
List:       pamldap
Subject:    Re: [pamldap] Issues while authenticating a user over openLDAP using PAM_ldap
From:       Patrick Dung <patrick_dkt () yahoo ! com ! hk>
Date:       2007-08-10 3:08:31
Message-ID: 429118.72124.qm () web54301 ! mail ! re2 ! yahoo ! com

--- Noah <admin2@enabled.com> wrote:

> running FreeBSD 6.2 Stable
> 
> we have openLDAP installed on a server called access1.  Users on access1 appear to not be able to ssh to access1.  The ssh authentication method uses PAM ldap.  PAM_ldap reports "Invalid credentials" in /var/log/messages
> 
> We have another server called access2 that authenticates to the ldap server running on access1.  Those users log in via ssh without issue on access2.
> 
> I am trying to track down what is broken.  I am not even sure how to receive verbose logging from PAM and/or PAM_ldap.  Any assistance is much appreciated.
> 
> Aug  9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)
> 
> related rc.conf lines on access1:
> slapd_enable="YES"
> slapd_flags='-h "ldapi:///var/run/openldap/ldapi/ ldap://0.0.0.0/" -f /usr/local/etc/openldap/slapd.conf'
> slapd_sockets="/var/run/openldap/ldapi"
> sshd_enable="YES"
> sshd_program="/usr/local/sbin/sshd"
> 
> 
> access1# cat /etc/pam.d/ldap
> # debug
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> debug
> # debug
> # PAM configuration for the "sshd" service debug
> # debug
> 
> # auth debug
> 
> auth            sufficient      /usr/local/lib/pam_ldap.so     no_warn try_first_pass debug
> auth            required        pam_nologin.so          no_warn debug
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts debug
> auth            requisite       pam_opieaccess.so       no_warn allow_local debug
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass debug
> #auth           sufficient      pam_ssh.so              no_warn try_first_pass debug
> auth            required        pam_unix.so             no_warn try_first_pass debug
> 
> # account debug
> #account        required        pam_krb5.so debug
> account         required        pam_login_access.so debug
> account         required        pam_unix.so debug
> 
> # session debug
> #session        optional        pam_ssh.so debug
> session         required        /usr/local/lib/pam_mkhomedir.so
> #session         required        /usr/local/lib/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug
> session         required        pam_permit.so debug
> 
> # password debug
> #password       sufficient      pam_krb5.so             no_warn try_first_pass debug
> password        required        pam_unix.so             no_warn try_first_pass debug
> 
> 
> access1
> [noah@access1 ~]$ pkg_info | grep pam
> checkpassword-pam-0.99 Implementation of checkpassword authentication program
> nagios-spamd-plugin-1.4 Nagios plugin for checking SpamAssassins spamd
> p5-Mail-SpamAssassin-3.2.1_1 A highly efficient mail filter for identifying spam
> pam_ldap-1.8.2      A pam module for authenticating with LDAP
> pam_mkhomedir-0.1   Create HOME with a PAM module on demand
> pamtester-0.1.2     A command line pam authentication tester
> razor-agents-2.84   A distributed, collaborative, spam detection and filtering
> [noah@access1 ~]$ pkg_info | grep ldap
> ldapsh-2.00_2,1     Interactive shell used to administer ldap directories
> nss_ldap-1.255      RFC 2307 NSS module
> openldap-client-2.3.37 Open source LDAP client implementation
> openldap-server-2.3.37 Open source LDAP server implementation
> p5-perl-ldap-0.34   A Client interface to LDAP servers
> pam_ldap-1.8.2      A pam module for authenticating with LDAP
> php5-ldap-5.2.3_1   The ldap shared extension for php
> [noah@access1 ~]$ pkg_info | grep nss
> nss-3.11.7          Libraries to support development of security-enabled applic
> nss_ldap-1.255      RFC 2307 NSS module
> openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
> openssl-0.9.8e_1    SSL and crypto library
> php5-openssl-5.2.3_1 The openssl shared extension for php
> py25-openssl-0.6    Python interface to the OpenSSL library
> [noah@access1 ~]$
> 
> 
> access2 files
> [noah@access2 ~]$ pkg_info | grep pam
> pam_ldap-1.8.2      A pam module for authenticating with LDAP
> pam_mkhomedir-0.1   Create HOME with a PAM module on demand
> pamtester-0.1.2     A command line pam authentication tester
> [noah@access2 ~]$ pkg_info | grep ldap
> nss_ldap-1.255      RFC 2307 NSS module
> openldap-client-2.3.37 Open source LDAP client implementation
> openldap-server-2.3.37 Open source LDAP server implementation
> pam_ldap-1.8.2      A pam module for authenticating with LDAP
> [noah@access2 ~]$ pkg_info | grep nss
> nss_ldap-1.255      RFC 2307 NSS module
> openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
> [noah@access2 ~]$
> 
> 
> 

Hello

Aug  9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)

I think pam_ldap (acting as a client) is trying to bind to the ldap
server, but it has a credentials problem.
Please check first that the binddn username/password used by pam_ldap is
able to bind to the ldap server (you can use ldapsearch to try).

Regards
Patrick
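The check Patrick suggests, replaying the bind pam_ldap performs with ldapsearch, as an added example script that is not part of this thread. It assumes the FreeBSD port's /usr/local/etc/ldap.conf layout (uri/host, base, binddn, bindpw keys) and an installed ldapsearch from openldap-client; the optional argument is a DN such as the one in Noah's sshd log, which replays the per-user bind instead of the binddn one.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the bind that pam_ldap
# does, outside PAM, so "Invalid credentials" can be isolated to the LDAP side.
# Assumptions: pam_ldap reads /usr/local/etc/ldap.conf (FreeBSD port default)
# with 'uri'/'host', 'base', 'binddn', 'bindpw' keys; ldapsearch is installed.

CONF="${LDAP_CONF:-/usr/local/etc/ldap.conf}"

# Value of key $2 in ldap.conf $1: key match is case-insensitive, comment
# lines are skipped, and the value may contain spaces (e.g. "cn=Test User,...").
conf_get() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == key {
        sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# URI pam_ldap would connect to: 'uri' if set, otherwise ldap://host/.
bind_uri() {
    uri=$(conf_get "$1" uri)
    [ -n "$uri" ] && { echo "$uri"; return; }
    host=$(conf_get "$1" host)
    echo "ldap://${host:-localhost}/"
}

# Simple bind as DN $2 (default: the configured binddn) against the server
# named in ldap.conf $1, then read the base entry. Passing a user DN (the one
# from the sshd log) replays the per-user bind and prompts for that password.
check_bind() {
    conf="$1"; dn="${2:-$(conf_get "$conf" binddn)}"
    base=$(conf_get "$conf" base)
    if [ -n "$2" ]; then
        ldapsearch -x -H "$(bind_uri "$conf")" -b "$base" -s base -D "$dn" -W dn
    else
        # bindpw from the config goes through a 0600 temp file (-y) so the
        # password is not visible in 'ps' output; -y uses the file verbatim,
        # so write it without a trailing newline.
        pwfile=$(umask 077; mktemp) || return 1
        printf '%s' "$(conf_get "$conf" bindpw)" >"$pwfile"
        ldapsearch -x -H "$(bind_uri "$conf")" -b "$base" -s base -D "$dn" -y "$pwfile" dn
        rc=$?; rm -f "$pwfile"; return $rc
    fi
}

# Usage: ./ldapbindcheck.sh            (tests the binddn/bindpw from ldap.conf)
#        ./ldapbindcheck.sh "cn=Test User,cn=people,dc=blah,dc=blah,dc=com"
if [ $# -gt 0 ]; then check_bind "$CONF" "$@"; fi
```

A non-zero exit from ldapsearch with "Invalid credentials" (err 49) here means the DN or password pam_ldap is using is wrong on the server, not a PAM stacking problem.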




