
List:       pamldap
Subject:    Re: [pamldap] getting password but still cant pop
From:       Jim Lang <jim () guscreek ! com>
Date:       2001-01-09 22:15:34

one step at a time, I'm getting there.  

My problems with ldap.conf detailed below related to the fact 
that the library was still loaded in memory -- so 
it wasn't rereading ldap.conf -- by stopping and starting the 
name service cache daemon I was able to get it to take 
the changes I put in ldap.conf.

Now, even a normal user can su to a user that exists in ldap but not passwd:

bash-2.03$ su  testuser
Password:
$ id
uid=150(testuser) gid=150
$

So I guess pam_ldap is doing what it should.
If that were what we wanted, I'd be done.  
But we actually won't have these users logging in anyway, 
just using sendmail and pop.  But pop is still doing 
the same thing:

[root@underhill /]# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK POP3 localhost v2000.68 server ready
user testuser
+OK User name accepted, password please
pass pass123
-ERR Bad login
quit
+OK Sayonara
Connection closed by foreign host.


log entries are a little different though:

[08/Jan/2001:13:18:59 -0700] conn=79845 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[08/Jan/2001:13:18:59 -0700] conn=79846 fd=72 slot=72 connection from 12.32.34.2 to 192.168.100.5
[08/Jan/2001:13:18:59 -0700] conn=79846 op=0 BIND dn="" method=128 version=3
[08/Jan/2001:13:18:59 -0700] conn=79846 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Jan/2001:13:18:59 -0700] conn=79846 op=1 SRCH base="o=blackfoot.net" scope=2 filter="(&(objectclass=posixAccount)(uid=testuser))"
[08/Jan/2001:13:18:59 -0700] conn=79846 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[08/Jan/2001:13:18:59 -0700] conn=79845 op=-1 fd=48 closed - B1
[08/Jan/2001:13:18:59 -0700] conn=79847 fd=48 slot=48 connection from 12.32.34.2 to 192.168.100.5
[08/Jan/2001:13:18:59 -0700] conn=79847 op=0 BIND dn="" method=128 version=3
[08/Jan/2001:13:18:59 -0700] conn=79847 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Jan/2001:13:18:59 -0700] conn=79847 op=1 SRCH base="o=blackfoot.net" scope=2 filter="(&(objectclass=shadowAccount)(uid=testuser))"


Although this may not strictly be a pam_ldap issue at this point, does anyone 
here know if I have to build my pop daemon (U of W) with a special 
EXTRAAUTHENTICATORS setting?  If so, what should it be?  Their docs don't 
mention ldap at all...



tia 

Jim








At 02:04 PM 1/7/01 -0700, Jim Lang wrote:
> I was sure these shadowAccount attribs would solve my problem, but 
> alas, no.  Details below, and thanks for your 
> continued help and advice.
> 
> At 08:55 PM 1/6/01 +1100, you wrote:
> > Earlier today, Jim Lang wrote:
> > 
> > > Or do I need to set some attributes for shadowAccount? I couldn't tell from
> > > the documentation what they were for, or what I would set them to.
> > 
> > Even though NSS has only a single database view of both the /etc/passwd and
> > /etc/shadow files (called "passwd" - this is the case for Solaris, though I've
> > home-dir    -> homeDirectory
> > login-shell -> loginShell
> > 
> > /etc/shadow   -> shadowAccount
> > username    -> uid
> > password    -> userPassword
> > lastchg     -> shadowLastChange
> > min         -> shadowMin
> > max         -> shadowMax
> > warn        -> shadowWarning
> > inactive    -> shadowInactive
> > expire      -> shadowExpire
> > flag        -> shadowFlag
> > 
> > See the man pages for /etc/passwd and /etc/shadow on your system for more
> > details.  RFC 2307 lists the mandatory/optional attributetypes.
> > 
> 
> 
> OK, I added the shadowAccount attributes:
> 
> 
> [root@ldap bin]# ./ldapsearch -b o=example.net "uid=testuser"
> dn: uid=testuser,o=example.net
> objectclass: top
> objectclass: person
> objectclass: OrganizationalPerson
> objectclass: InetOrgPerson
> objectclass: posixAccount
> objectclass: shadowAccount
> objectclass: mailRecipient
> objectclass: nsLicenseUser
> uid: testuser
> cn: test user
> sn: user
> givenname: test
> uidnumber: 150
> gidnumber: 150
> homedirectory: /
> shadowlastchange: 11250
> shadowmin: 0
> shadowmax: 99999
> shadowwarning: 7
> shadowinactive: -1
> shadowexpire: -1
> shadowflag: 1
> nslicensedfor: mail
> mail: testuser@example.net
> mailhost: mail1.example.net
> 
> same result, though.
> 
> 
> > > +OK User name accepted, password please
> > > pass pass123
> > > -ERR Bad login
> > 
> > Was there any clue in the directory server's logs (such as a user not found
> > error or something)?  The first thing to do when debugging pam_ldap is to use
> > the command line tools (ldapsearch) to perform the same searches the module
> > would perform, to see if they work directly against the directory server.
> > 
> 
> As you can see above, ldapsearch returns what it should - can ldapsearch be used 
> to find the password, though?
> 
> Here are the log entries from the successful pop against the Netscape Messaging Server:
> 
> [06/Jan/2001:12:42:29 -0700] conn=50297 op=0 BIND dn="" method=128 version=2
> [06/Jan/2001:12:42:29 -0700] conn=50297 op=0 RESULT err=0 tag=97 nentries=0 etime=0
> [06/Jan/2001:12:42:29 -0700] conn=50297 op=1 SRCH base="o=example.net" scope=2 filter="(&(uid=testuser)(mailhost=mail1.blackfoot.net))"
> [06/Jan/2001:12:42:29 -0700] conn=50297 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [06/Jan/2001:12:42:29 -0700] conn=50297 op=2 SRCH base="o=example.net" scope=2 filter="(&(uid=testuser)(mailhost=mail1.blackfoot.net))"
> [06/Jan/2001:12:42:29 -0700] conn=50297 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [06/Jan/2001:12:42:29 -0700] conn=50298 fd=43 slot=43 connection from 192.168.100.2 to 192.168.100.5
> [06/Jan/2001:12:42:29 -0700] conn=50298 op=0 BIND dn="" method=128 version=2
> [06/Jan/2001:12:42:29 -0700] conn=50298 op=0 RESULT err=0 tag=97 nentries=0 etime=0
> [06/Jan/2001:12:42:29 -0700] conn=50298 op=1 SRCH base="o=example.net" scope=2 filter="(uid=testuser)"
> [06/Jan/2001:12:42:29 -0700] conn=50298 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [06/Jan/2001:12:42:29 -0700] conn=50298 op=2 BIND dn="uid=testuser,o=example.net" method=128 version=2
> [06/Jan/2001:12:42:29 -0700] conn=50298 op=2 RESULT err=0 tag=97 nentries=0 etime=0
> [06/Jan/2001:12:42:29 -0700] conn=50298 op=3 UNBIND
> [06/Jan/2001:12:42:29 -0700] conn=50298 op=3 fd=43 closed - U1
> 
> Here are the log entries from the unsuccessful pop against localhost:
> 
> [06/Jan/2001:12:43:29 -0700] conn=50407 fd=43 slot=43 connection from 12.32.34.2 to 192.168.100.5
> [06/Jan/2001:12:43:29 -0700] conn=50407 op=0 BIND dn="" method=128 version=3
> [06/Jan/2001:12:43:29 -0700] conn=50407 op=0 RESULT err=0 tag=97 nentries=0 etime=0
> [06/Jan/2001:12:43:29 -0700] conn=50407 op=1 SRCH base="o=example.net" scope=2 filter="(&(objectclass=shadowAccount)(uid=testuser))"
> [06/Jan/2001:12:43:29 -0700] conn=50407 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> (It is because I saw shadowAccount in the log that I put it in ldap.conf)
> 
> Here is the log entry from the successful su:
> 
> [06/Jan/2001:13:10:59 -0700] conn=349 op=242 SRCH base="o=example.net" scope=2 filter="(&(objectclass=posixAccount)(uid=testuser))"
> [06/Jan/2001:13:10:59 -0700] conn=349 op=242 RESULT err=0 tag=101 nentries=1 etime=0
> 
> (I note that here it uses posixAccount - also, it is not a new connection each
> time, but seems to keep a persistent connection open - I don't know the
> significance of that)
> 
> Here is something else that I don't understand - I tried changing ldap.conf
> different ways to see what I would see in the log, and it made no difference --
> /etc/ldap.conf doesn't seem to be being used - I can change the host entry to a
> nonexistent host, or one that is not running ldap, or even delete /etc/ldap.conf
> altogether, and the behavior is exactly the same! I even modified pam_ldap.c
> thusly:
> 
> /*  if (configFile == NULL) */
> configFile = "/etc/ldap.conf";
> 
> before recompiling and reinstalling just to be sure there was no chance it wasn't
> trying to use some other file (also downloaded and used pam_ldap-86) - does
> pam_ldap read it at compile time instead of runtime?
> 
> 
> 
> > > [root@mail2 /]# ldapsearch -b o=example.net "uid=testuser"
> > > uid=testuser,o=example.net
> > 
> > A quick glance says the user object should be fine (though I didn't put any
> > effort into checking the "mailRecipient" or "nsLicenseUser" OC's or
> > attributetypes).
> > 
> > > # Filter to AND with uid=%s
> > > #pam_filter objectclass=shadowAccount
> > 
> > If anything, this one probably makes more sense:
> > 
> > pam_filter objectClass=posixAccount
> > 
> 
> 
> As I said, it doesn't seem to matter what I put in ldap.conf - 
> but I tried it with posixAccount as well to no effect.
> 
> I am including again my current pam.conf and ldap.conf 
> as well.
> 
> Thanks,  Jim
> 
> [root@underhill /]# cat /etc/pam.conf
> #ident  "@(#)pam.conf 1.19     95/11/30 SMI"
> #
> # PAM configuration
> #
> # Authentication management
> #
> login   auth sufficient         /usr/lib/security/pam_unix.so.1
> login   auth sufficient /usr/lib/security/pam_ldap.so.1
> #login  auth required   /usr/lib/security/pam_dial_auth.so.1
> #
> rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
> rlogin  auth required   /usr/lib/security/pam_unix.so.1
> #
> dtlogin auth required   /usr/lib/security/pam_unix.so.1
> #
> rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1
> other   auth sufficient /usr/lib/security/pam_ldap.so.1
> other   auth sufficient /usr/lib/security/pam_unix.so.1
> #
> # Account management
> #
> login   account sufficient      /usr/lib/security/pam_unix.so.1
> login   account sufficient      /usr/lib/security/pam_ldap.so.1
> dtlogin account required        /usr/lib/security/pam_unix.so.1
> #
> other   account sufficient      /usr/lib/security/pam_unix.so.1
> other   account sufficient      /usr/lib/security/pam_ldap.so.1
> #
> # Session management
> #
> other   session sufficient      /usr/lib/security/pam_unix.so.1
> other   session sufficient      /usr/lib/security/pam_ldap.so.1
> #
> # Password management
> #
> other   password sufficient     /usr/lib/security/pam_unix.so.1
> other   password sufficient     /usr/lib/security/pam_ldap.so.1
> 
> [root@underhill /]# cat /etc/ldap.conf
> #
> # $Id: ldap.conf,v 1.9 2000/06/30 00:33:35 lukeh Exp $
> #
> # This is the configuration file for the LDAP nameservice
> # switch library and the LDAP PAM module.
> #
> # To contact the author, mail lukeh@padl.com.
> #
> 
> # Your LDAP server.
> host ldap.example.net
> #host localhost
> 
> # The distinguished name of the search base.
> #base dc=example,dc=net
> base o=example.net
> 
> # Use the V3 protocol to optimize searches
> ldap_version 3
> 
> # Filter to AND with uid=%s
> pam_filter objectclass=posixAccount
> 
> # The user ID attribute (defaults to uid)
> #pam_login_attribute uid
> 
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
> 
> # Group to enforce membership of
> #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
> 
> # Group member attribute
> #pam_member_attribute uniquemember
> 
> # Template login attribute, default template user
> # (can be overriden by value of former attribute
> # in user's entry)
> #pam_login_attribute userPrincipalName
> #pam_template_login_attribute uid
> #pam_template_login nobody
> 
> # Hash password locally; required for University of
> # Michigan LDAP server, and works with Netscape
> # Directory Server if you're using the UNIX-Crypt
> # hash mechanism and not using the NT Synchronization
> # service.
> pam_crypt local
> 
> ________________________________
> Jim Lang            
> Gus Creek Services  http://www.guscreek.com/
> (406)544-4069  
> 
________________________________
Jim Lang            
Gus Creek Services  http://www.guscreek.com/
(406)544-4069  
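The two access-log excerpts in this thread differ in one operation: the failing POP attempt shows only an anonymous simple bind (`BIND dn="" method=128`; 128 is LDAP_AUTH_SIMPLE) followed by a search for `(&(objectclass=shadowAccount)(uid=testuser))`, whereas the successful attempt against the Netscape Messaging Server ends with `BIND dn="uid=testuser,o=example.net"` and `RESULT err=0`. That is easy to spot on a dozen lines and hard on a busy directory log. The following is an added example, not code from the original post or from pam_ldap: it groups Netscape/iPlanet Directory Server access-log lines by connection and reports, per connection, which uids were looked up and whether the directory ever verified a password on it (a non-anonymous BIND whose RESULT carries `err=0`; `err=49` is invalidCredentials). The sample log is constructed from the entries quoted above, and the regular expressions assume the access-log layout shown there.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the access-log entries quoted in the thread:
# conn=79847 is the failing POP attempt (search only), conn=50298 is the
# successful one (search, then BIND as the user's DN).
SAMPLE_LOG = """\
[08/Jan/2001:13:18:59 -0700] conn=79847 fd=48 slot=48 connection from 12.32.34.2 to 192.168.100.5
[08/Jan/2001:13:18:59 -0700] conn=79847 op=0 BIND dn="" method=128 version=3
[08/Jan/2001:13:18:59 -0700] conn=79847 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Jan/2001:13:18:59 -0700] conn=79847 op=1 SRCH base="o=example.net" scope=2 filter="(&(objectclass=shadowAccount)(uid=testuser))"
[08/Jan/2001:13:18:59 -0700] conn=79847 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[06/Jan/2001:12:42:29 -0700] conn=50298 fd=43 slot=43 connection from 192.168.100.2 to 192.168.100.5
[06/Jan/2001:12:42:29 -0700] conn=50298 op=0 BIND dn="" method=128 version=2
[06/Jan/2001:12:42:29 -0700] conn=50298 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[06/Jan/2001:12:42:29 -0700] conn=50298 op=1 SRCH base="o=example.net" scope=2 filter="(uid=testuser)"
[06/Jan/2001:12:42:29 -0700] conn=50298 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[06/Jan/2001:12:42:29 -0700] conn=50298 op=2 BIND dn="uid=testuser,o=example.net" method=128 version=2
[06/Jan/2001:12:42:29 -0700] conn=50298 op=2 RESULT err=0 tag=97 nentries=0 etime=0
[06/Jan/2001:12:42:29 -0700] conn=50298 op=3 UNBIND
[06/Jan/2001:12:42:29 -0700] conn=50298 op=3 fd=43 closed - U1
"""

# Access-log layout as it appears in the thread (assumed for other versions).
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_RE = re.compile(r'^fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^op=(?P<op>\d+) SRCH base="[^"]*" scope=\d+ filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+)')
UID_RE = re.compile(r'\(uid=([^)]+)\)')

BIND_OK = "BIND_OK"            # directory verified the user's password
BIND_FAILED = "BIND_FAILED"    # user BIND attempted, directory rejected it
LOOKUP_ONLY = "LOOKUP_ONLY"    # searches only: the directory never checked a password
NO_ACTIVITY = "NO_ACTIVITY"    # connection opened, no bind or search seen


def parse_connections(log_text):
    """Group BIND / SRCH / RESULT operations by conn= id."""
    conns = defaultdict(lambda: {"client": None, "binds": {}, "searches": [], "results": {}})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an operation line we care about
        c = conns[m.group("conn")]
        rest = m.group("rest")
        mm = CONN_RE.match(rest)
        if mm:
            c["client"] = mm.group("src")
            continue
        mm = BIND_RE.match(rest)
        if mm:
            c["binds"][int(mm.group("op"))] = mm.group("dn")
            continue
        mm = SRCH_RE.match(rest)
        if mm:
            c["searches"].append(mm.group("filter"))
            continue
        mm = RESULT_RE.match(rest)
        if mm:
            c["results"][int(mm.group("op"))] = int(mm.group("err"))
    return dict(conns)


def analyze(log_text):
    """Per connection: client, uids searched for, last user-DN bind and a verdict."""
    report = {}
    for conn_id, c in parse_connections(log_text).items():
        uids = set()
        for flt in c["searches"]:
            uids.update(UID_RE.findall(flt))
        # dn="" is an anonymous bind; only a non-empty DN proves a password check.
        user_binds = [(op, dn) for op, dn in sorted(c["binds"].items()) if dn]
        if user_binds:
            op, bind_dn = user_binds[-1]
            err = c["results"].get(op)
            verdict = BIND_OK if err == 0 else BIND_FAILED
        elif c["searches"]:
            bind_dn, err, verdict = None, None, LOOKUP_ONLY
        else:
            bind_dn, err, verdict = None, None, NO_ACTIVITY
        report[conn_id] = {"client": c["client"], "uids": uids,
                           "user_bind_dn": bind_dn, "bind_err": err, "verdict": verdict}
    return report


if __name__ == "__main__":
    for conn_id, r in analyze(SAMPLE_LOG).items():
        print(f"conn={conn_id} from {r['client']} uids={sorted(r['uids'])} "
              f"bind_dn={r['user_bind_dn']!r} err={r['bind_err']} -> {r['verdict']}")
```

Run against a real access log (`python3 ldaplog.py < access`, after replacing `SAMPLE_LOG` with `sys.stdin.read()`), a `LOOKUP_ONLY` verdict for the POP client's address tells you the daemon resolved the account through the directory but never asked the directory to check the password, so the rejection came from whatever compared the password locally. Note that `RESULT` lines are matched by `op=` number, which is why the sequence numbers are kept rather than just counting operations.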

