
List:       pamldap
Subject:    Re: [pamldap] getting uid but not password
From:       Jim Lang <jim () guscreek ! com>
Date:       2001-01-09 22:43:22

> 
> Although this may not strictly be pam_ldap issue at this point, does anyone 
> here know if I have to build my pop daemon (U of W) with a special 
> EXTRAAUTHENTICATORS setting?  If so, what should it be?  Their docs don't 
> mention ldap at all...
> 
> 


nope, it just needed to be compiled with PASSWDTYPE=pam
now once I finish sendmail config, I'm done 

thanks all for your patience, I'll post the rest of my question 
to a sendmail list ;-)

Jim
> one step at a time, I'm getting there.  
> 
> My problems with ldap.conf detailed below related to the fact 
> that the library was still loaded in memory -- so 
> it wasn't rereading ldap.conf  --  by stopping and starting the 
> name service cache daemon I was able to get it to take 
> the changes I put in ldap.conf  
> 
> Now, even a normal user can su to a user that exists in ldap but not passwd:
> 
> bash-2.03$ su  testuser
> Password:
> $ id
> uid=150(testuser) gid=150
> $
> 
> So I guess pam_ldap is doing what it should.
> If that were what we wanted, I'd be done.  
> But we actually won't have these users logging in anyway, 
> just using sendmail and pop.  But pop is still doing 
> the same thing:
> 
> [root@underhill /]# telnet localhost 110
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> +OK POP3 localhost v2000.68 server ready
> user testuser
> +OK User name accepted, password please
> pass pass123
> -ERR Bad login
> quit
> +OK Sayonara
> Connection closed by foreign host.
> 
> 
> log entries are a little different though:
> 
> [08/Jan/2001:13:18:59 -0700] conn=79845 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [08/Jan/2001:13:18:59 -0700] conn=79846 fd=72 slot=72 connection from 12.32.34.2 to 192.168.100.5
> [08/Jan/2001:13:18:59 -0700] conn=79846 op=0 BIND dn="" method=128 version=3
> [08/Jan/2001:13:18:59 -0700] conn=79846 op=0 RESULT err=0 tag=97 nentries=0 etime=0
> [08/Jan/2001:13:18:59 -0700] conn=79846 op=1 SRCH base="o=blackfoot.net" scope=2 filter="(&(objectclass=posixAccount)(uid=testuser))"
> [08/Jan/2001:13:18:59 -0700] conn=79846 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [08/Jan/2001:13:18:59 -0700] conn=79845 op=-1 fd=48 closed - B1
> [08/Jan/2001:13:18:59 -0700] conn=79847 fd=48 slot=48 connection from 12.32.34.2 to 192.168.100.5
> [08/Jan/2001:13:18:59 -0700] conn=79847 op=0 BIND dn="" method=128 version=3
> [08/Jan/2001:13:18:59 -0700] conn=79847 op=0 RESULT err=0 tag=97 nentries=0 etime=0
> [08/Jan/2001:13:18:59 -0700] conn=79847 op=1 SRCH base="o=blackfoot.net" scope=2 filter="(&(objectclass=shadowAccount)(uid=testuser))"
> 
> Although this may not strictly be pam_ldap issue at this point, does anyone 
> here know if I have to build my pop daemon (U of W) with a special 
> EXTRAAUTHENTICATORS setting?  If so, what should it be?  Their docs don't 
> mention ldap at all...
> 
> 
> 
> tia 
> 
> Jim
> 
> At 02:04 PM 1/7/01 -0700, Jim Lang wrote:
> > I was sure these shadowAccount attribs would solve my problem, but 
> > alas, no.  Details below, and thanks for your 
> > continued help and advice.
> > 
> > At 08:55 PM 1/6/01 +1100, you wrote:
> > > Earlier today, Jim Lang wrote:
> > > 
> > > > Or do I need to set some attributes for shadowAccount? I couldn't tell from
> > > > the documentation what they were for, or what I would set them to.
> > > 
> > > Even though NSS has only a single database view of both the /etc/passwd and
> > > /etc/shadow files (called "passwd" - this is the case for Solaris, though I've
> > > home-dir    -> homeDirectory
> > > login-shell -> loginShell
> > > 
> > > /etc/shadow   -> shadowAccount
> > > username    -> uid
> > > password    -> userPassword
> > > lastchg     -> shadowLastChange
> > > min         -> shadowMin
> > > max         -> shadowMax
> > > warn        -> shadowWarning
> > > inactive    -> shadowInactive
> > > expire      -> shadowExpire
> > > flag        -> shadowFlag
> > > 
> > > See the man pages for /etc/passwd and /etc/shadow on your system for more
> > > details.  RFC 2307 lists the mandatory/optional attributetypes.
> > > 
> > 
> > 
> > OK, I added the shadowAccount attributes:
> > 
> > 
> > [root@ldap bin]# ./ldapsearch -b o=example.net "uid=testuser"
> > dn: uid=testuser,o=example.net
> > objectclass: top
> > objectclass: person
> > objectclass: OrganizationalPerson
> > objectclass: InetOrgPerson
> > objectclass: posixAccount
> > objectclass: shadowAccount
> > objectclass: mailRecipient
> > objectclass: nsLicenseUser
> > uid: testuser
> > cn: test user
> > sn: user
> > givenname: test
> > uidnumber: 150
> > gidnumber: 150
> > homedirectory: /
> > shadowlastchange: 11250
> > shadowmin: 0
> > shadowmax: 99999
> > shadowwarning: 7
> > shadowinactive: -1
> > shadowexpire: -1
> > shadowflag: 1
> > nslicensedfor: mail
> > mail: testuser@example.net
> > mailhost: mail1.example.net
> > 
> > same result, though.
> > 
> > 
> > > > +OK User name accepted, password please
> > > > pass pass123
> > > > -ERR Bad login
> > > 
> > > Was there any clue in the directory server's logs (such as a user not found
> > > error or something)?  The first thing to do when debugging pam_ldap is to use
> > > the command line tools (ldapsearch) to perform the same searches the module
> > > would perform, to see if they work directly against the directory server.
> > > 
> > 
> > As you can see above, ldapsearch returns what it should - can ldapsearch be used 
> > to find the password, though?
> > 
> > Here are the log entries from the successful pop against the Netscape Messaging Server: 
> > [06/Jan/2001:12:42:29 -0700] conn=50297 op=0 BIND dn="" method=128 version=2
> > [06/Jan/2001:12:42:29 -0700] conn=50297 op=0 RESULT err=0 tag=97 nentries=0 etime=0
> > [06/Jan/2001:12:42:29 -0700] conn=50297 op=1 SRCH base="o=example.net" scope=2 filter="(&(uid=testuser)(mailhost=mail1.blackfoot.net))"
> > [06/Jan/2001:12:42:29 -0700] conn=50297 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> > [06/Jan/2001:12:42:29 -0700] conn=50297 op=2 SRCH base="o=example.net" scope=2 filter="(&(uid=testuser)(mailhost=mail1.blackfoot.net))"
> > [06/Jan/2001:12:42:29 -0700] conn=50297 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> > [06/Jan/2001:12:42:29 -0700] conn=50298 fd=43 slot=43 connection from 192.168.100.2 to 192.168.100.5
> > [06/Jan/2001:12:42:29 -0700] conn=50298 op=0 BIND dn="" method=128 version=2
> > [06/Jan/2001:12:42:29 -0700] conn=50298 op=0 RESULT err=0 tag=97 nentries=0 etime=0
> > [06/Jan/2001:12:42:29 -0700] conn=50298 op=1 SRCH base="o=example.net" scope=2 filter="(uid=testuser)"
> > [06/Jan/2001:12:42:29 -0700] conn=50298 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> > [06/Jan/2001:12:42:29 -0700] conn=50298 op=2 BIND dn="uid=testuser,o=example.net" method=128 version=2
> > [06/Jan/2001:12:42:29 -0700] conn=50298 op=2 RESULT err=0 tag=97 nentries=0 etime=0
> > [06/Jan/2001:12:42:29 -0700] conn=50298 op=3 UNBIND
> > [06/Jan/2001:12:42:29 -0700] conn=50298 op=3 fd=43 closed - U1
> > 
> > Here are the log entries from the unsuccessful pop against localhost:
> > 
> > 
> > [06/Jan/2001:12:43:29 -0700] conn=50407 fd=43 slot=43 connection from 12.32.34.2 to 192.168.100.5
> > [06/Jan/2001:12:43:29 -0700] conn=50407 op=0 BIND dn="" method=128 version=3
> > [06/Jan/2001:12:43:29 -0700] conn=50407 op=0 RESULT err=0 tag=97 nentries=0 etime=0
> > [06/Jan/2001:12:43:29 -0700] conn=50407 op=1 SRCH base="o=example.net" scope=2 filter="(&(objectclass=shadowAccount)(uid=testuser))"
> > [06/Jan/2001:12:43:29 -0700] conn=50407 op=1 RESULT err=0 tag=101 nentries=1 etime=0 
> > (It is because I saw shadowAccount in the log that I put it in ldap.conf)
> > 
> > Here is the log entry from the successful su:
> > 
> > [06/Jan/2001:13:10:59 -0700] conn=349 op=242 SRCH base="o=example.net" scope=2 filter="(&(objectclass=posixAccount)(uid=testuser))"
> > [06/Jan/2001:13:10:59 -0700] conn=349 op=242 RESULT err=0 tag=101 nentries=1 etime=0 
> > (I note that here it uses posixAccount - also, it is not a new connection each
> > time, but seems to keep a persistent connection open - I don't know the
> > significance of that)
> > Here is something else that I don't understand - I tried changing ldap.conf
> > different ways to see what I would see in the log, and it made no difference --
> > /etc/ldap.conf doesn't seem to be being used - I can change the host entry to a
> > nonexistent host, or one that is not running ldap, or even delete /etc/ldap.conf
> > altogether, and the behavior is exactly the same! I even modified pam_ldap.c
> > thusly: 
> > /*  if (configFile == NULL) */
> > configFile = "/etc/ldap.conf";
> > 
> > before recompiling and reinstalling just to be sure there was no chance it wasn't
> > trying to use some other file (also downloaded and used pam_ldap-86) - does
> > pam_ldap read it at compile time instead of runtime?
> > 
> > 
> > 
> > > > [root@mail2 /]# ldapsearch -b o=example.net "uid=testuser"
> > > > uid=testuser,o=example.net
> > > 
> > > A quick glance says the user object should be fine (though I didn't put any
> > > effort into checking the "mailRecipient" or "nsLicenseUser" OC's or
> > > attributetypes).
> > > 
> > > > # Filter to AND with uid=%s
> > > > #pam_filter objectclass=shadowAccount
> > > 
> > > If anything, this one probably makes more sense:
> > > 
> > > pam_filter objectClass=posixAccount
> > > 
> > 
> > 
> > As I said, it doesn't seem to matter what I put in ldap.conf - 
> > but I tried it with posixAccount as well to no effect.
> > 
> > I am including again my current pam.conf and ldap.conf 
> > as well.
> > 
> > Thanks,  Jim
> > 
> > [root@underhill /]# cat /etc/pam.conf
> > #ident  "@(#)pam.conf 1.19     95/11/30 SMI"
> > #
> > # PAM configuration
> > #
> > # Authentication management
> > #
> > login   auth sufficient         /usr/lib/security/pam_unix.so.1
> > login   auth sufficient /usr/lib/security/pam_ldap.so.1
> > #login  auth required   /usr/lib/security/pam_dial_auth.so.1
> > #
> > rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
> > rlogin  auth required   /usr/lib/security/pam_unix.so.1
> > #
> > dtlogin auth required   /usr/lib/security/pam_unix.so.1
> > #
> > rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1
> > other   auth sufficient /usr/lib/security/pam_ldap.so.1
> > other   auth sufficient /usr/lib/security/pam_unix.so.1
> > #
> > # Account management
> > #
> > login   account sufficient      /usr/lib/security/pam_unix.so.1
> > login   account sufficient      /usr/lib/security/pam_ldap.so.1
> > dtlogin account required        /usr/lib/security/pam_unix.so.1
> > #
> > other   account sufficient      /usr/lib/security/pam_unix.so.1
> > other   account sufficient      /usr/lib/security/pam_ldap.so.1
> > #
> > # Session management
> > #
> > other   session sufficient      /usr/lib/security/pam_unix.so.1
> > other   session sufficient      /usr/lib/security/pam_ldap.so.1
> > #
> > # Password management
> > #
> > other   password sufficient     /usr/lib/security/pam_unix.so.1
> > other   password sufficient     /usr/lib/security/pam_ldap.so.1
> > 
> > [root@underhill /]# cat /etc/ldap.conf
> > #
> > # $Id: ldap.conf,v 1.9 2000/06/30 00:33:35 lukeh Exp $
> > #
> > # This is the configuration file for the LDAP nameservice
> > # switch library and the LDAP PAM module.
> > #
> > # To contact the author, mail lukeh@padl.com.
> > #
> > 
> > # Your LDAP server.
> > host ldap.example.net
> > #host localhost
> > 
> > # The distinguished name of the search base.
> > #base dc=example,dc=net
> > base o=example.net
> > 
> > # Use the V3 protocol to optimize searches
> > ldap_version 3
> > 
> > # Filter to AND with uid=%s
> > pam_filter objectclass=posixAccount
> > 
> > # The user ID attribute (defaults to uid)
> > #pam_login_attribute uid
> > 
> > # Search the root DSE for the password policy (works
> > # with Netscape Directory Server)
> > pam_lookup_policy yes
> > 
> > # Group to enforce membership of
> > #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
> > 
> > # Group member attribute
> > #pam_member_attribute uniquemember
> > 
> > # Template login attribute, default template user
> > # (can be overriden by value of former attribute
> > # in user's entry)
> > #pam_login_attribute userPrincipalName
> > #pam_template_login_attribute uid
> > #pam_template_login nobody
> > 
> > # Hash password locally; required for University of
> > # Michigan LDAP server, and works with Netscape
> > # Directory Server if you're using the UNIX-Crypt
> > # hash mechanism and not using the NT Synchronization
> > # service.
> > pam_crypt local
> 
________________________________
Jim Lang            
Gus Creek Services  http://www.guscreek.com/
(406)544-4069  
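The directory-server access logs quoted in this thread show the difference between a working and a failing pam_ldap authentication: the working POP trace (conn=50298) looks up the uid and then does a second BIND as the found DN, while the failing one stops after the search and never binds as the user, so no password is ever checked. Below is an added example, not code from the thread or from pam_ldap, that parses access-log lines in that format and reports per connection which of the two happened. The sample lines are reassembled from the thread's format; the conn=60001 entry is a constructed wrong-password bind.

```python
import re
from collections import defaultdict
# Netscape Directory Server access-log lines in the format quoted in the thread, one entry
# per line (constructed sample: conn 50298 is the working POP flow, conn 50407 the failing one,
# conn 60001 a constructed wrong-password bind).
SAMPLE_LOG = """\
[06/Jan/2001:12:42:29 -0700] conn=50298 op=0 BIND dn="" method=128 version=2
[06/Jan/2001:12:42:29 -0700] conn=50298 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[06/Jan/2001:12:42:29 -0700] conn=50298 op=1 SRCH base="o=example.net" scope=2 filter="(uid=testuser)"
[06/Jan/2001:12:42:29 -0700] conn=50298 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[06/Jan/2001:12:42:29 -0700] conn=50298 op=2 BIND dn="uid=testuser,o=example.net" method=128 version=2
[06/Jan/2001:12:42:29 -0700] conn=50298 op=2 RESULT err=0 tag=97 nentries=0 etime=0
[06/Jan/2001:12:43:29 -0700] conn=50407 fd=43 slot=43 connection from 12.32.34.2 to 192.168.100.5
[06/Jan/2001:12:43:29 -0700] conn=50407 op=0 BIND dn="" method=128 version=3
[06/Jan/2001:12:43:29 -0700] conn=50407 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[06/Jan/2001:12:43:29 -0700] conn=50407 op=1 SRCH base="o=example.net" scope=2 filter="(&(objectclass=shadowAccount)(uid=testuser))"
[06/Jan/2001:12:43:29 -0700] conn=50407 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[06/Jan/2001:12:44:00 -0700] conn=60001 op=0 BIND dn="uid=testuser,o=example.net" method=128 version=3
[06/Jan/2001:12:44:00 -0700] conn=60001 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""
# Lines without "op=" (connection open/close bookkeeping) do not match LINE_RE and are skipped.
LINE_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=-?\d+ (.*)$')
OP_RES = (('BIND', re.compile(r'^BIND dn="([^"]*)"')),
          ('SRCH', re.compile(r'^SRCH .*filter="([^"]*)"')),
          ('RESULT', re.compile(r'^RESULT err=(\d+)')))

def parse_connections(text):
    """Group each connection's BIND/SRCH/RESULT operations as (kind, detail), in log order."""
    conns = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        for kind, rx in OP_RES:
            hit = rx.match(m.group(2))
            if hit:
                conns[m.group(1)].append((kind, hit.group(1)))
                break
    return conns

def classify(ops):
    """pam_ldap verifies a password by binding as the user's DN after looking it up, so a
    connection that searches for the uid but never binds as a DN never checked a password."""
    searched_uid, awaiting_bind, bind_err = False, False, None
    for kind, detail in ops:
        if kind == 'SRCH' and 'uid=' in detail:
            searched_uid = True
        elif kind == 'BIND':
            awaiting_bind = detail != ''          # dn="" is the anonymous bind
        elif kind == 'RESULT' and awaiting_bind:
            bind_err, awaiting_bind = int(detail), False
    if bind_err is not None:
        return 'authenticated' if bind_err == 0 else 'bind_failed'   # err=49: invalidCredentials
    return 'lookup_only' if searched_uid else 'no_auth_flow'

def audit(text):
    return {conn: classify(ops) for conn, ops in parse_connections(text).items()}
```

Running audit(SAMPLE_LOG) flags conn 50407 as lookup_only, which is exactly the shape of the failing POP trace in the thread.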