List: pamldap
Subject: [pamldap] Sign into chat Offline Alfredo Aguirre Offline Alvaro Mart
From: quiqueldap <enriqueoctavio () gmail ! com>
Date: 2012-10-05 19:18:37
Message-ID: 34519029.post () talk ! nabble ! com
Hi pam_ldap guys:
I have a strange problem here related to Centos5.7 and Centos5.8 behaving
differently (with the same configuration) when authenticating against AD.
I have the same "ldap-related software" installed on both boxes (nss_ldap,
openldap and openldap-clients), and I also have the same ldap-related
configuration on both boxes (/etc/nsswitch.conf,
/etc/openldap/ldap.conf, /etc/pam.d/system-auth-ac, /etc/nscd.conf,
/etc/sysconfig/authconfig, and /etc/ldap.conf). These configuration files are
managed by puppet, so I can be completely sure that the configuration on both
hosts is the same.
I'm able to log into the Centos5.7 box without problems, and the LDAP
authentication dialogue for a successful login attempt for my user
eecheverria is as follows (the complete dialogue is at the end of the mail).
Basically, the ldap client asks for the following attributes:
AttributeDescription: sAMAccountName
AttributeDescription: userPassword
AttributeDescription: uidNumber
AttributeDescription: gidNumber
AttributeDescription: cn
AttributeDescription: unixHomeDirectory
AttributeDescription: loginShell
AttributeDescription: gecos
AttributeDescription: description
AttributeDescription: objectClass
The AD server provides a subset of this attribute list:
PartialAttributeList item objectClass
PartialAttributeList item cn
PartialAttributeList item sAMAccountName
PartialAttributeList item uidNumber
PartialAttributeList item gidNumber
PartialAttributeList item unixHomeDirectory
PartialAttributeList item loginShell
After that the ldap client performs another search with 0 attributes
requested, and the AD server provides all 37 attributes it has defined for that
user:
PartialAttributeList item objectClass
PartialAttributeList item cn
PartialAttributeList item sn
PartialAttributeList item givenName
PartialAttributeList item distinguishedName
PartialAttributeList item instanceType
PartialAttributeList item whenCreated
PartialAttributeList item whenChanged
PartialAttributeList item displayName
PartialAttributeList item uSNCreated
PartialAttributeList item memberOf
PartialAttributeList item uSNChanged
PartialAttributeList item name
PartialAttributeList item objectGUID
PartialAttributeList item userAccountControl
PartialAttributeList item badPwdCount
PartialAttributeList item codePage
PartialAttributeList item countryCode
PartialAttributeList item badPasswordTime
PartialAttributeList item lastLogoff
PartialAttributeList item lastLogon
PartialAttributeList item pwdLastSet
PartialAttributeList item primaryGroupID
PartialAttributeList item objectSid
PartialAttributeList item accountExpires
PartialAttributeList item logonCount
PartialAttributeList item sAMAccountName
PartialAttributeList item sAMAccountType
PartialAttributeList item userPrincipalName
PartialAttributeList item objectCategory
PartialAttributeList item dSCorePropagationData
PartialAttributeList item lastLogonTimestamp
PartialAttributeList item mail
PartialAttributeList item uidNumber
PartialAttributeList item gidNumber
PartialAttributeList item unixHomeDirectory
PartialAttributeList item loginShell
After that, the ldap client binds as the eecheverria user, the bind request
succeeds, and so auth succeeds and I am able to log into the box.
On Centos5.8 I have a completely different behavior (complete dialogue at the
end of the mail):
The ldap client starts by asking for the same set of attributes as the Centos5.7
one:
AttributeDescription: sAMAccountName
AttributeDescription: userPassword
AttributeDescription: uidNumber
AttributeDescription: gidNumber
AttributeDescription: cn
AttributeDescription: unixHomeDirectory
AttributeDescription: loginShell
AttributeDescription: gecos
AttributeDescription: description
AttributeDescription: objectClass
The AD server provides the same subset of that attribute list that it provided
to the same searchRequest for Centos5.7:
PartialAttributeList item objectClass
PartialAttributeList item cn
PartialAttributeList item sAMAccountName
PartialAttributeList item uidNumber
PartialAttributeList item gidNumber
PartialAttributeList item unixHomeDirectory
PartialAttributeList item loginShell
HERE COMES THE DIFFERENCE IN BEHAVIOR BETWEEN CENTOS5.7 AND CENTOS5.8!!!
The ldap client, instead of performing a search with 0 attributes (as Centos5.7
did), performs a new searchRequest with the following 9 attributes:
AttributeDescription: sAMAccountName
AttributeDescription: userPassword
AttributeDescription: pwdLastSet
AttributeDescription: shadowMax
AttributeDescription: shadowMin
AttributeDescription: shadowWarning
AttributeDescription: shadowInactive
AttributeDescription: accountExpires
AttributeDescription: shadowFlag
The AD server responds with only 3 of the requested attributes:
PartialAttributeList item pwdLastSet
PartialAttributeList item sAMAccountName
PartialAttributeList item accountExpires
This last searchRequest/searchResEntry pair is repeated 3 more times, and
nothing more happens.
So, my questions are:
1.- What can force the Centos5.8 ldap client to ask for this set of
attributes that Centos5.7 didn't care about (sAMAccountName, userPassword,
pwdLastSet, shadowMax, shadowMin, shadowWarning, shadowInactive,
accountExpires, shadowFlag)?
2.- Is there any way of configuring the ldap client (I believe it's
pam_ldap) as to which attributes it should care about, or is this determined at
compile time?
3.- How can I configure my Centos5.8 ldap client to authenticate based only
on sAMAccountName and userPassword, take the uidNumber, uid,
gidNumber, loginShell, unixHomeDirectory and sAMAccountName attributes, and just
give me a login shell, as the Centos5.7 ldap client does?
4.- I guess Centos5.8 asking for the (sAMAccountName, userPassword,
pwdLastSet, shadowMax, shadowMin, shadowWarning, shadowInactive,
accountExpires, shadowFlag) attributes is a PAM account-management-type
related issue. I've checked all pam.d files and noticed no difference
between my Centos5.7 and Centos5.8 boxes. Am I in the right direction? Is there
something more I can check?
5.- Might this be a configuration problem, some file I might have
misconfigured somewhere? Or might it be a compilation problem (perhaps the
nss_ldap-253-49.el5 rpms are built differently for Centos5.7 and Centos5.8)?
Obviously I don't expect you to handle/solve problems related to Centos
releases. I just mention the Centos releases involved here in case some of
you have faced something similar in the past. Anyway, despite the Centos
related details, I think this might be a pam_ldap related issue, and that's
why I'm asking on this list.
Hope that someone can help me with this. Thanks in advance, regards: Enrique
Echeverria
ADDITIONAL INFORMATION:
######################
########################### authconfig ###########################
- I ran authconfig on both hosts, taking care that Centos5.8 had the same
configuration as Centos5.7, and nothing changed. Notice that anyway the
/etc/sysconfig/authconfig, /etc/ldap.conf, /etc/openldap/ldap.conf,
/etc/nsswitch.conf, /etc/pam.d/system-auth and /etc/pam.d/system-auth-ac
files are already distributed by puppet and thus the same on both boxes.
################### Software installed on each box ##################
On the Centos5.7 box I've installed (ldap related):
nss_ldap-253-49.el5
openldap-2.3.43-25.el5_8.1
python-ldap-2.2.0-2.1
ldapjdk-4.18-2jpp.3.el5
openldap-clients-2.3.43-25.el5_8.1
On the Centos5.8 box I've installed (ldap related):
openldap-2.3.43-25.el5_8.1
openldap-clients-2.3.43-25.el5_8.1
nss_ldap-253-49.el5
################## Configuration files managed by puppet on both boxes (so the files have the same content on both boxes) ##################
/etc/nsswitch.conf
/etc/openldap/ldap.conf
/etc/pam.d/system-auth-ac
/etc/nscd.conf
/etc/sysconfig/authconfig
/etc/ldap.conf
[root@dhcp238 tmp]# cat /etc/nsswitch.conf | grep -v '^#' | grep -v '^$'
passwd: files ldap [NOTFOUND=return]
shadow: files ldap
group: files ldap [NOTFOUND=return]
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
[root@dhcp238 tmp]#
[root@dhcp238 tmp]# cat /etc/openldap/ldap.conf | grep -v '^#' | grep -v '^$'
SIZELIMIT 12
TIMELIMIT 15
REFERRALS off
uri ldap://ad01.company.lan/
BASE dc=company,dc=lan
TLS_CACERTDIR /etc/openldap/cacerts
[root@dhcp238 tmp]#
[root@dhcp238 tmp]# cat /etc/pam.d/system-auth-ac | grep -v '^#' | grep -v '^$'
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
[root@dhcp238 tmp]#
[root@dhcp238 tmp]# cat /etc/nscd.conf | grep -v '^#' | grep -v '^$'
server-user nscd
debug-level 0
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
enable-cache hosts yes
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
[root@dhcp238 tmp]#
[root@dhcp238 tmp]# cat /etc/sysconfig/authconfig | grep -v '^#' | grep -v '^$'
USEWINBINDAUTH=no
USEKERBEROS=no
USESYSNETAUTH=no
USEPAMACCESS=no
USEMKHOMEDIR=no
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=yes
USEPASSWDQC=no
PASSWDALGORITHM=md5
USEWINBIND=no
USESHADOW=yes
USEDB=no
USEHESIOD=no
USELDAP=yes
USELOCAUTHORIZE=no
USECRACKLIB=yes
USENIS=no
FORCELEGACY=yes
[root@dhcp238 tmp]#
[root@dhcp238 tmp]# cat /etc/ldap.conf | grep -v '^#' | grep -v '^$'
base dc=company,dc=lan
uri ldap://ad01.company.lan/
binddn XXXXXXXX
bindpw XXXXXXXX
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_password ad
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute shadowExpire accountExpires
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_initgroups
pam_groupdn cn=unixadmin,ou=company security groups,dc=company,dc=lan
pam_member_attribute member
sslpath /etc/openldap/cacerts
tls_cacertdir /etc/openldap/cacerts
REFERRALS off
[root@dhcp238 tmp]#
################### CentOS release 5.7 (Final) LDAP AUTH DIALOGUE ##################
- protocolOp: bindRequest (0)
- protocolOp: bindResponse (1)
- protocolOp: searchRequest (3)
baseObject: dc=company,dc=lan
scope: wholeSubtree (2)
Filter: (&(objectClass=user)(sAMAccountName=eecheverria))
attributes: 10 items
AttributeDescription: sAMAccountName
AttributeDescription: userPassword
AttributeDescription: uidNumber
AttributeDescription: gidNumber
AttributeDescription: cn
AttributeDescription: unixHomeDirectory
AttributeDescription: loginShell
AttributeDescription: gecos
AttributeDescription: description
AttributeDescription: objectClass
- protocolOp: searchResEntry (4)
objectName: CN=Enrique Echeverr\303\255a,OU=company Users,DC=company,DC=lan
PartialAttributeList item objectClass
PartialAttributeList item cn
PartialAttributeList item sAMAccountName
PartialAttributeList item uidNumber
PartialAttributeList item gidNumber
PartialAttributeList item unixHomeDirectory
PartialAttributeList item loginShell
- protocolOp: bindRequest (0)
- protocolOp: bindResponse (1)
- protocolOp: searchRequest (3)
baseObject: dc=company,dc=lan
scope: wholeSubtree (2)
Filter: (&(&(objectclass=User)(objectclass=User))(sAMAccountName=eecheverria))
attributes: 0 items
-protocolOp: searchResEntry (4)
objectName: CN=Enrique Echeverr\303\255a,OU=company Users,DC=company,DC=lan
PartialAttributeList item objectClass
PartialAttributeList item cn
PartialAttributeList item sn
PartialAttributeList item givenName
PartialAttributeList item distinguishedName
PartialAttributeList item instanceType
PartialAttributeList item whenCreated
PartialAttributeList item whenChanged
PartialAttributeList item displayName
PartialAttributeList item uSNCreated
PartialAttributeList item memberOf
PartialAttributeList item uSNChanged
PartialAttributeList item name
PartialAttributeList item objectGUID
PartialAttributeList item userAccountControl
PartialAttributeList item badPwdCount
PartialAttributeList item codePage
PartialAttributeList item countryCode
PartialAttributeList item badPasswordTime
PartialAttributeList item lastLogoff
PartialAttributeList item lastLogon
PartialAttributeList item pwdLastSet
PartialAttributeList item primaryGroupID
PartialAttributeList item objectSid
PartialAttributeList item accountExpires
PartialAttributeList item logonCount
PartialAttributeList item sAMAccountName
PartialAttributeList item sAMAccountType
PartialAttributeList item userPrincipalName
PartialAttributeList item objectCategory
PartialAttributeList item dSCorePropagationData
PartialAttributeList item lastLogonTimestamp
PartialAttributeList item mail
PartialAttributeList item uidNumber
PartialAttributeList item gidNumber
PartialAttributeList item unixHomeDirectory
PartialAttributeList item loginShell
- protocolOp: bindRequest (0)
name: CN=Enrique Echeverr\303\255a,OU=company Users,DC=company,DC=lan
authentication: simple (0)
- protocolOp: bindResponse (1)
resultCode: success (0)
######################### CentOS release 5.8 (Final) LDAP AUTH DIALOGUE ######################
- protocolOp: searchRequest (3)
baseObject: dc=company,dc=lan
scope: wholeSubtree (2)
Filter: (&(objectClass=user)(sAMAccountName=eecheverria))
attributes: 10 items
AttributeDescription: sAMAccountName
AttributeDescription: userPassword
AttributeDescription: uidNumber
AttributeDescription: gidNumber
AttributeDescription: cn
AttributeDescription: unixHomeDirectory
AttributeDescription: loginShell
AttributeDescription: gecos
AttributeDescription: description
AttributeDescription: objectClass
- protocolOp: searchResEntry (4)
objectName: CN=Enrique Echeverr\303\255a,OU=company Users,DC=company,DC=lan
PartialAttributeList item objectClass
PartialAttributeList item cn
PartialAttributeList item sAMAccountName
PartialAttributeList item uidNumber
PartialAttributeList item gidNumber
PartialAttributeList item loginShell
- protocolOp: bindRequest (0)
- protocolOp: bindResponse (1)
- protocolOp: searchRequest (3)
baseObject: dc=company,dc=lan
scope: wholeSubtree (2)
Filter: (&(objectClass=user)(sAMAccountName=eecheverria))
AttributeDescription: sAMAccountName
AttributeDescription: userPassword
AttributeDescription: pwdLastSet
AttributeDescription: shadowMax
AttributeDescription: shadowMin
AttributeDescription: shadowWarning
AttributeDescription: shadowInactive
AttributeDescription: accountExpires
AttributeDescription: shadowFlag
- protocolOp: searchResEntry (4)
objectName: CN=Enrique Echeverr\303\255a,OU=company Users,DC=company,DC=lan
PartialAttributeList item pwdLastSet
PartialAttributeList item sAMAccountName
PartialAttributeList item accountExpires
The last two protocolOps are repeated 3 more times, and nothing more happens.
--
View this message in context: http://old.nabble.com/Sign-into-chat-Offline%09Alfredo-Aguirre-Offline%09Alvaro-Mart%C3%ADnez-Google-Talk-Offline%09Ana-Mar%C3%ADa-Stefanutti-Google-Talk-Offline%09Enrique-Echeverria-Padre-Offline%09Francisco-Ruffolo-Offline%09Gaston-Larzabal-Offline%09Henry-Coubrough-Offline%09Javier-Borca-Offline%09Pablo-Hoffman-GoogleTalk-Offline%09Sebastian-Iglesias-%28Gmail%29---------Move-to-Inbox-----More---1-of-801---Why-this-ad--cPanelDirect-Licensing---cPanelDirect.net---Choose-cPanel%2C-Ksplice-and-more-API-Ready.-Free-Support-%2B-Install-pam_ldap-searchRequest%27s-attributes%3A-pwdLastSet%2C-shadowMax%2C-shadowMin%2C-shadowWarning%2C-shadowInactive%2C-accountExpires%2C-shadowFlag-tp34519029p34519029.html
Sent from the PAM LDAP mailing list archive at Nabble.com.
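Editor's note, added after the post above and not part of Enrique's mail or of the pam_ldap/nss_ldap projects: the two captured dialogues and the posted /etc/ldap.conf can be checked mechanically rather than by eye. The script below does two things. parse_dialogue() pulls, from a text dump in the shape shown at the end of the mail, the attribute list each searchRequest asked for and the attributes the server actually returned, so the Centos5.7 and Centos5.8 exchanges can be diffed and the attributes AD declined to return (userPassword is never readable, the shadowMax/shadowMin/shadowWarning/shadowInactive/shadowFlag attributes do not exist on the AD user) listed per request. mapped_shadow_attributes() applies the nss_map_attribute lines of the posted /etc/ldap.conf to the RFC 2307 shadowAccount attribute names; the result is exactly the nine-attribute list in the Centos5.8 client's second searchRequest (uid -> sAMAccountName, shadowLastChange -> pwdLastSet, shadowExpire -> accountExpires), i.e. that request is a shadowAccount (password-ageing) lookup as it looks on the wire after the map is applied. The sample dialogue and conf text are constructed from the post (abridged); the attribute order in SHADOW_ATTRS is an assumption taken from the captured request.

```python
"""Added example, not code from the original post: diff captured pam_ldap/nss_ldap
searchRequests and reproduce the shadowAccount attribute list after mapping."""

# Constructed sample: the CentOS 5.8 dialogue from the post, abridged.
DIALOGUE_58 = """\
- protocolOp: searchRequest (3)
Filter: (&(objectClass=user)(sAMAccountName=eecheverria))
AttributeDescription: sAMAccountName
AttributeDescription: userPassword
AttributeDescription: uidNumber
AttributeDescription: gidNumber
AttributeDescription: cn
AttributeDescription: unixHomeDirectory
AttributeDescription: loginShell
AttributeDescription: gecos
AttributeDescription: description
AttributeDescription: objectClass
- protocolOp: searchResEntry (4)
PartialAttributeList item objectClass
PartialAttributeList item cn
PartialAttributeList item sAMAccountName
PartialAttributeList item uidNumber
PartialAttributeList item gidNumber
PartialAttributeList item loginShell
- protocolOp: bindRequest (0)
- protocolOp: bindResponse (1)
- protocolOp: searchRequest (3)
Filter: (&(objectClass=user)(sAMAccountName=eecheverria))
AttributeDescription: sAMAccountName
AttributeDescription: userPassword
AttributeDescription: pwdLastSet
AttributeDescription: shadowMax
AttributeDescription: shadowMin
AttributeDescription: shadowWarning
AttributeDescription: shadowInactive
AttributeDescription: accountExpires
AttributeDescription: shadowFlag
- protocolOp: searchResEntry (4)
PartialAttributeList item pwdLastSet
PartialAttributeList item sAMAccountName
PartialAttributeList item accountExpires
"""

# Constructed sample: the attribute-map lines from the posted /etc/ldap.conf.
LDAP_CONF = """\
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute shadowExpire accountExpires
nss_map_attribute uniqueMember member
"""

# RFC 2307 shadowAccount attribute names. The order is an assumption taken
# from the order in which the captured Centos5.8 request lists them.
SHADOW_ATTRS = ["uid", "userPassword", "shadowLastChange", "shadowMax", "shadowMin",
                "shadowWarning", "shadowInactive", "shadowExpire", "shadowFlag"]


def parse_attribute_map(conf_text):
    """'nss_map_attribute <rfc2307 name> <directory name>' lines -> dict."""
    mapping = {}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "nss_map_attribute":
            mapping[parts[1]] = parts[2]
    return mapping


def mapped_shadow_attributes(conf_text):
    """The shadowAccount attribute list as the client sends it after mapping."""
    amap = parse_attribute_map(conf_text)
    return [amap.get(attr, attr) for attr in SHADOW_ATTRS]


def parse_dialogue(text):
    """One dict per searchRequest: attributes requested and attributes returned.
    Result entries are attached to the most recent searchRequest; bind
    operations and Filter lines are ignored."""
    ops = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lstrip("- ").startswith("protocolOp: searchRequest"):
            current = {"requested": [], "returned": []}
            ops.append(current)
        elif current is None:
            continue
        elif line.startswith("AttributeDescription:"):
            current["requested"].append(line.split(":", 1)[1].strip())
        elif line.startswith("PartialAttributeList item"):
            current["returned"].append(line.split("item", 1)[1].strip())
    return ops


def missing_attributes(op):
    """Requested attributes the server did not return (absent or not readable)."""
    return [a for a in op["requested"] if a not in op["returned"]]


if __name__ == "__main__":
    ops = parse_dialogue(DIALOGUE_58)
    for i, op in enumerate(ops, 1):
        print(f"searchRequest {i}: requested {len(op['requested'])}, "
              f"returned {len(op['returned'])}, missing {missing_attributes(op)}")
    print("shadow set after ldap.conf mapping:", mapped_shadow_attributes(LDAP_CONF))
    print("second request is the mapped shadow set:",
          ops[1]["requested"] == mapped_shadow_attributes(LDAP_CONF))
```

Feeding the Centos5.7 dump to parse_dialogue() instead gives a second request with an empty requested list (the "attributes: 0 items" fetch), which is the cleanest way to state the difference between the two hosts. The script does not tell you which component issued the shadow lookup or why only one release does it; it only shows that the attribute names on the wire are the mapped shadowAccount names, so an ldap.conf that maps shadowAccount and its attributes is where that request gets its shape.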