
Re: [pamldap] pam_ldap v99, OpenLDAP v2.0.9 and SASL/Kerberos
Turbo Fredriksson wrote:
> 
> [Sorry about the cross post, but I'm uncertain that this is a PAM/LDAP
>  issue alone. If answering me on the pamldap list, please Cc me, because
>  I am not yet subscribed to this list. I'm still waiting for approval.]
> 
> I'm trying to get my test installation of OpenLDAP2 and PAM/LDAP
> (in a CHROOT) to get the passwords from a KerberosV KDC but all
> the rest of the information (homedirectory, [ug]idnumber etc)
> from my LDAP server. Outside the chroot I have a functioning
> OpenLDAP1/KerberosV installation working.

There is no need for pam_ldap then. Just use pam_krb5 and nss_ldap.
 
> These are the software I'm running outside the chroot:
>         Debian GNU/Linux        Potato (stable)
>         OpenLDAP1               1.2.11
>         KerberosV KDC           1.2.2
>         libpam-ldap             43
>         libnss-ldap             122
> 
>         -> As said, this works like a charm. Kinit, ksu, ktelnet etc
>            work. I can use libpam-ldap and libpam-krb5 to
>            authenticate with the password either from kerberos or the
>            LDAP database on all services (ssh/login/ftp/wdm etc). The
>            password is stored with {crypt} in the LDAP db.
> 
> In the chroot, this is the software I'm running:
>         Debian GNU/Linux        Sid (unstable)
>         OpenLDAP2               2.0.9 (with SASL support etc)
>         Cyrus SASL              1.5.24
>         libpam-ldap             99
>         libnss-ldap             140
> 
> Outside the chroot, I have the following line in my /etc/inittab file
> (/mnt/rescue is where my chroot is located):
> ----- s n i p -----
> 10:23:respawn:sh -c 'cd /mnt/rescue ; chroot . /sbin/getty 38400 tty10'
> ----- s n i p -----
> 
> [The following are information from the chroot]
> 
> The LDAP server is running on port 3389 and ldaps:///, and is compiled
> with the following options (amongst others):
> 
>         --with-tls
>         --enable-kpasswd
>         --enable-spasswd
> 
> I have the following attribute/value in the LDAP database:
> 
>         dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
>         userPassword:: e1NBU0x9dHVyYm8=
> 
> That 'e1NBU0x9dHVyYm8=' is supposed to be '{SASL}turbo'... Why is it
> base64 (I assume) encoded?
> 
> The rest of the database is a dump from the functioning server outside
> the chroot (only the 'userPassword' attribute has been changed).
> 
> This is the pam config file for login (same as the one outside the chroot):
> ----- s n i p -----
> auth            required        pam_nologin.so
> auth            sufficient      pam_krb5.so
> auth            sufficient      pam_ldap.so
> auth            required        pam_unix.so try_first_pass shadow
> auth            required        pam_env.so
> auth            required        pam_issue.so issue=/etc/issue.net
> 
> account         sufficient      pam_krb5.so
> account         sufficient      pam_ldap.so
> account         required        pam_unix.so try_first_pass shadow
> 
> password        sufficient      pam_krb5.so
> password        required        pam_ldap.so md5
> session         required        pam_unix.so
> session         optional        pam_lastlog.so
> session         optional        pam_motd.so
> session         optional        pam_mail.so standard noenv
> session         required        pam_mkhomedir.so skel=/etc/skel/
> ----- s n i p -----
> 
> This is the configuration from /etc/pam_ldap.conf:
> ----- s n i p -----
> host 127.0.0.1
> base dc=com
> port 3389
> ----- s n i p -----
> 
> The same information is also in /etc/libnss-ldap.conf and
> the OpenLDAP config files (/etc/ldap/ldap.conf).
> 
> The /etc/nsswitch.conf file:
> ----- s n i p -----
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
> hosts:          files dns ldap
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
> ----- s n i p -----
> 
> When trying to login as 'turbo', I get this:
> ----- s n i p -----
> CHROOT:/etc/init.d# /bin/login
> login: turbo
> Password for turbo@BAYOUR.COM:
> LDAP Password:
> Login incorrect
> ----- s n i p -----
> 
> and in the syslog:
> ----- s n i p -----
> Mar 14 17:45:37 {HOSTNAME} tcplogd: port 3389 connection attempt from {FQDN} [{IPADDRES}]
> Mar 14 17:45:44 {HOSTNAME} tcplogd: port 3389 connection attempt from localhost [127.0.0.1]
> ----- s n i p -----

Is that all the logging you get?
Add "debug = true" to the PAM section in /etc/krb5.conf to make it more
verbose. See the KDC logs if you get a tgt.
Add some pam_warn calls to see if PAM is actually called.
Do you see a bind attempt in the slapd.log?
Any tcpwrappers configured?


> Entering either the LDAP password OR the KDC password at the 'LDAP Password' prompt
> makes no difference... I have also tried using 'userPassword: turbo@MY.REALM' in
> the database. No change.
> 
> Doing the same thing outside the chroot (as root) works fine. It will accept my
> Kerberos password...
> 
> To verify that I can't find any obvious problems with the chroot configuration,
> this is what I did:
> ----- s n i p -----
> CHROOT:/etc/init.d# kinit turbo@MY.REALM
> Password for turbo@MY.REALM:
>  [=> klist shows that I have a krbtgt ticket]
> CHROOT:/etc/init.d# ldapsearch -U turbo -H ldaps:/// uid=turbo
>  [=> will show me the full object of 'turbo', verified by double
>      checking by binding with the BindDN as usual]

You're searching on port 636 (ldaps) here. Try the port you've
configured in pam|nss_ldap.conf (without SSL and SASL, just simple bind
as pam_ldap does).

-- 
Norbert Klasen
DFN Directory Services                           tel: +49 7071 29 70335
ZDV, Universität Tübingen                        fax: +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen              http://www.directory.dfn.de
Germany                             norbert.klasen@zdv.uni-tuebingen.de
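The login transcript above shows two prompts ("Password for turbo@BAYOUR.COM:" followed by "LDAP Password:"), which is itself diagnostic: with the quoted auth stack, a `sufficient` module that succeeds ends the stack immediately, so the LDAP prompt can only appear after pam_krb5 has already returned failure. The following Python simulator of Linux-PAM's classic control flags (required / requisite / sufficient / optional) is an added example written for this page, not code from the thread or from Linux-PAM; the auth stack it parses is the one quoted from /etc/pam.d/login, and the per-module outcomes are constructed inputs.

```python
"""Simulate how Linux-PAM walks an auth stack with classic control flags.

This is an illustration, not Linux-PAM's own code: real PAM has more
return codes and the [value=action] syntax, but the four keyword flags
used in the quoted /etc/pam.d/login behave as modelled here.
"""

# Constructed sample: the auth lines quoted from /etc/pam.d/login above.
LOGIN_AUTH_STACK = """
auth            required        pam_nologin.so
auth            sufficient      pam_krb5.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so try_first_pass shadow
auth            required        pam_env.so
auth            required        pam_issue.so issue=/etc/issue.net
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility of a pam.d file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        entries.append((parts[1], parts[2], parts[3:]))
    return entries


def run_stack(entries, outcomes):
    """Walk the stack; outcomes maps module name -> True (success) / False.

    Modules not listed in outcomes are assumed to succeed (pam_env, pam_issue
    and pam_nologin normally do). Returns (stack_succeeded, trace) where the
    trace lists every module that was actually invoked.
    """
    required_failed = False
    trace = []
    for control, module, _args in entries:
        ok = outcomes.get(module, True)
        trace.append((module, ok))
        if control == "sufficient":
            # Success ends the stack unless an earlier 'required' already failed;
            # failure of a sufficient module is silently ignored.
            if ok and not required_failed:
                return True, trace
        elif control == "required":
            # Remember the failure but keep walking so the user cannot tell
            # which module rejected them.
            if not ok:
                required_failed = True
        elif control == "requisite":
            if not ok:
                return False, trace
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not required_failed, trace


def modules_prompted(trace):
    """Names of the modules that ran, i.e. the ones that could have prompted."""
    return [module for module, _ok in trace]


if __name__ == "__main__":
    stack = parse_stack(LOGIN_AUTH_STACK)
    # Constructed scenario matching the thread: Kerberos and LDAP both reject,
    # and pam_unix has no local entry for 'turbo'.
    ok, trace = run_stack(stack, {"pam_krb5.so": False,
                                  "pam_ldap.so": False,
                                  "pam_unix.so": False})
    print("result:", "success" if ok else "Login incorrect")
    print("modules that ran:", modules_prompted(trace))
```

Feeding the simulator the scenario from the thread reproduces "Login incorrect" with pam_krb5, pam_ldap and pam_unix all having run; giving pam_krb5 a success shows the stack ending before pam_ldap is reached, which is why a working Kerberos password never produces an "LDAP Password:" prompt outside the chroot.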
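The "userPassword:: e1NBU0x9dHVyYm8=" question in the quoted mail is about LDIF syntax rather than about the directory: a double colon after the attribute name (RFC 2849) marks a base64-encoded value, and decoding it yields the stored value unchanged. The small LDIF entry parser below is an added example for this page, not part of the thread or of OpenLDAP; the sample entry is constructed from the dn and userPassword lines quoted above, and the extra `uid` line is assumed.

```python
"""Parse a single LDIF entry, decoding '::' (base64) values per RFC 2849."""
import base64

# Constructed sample: the two lines quoted in the mail plus an assumed uid.
LDIF_SAMPLE = """dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
userPassword:: e1NBU0x9dHVyYm8=
uid: turbo
"""


def logical_lines(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one entry; base64 values are decoded."""
    entry = {}
    for line in logical_lines(text):
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):
            # 'attr:: <base64>' -- the value is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):
            # 'attr:< file:///...' -- file-backed values are out of scope here
            raise ValueError(f"URL-valued attribute not supported: {attr}")
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def password_scheme(value):
    """Return the {SCHEME} prefix of a userPassword value, or None if it has none.

    '{SASL}user' tells slapd to verify the password via SASL instead of
    comparing a stored hash; '{crypt}...' is a stored crypt(3) hash.
    """
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return None


if __name__ == "__main__":
    entry = parse_ldif_entry(LDIF_SAMPLE)
    pw = entry["userPassword"][0]
    print("decoded userPassword:", pw)
    print("scheme:", password_scheme(pw))
```

Running this confirms the stored value is exactly "{SASL}turbo"; the base64 is purely the LDIF transport encoding and has nothing to do with how slapd interprets the {SASL} scheme.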