementation
> openldap-server-2.3.37 Open source LDAP server implementation
> p5-perl-ldap-0.34 A Client interface to LDAP servers
> pam_ldap-1.8.2 A pam module for authenticating with LDAP
> php5-ldap-5.2.3_1 The ldap shared extension for php
> [noah@access1 ~]$ pkg_info | grep nss
> nss-3.11.7 Libraries to support development of security-enabled applic
> nss_ldap-1.255 RFC 2307 NSS module
> openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
> openssl-0.9.8e_1 SSL and crypto library
> php5-openssl-5.2.3_1 The openssl shared extension for php
> py25-openssl-0.6 Python interface to the OpenSSL library
> [noah@access1 ~]$
>
> access2 files
> [noah@access2 ~]$ pkg_info | grep pam
> pam_ldap-1.8.2 A pam module for authenticating with LDAP
> pam_mkhomedir-0.1 Create HOME with a PAM module on demand
> pamtester-0.1.2 A command line pam authentication tester
> [noah@access2 ~]$ pkg_info | grep ldap
> nss_ldap-1.255 RFC 2307 NSS module
> openldap-client-2.3.37 Open source LDAP client implementation
> openldap-server-2.3.37 Open source LDAP server implementation
> pam_ldap-1.8.2 A pam module for authenticating with LDAP
> [noah@access2 ~]$ pkg_info | grep nss
> nss_ldap-1.255 RFC 2307 NSS module
> openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
> [noah@access2 ~]$
>
Hello,

Aug 9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)

I think pam_ldap (acting as a client) is trying to bind to the ldap server, but it has a credentials problem.

Please check first that the binddn username/password used by pam_ldap is able to bind to the ldap server (you can use ldapsearch to try).

Regards
Patrick
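The check Patrick recommends, written out as an added example that is not part of this thread: a POSIX shell script that performs the same simple bind pam_ldap attempts, first with the binddn/bindpw from pam_ldap's ldap.conf and then as the user DN from the log line, and maps the ldapsearch exit status to a diagnosis. It assumes the FreeBSD port's /usr/local/etc/ldap.conf path, the URIs from the rc.conf above, and a PAM service name of sshd; TESTUSER is a placeholder uid.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the simple bind that pam_ldap
# performs, so a failure can be isolated from sshd/PAM. Assumed: pam_ldap reads
# /usr/local/etc/ldap.conf (FreeBSD port default) and slapd listens on the URIs
# given in rc.conf above; TESTUSER is a placeholder uid, not from the thread.
LDAP_CONF=${LDAP_CONF:-/usr/local/etc/ldap.conf}
URI=${URI:-ldap://access1/}            # or ldapi:///var/run/openldap/ldapi/ locally
BASE=${BASE:-dc=blah,dc=blah,dc=com}   # suffix seen in the failing bind DN
PAM_SERVICE=${PAM_SERVICE:-sshd}       # service name sshd asks PAM for
TESTUSER=${TESTUSER:-testuser}

# ldapsearch exits with the LDAP result code (-1, "can't contact", becomes 255).
# Pure function: maps that status to what it means for this bind.
diagnose_bind() {
    case "$1" in
        0)   echo "bind ok" ;;
        49)  echo "invalidCredentials: wrong password for this DN, or the entry has no userPassword" ;;
        32)  echo "noSuchObject: DN does not exist (check cn=people vs ou=people and the suffix)" ;;
        50)  echo "insufficientAccess: bind worked but ACLs deny reading the entry" ;;
        13)  echo "confidentialityRequired: server requires TLS before a simple bind" ;;
        255) echo "cannot contact server: check the -h URIs in slapd_flags and any firewall" ;;
        *)   echo "unexpected ldapsearch status $1" ;;
    esac
}

# Pull a key's value (e.g. binddn, bindpw) out of an ldap.conf-style file.
conf_value() {
    awk -v k="$1" 'tolower($1)==k { $1=""; sub(/^ +/, ""); print; exit }' "$2" 2>/dev/null
}

# Simple bind as DN $1 with password $2; prints the diagnosis.
try_bind() {
    ldapsearch -x -H "$URI" -D "$1" -w "$2" -b "$BASE" -s base 1.1 >/dev/null 2>&1
    diagnose_bind $?
}

if [ "${1:-}" = "--run" ]; then
    # 1. the service account pam_ldap binds with to look users up
    echo "binddn: $(try_bind "$(conf_value binddn "$LDAP_CONF")" "$(conf_value bindpw "$LDAP_CONF")")"
    # 2. the user DN that failed in /var/log/messages, using the real password
    printf 'password for Test User: '; stty -echo; read -r PW; stty echo; echo
    echo "user dn: $(try_bind "cn=Test User,cn=people,$BASE" "$PW")"
    # 3. the same login through the PAM stack, which is what sshd actually does
    pamtester -v "$PAM_SERVICE" "$TESTUSER" authenticate
fi
```

Run it as `sh bindcheck.sh --run` on access1; if step 1 already reports invalidCredentials, the binddn/bindpw in ldap.conf is what needs fixing before looking at the PAM stack.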