
RE: Re: OpenLDAP and SSH authentification



Michel,

You did not specify which Linux distro. That info will help. For example, on CentOS/RH, all you have to do to enable pam_ldap auth is "/usr/bin/authconfig --enableldapauth --update".

Again, on RH/CentOS, this command changes /etc/pam.d/system-auth (linked to system-auth-ac).

------------
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
---------------


For local users (root and several others), you want to disable LDAP lookups. Otherwise, nss_ldap tries to look up these users in LDAP. Add this to your /etc/ldap.conf:
"nss_initgroups_ignoreusers root,bin,daemon,adm,mail,ftp,nscd,vcsa,sshd,dbus,avahi,haldaemon,ntp,ldap,named,apache"

Hope this helps.


- Siddhartha




From: openldap-technical-bounces+sjain=silverspringnet.com@openldap.org [mailto:openldap-technical-bounces+sjain=silverspringnet.com@openldap.org] On Behalf Of Mackey, Theral
Sent: Wednesday, April 21, 2010 10:05 AM
To: openldap-technical@openldap.org
Subject: RE: Re: OpenLDAP and SSH authentification

You probably also want a line in the account section for pam_ldap.so.
I'm not as familiar with opie (I know what it is, just haven't used it much), but since it is set as requisite and before the ldap module, it's possibly failing your auth stack if you don't have it set up properly. Test with it commented out using your ldap user, and again with ldap commented out using a local user. Make sure ldap is working by itself (and the same for opie) before laying other stuff on top of it. Consult the various pam-opie-ldap integration guides on the best way to get that working together.

Since you have pam.d/common-*, those are likely the files you will want to edit rather than sshd. The sshd pam config file probably has a line that includes the common stack files, which should already have the basic stack in them; duplicating it in sshd will cause problems.

(I assume this is a Debian-style system.) Also check that your pam_ldap.conf is set up the same as libnss-ldap.conf; you can probably replace it with a symlink to libnss-ldap.conf.

Don't use rootbinddn; use binddn or just comment them all out. rootbinddn gets its password from a file and expects to be the root/cn=Manager user of your directory. It's generally not needed for auth. The bindpw is the password for binddn, which should be a user that can read user/group entries and auth to userPassword. If your directory allows anonymous reads, you can comment both out and pam will work with anonymous binds.

You can generally leave the nss_base_* mappings all commented out unless your directory is set up strangely, and you probably want pam_password set to exop so that ldap handles passwords internally rather than forcing a method (unless you have a reason for it (opie req?)).


-T
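The checks below are an added example and not code from anyone in this thread. They turn the advice given in the replies (pam_ldap.so in every PAM management group, "files ldap" ordering in nsswitch.conf, binddn rather than rootbinddn, pam_password exop) into a few POSIX shell/awk functions that read a config file from stdin, so the same checks can be pointed at a real /etc/pam.d/system-auth, /etc/nsswitch.conf or /etc/ldap.conf. Every sample configuration in the block is constructed for the example; the PAM sample deliberately omits the account-group pam_ldap.so line so the check has something to report.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Three checks a client
# admin can run before testing logins: does every PAM management group
# reference pam_ldap.so, does nsswitch.conf put "files" before "ldap", and
# does the client ldap.conf avoid rootbinddn and leave the password method
# to the server. Every sample configuration below is constructed.

# Constructed PAM stack in the shape of the system-auth file quoted above,
# with the account-group pam_ldap.so entry deliberately left out.
SAMPLE_PAM_STACK='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    /usr/local/lib/pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     required      pam_permit.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
session     optional      pam_ldap.so'

# Constructed nsswitch.conf with the ordering Ariel suggests for passwd/group/shadow.
SAMPLE_NSSWITCH='passwd:  files ldap
group:   files ldap
shadow:  files ldap
hosts:   files dns'

# Constructed client config in the shape of the one Michel posted.
SAMPLE_LDAP_CONF='rootbinddn cn=proxyuser,dc=exemple,dc=org
bindpw proxy
pam_password MD5'

# pam_groups_with_module MODULE   (PAM stack on stdin)
# Prints, sorted, the management groups whose non-comment entries load MODULE,
# whether written bare (pam_ldap.so) or by path (/usr/local/lib/pam_ldap.so).
pam_groups_with_module() {
    awk -v mod="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 ~ /^(auth|account|password|session)$/ {
            # A bracketed control token such as [default=bad success=ok]
            # spans several fields, so scan every field for the module name.
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/.*\//, "", f)
                if (f == mod) { seen[$1] = 1; break }
            }
        }
        END { for (g in seen) print g }
    ' | sort
}

# pam_missing_groups MODULE   (PAM stack on stdin)
# Prints the management groups that never load MODULE. An auth line for
# pam_ldap.so with no account line is exactly the gap Theral points at above.
pam_missing_groups() {
    present=" $(pam_groups_with_module "$1" | tr '\n' ' ')"
    for g in auth account password session; do
        case "$present" in
            *" $g "*) ;;
            *) echo "$g" ;;
        esac
    done
}

# nsswitch_files_then_ldap DB   (nsswitch.conf on stdin)
# Exit status 0 when DB lists "files" first and "ldap" after it, so local
# accounts such as root still resolve when the directory is unreachable.
nsswitch_files_then_ldap() {
    awk -v db="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == (db ":") && $2 == "files" {
            for (i = 3; i <= NF; i++) if ($i == "ldap") ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# ldap_conf_findings   (ldap.conf / libnss-ldap.conf on stdin)
# One finding per line for the two client-config points Theral raises:
# rootbinddn puts the directory manager's credentials on every client, and
# pam_password should be exop so the directory handles passwords itself.
ldap_conf_findings() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "rootbinddn"   { print "rootbinddn set: use binddn, or anonymous binds if the directory allows reads" }
        $1 == "pam_password" { pw = tolower($2) }
        END {
            if (pw != "exop")
                print "pam_password is " (pw == "" ? "unset" : pw) ": consider exop"
        }
    '
}

# Run the checks over the constructed samples.
printf '%s\n' "$SAMPLE_PAM_STACK" | pam_missing_groups pam_ldap.so | sed 's/^/pam_ldap.so missing from group: /'
if printf '%s\n' "$SAMPLE_NSSWITCH" | nsswitch_files_then_ldap passwd; then echo "nsswitch passwd: files then ldap, ok"; fi
printf '%s\n' "$SAMPLE_LDAP_CONF" | ldap_conf_findings
```

To run the same checks on a live host, replace the printf of a sample with a redirect such as `pam_missing_groups pam_ldap.so < /etc/pam.d/system-auth`. The functions only read configuration files, so they are safe to run on a box whose login is currently broken, which is the situation in the original question.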

From: openldap-technical-bounces+tmackey=zetta.net@OpenLDAP.org [mailto:openldap-technical-bounces+tmackey=zetta.net@OpenLDAP.org] On Behalf Of dubois.michel@gmail.com
Sent: Wednesday, April 21, 2010 1:57 AM
To: openldap-technical@openldap.org
Subject: Re: Re: OpenLDAP and SSH authentification

Thanks to all .........

I added the following to /etc/libnss-ldap.conf on the server side:
rootbinddn cn=proxyuser,dc=exemple,dc=org
bindpw proxy
pam_password MD5
nss_base_passwd ou=people,dc=exemple,dc=org?one
nss_base_shadow ou=people,dc=exemple,dc=org?one
nss_base_group ou=groups,dc=exemple,dc=org?one

and I added this line to the /etc/pam.d/common-session file:
session required pam_mkhomedir.so skel=/etc/skel/

for creating the home dir when the user connects for the first time...

Thanks for your help anyway...



On , Ariel <ariel@bidcactus.com> wrote:
> In your /etc/nsswitch.conf
> 
> 
> Try changing to these lines:
> 
> 
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> 
> 
> Also in pam.d/sshd password section try adding:
> 
> 
> password   sufficient   pam_ldap.so
> 
> To make much of this easier you might want to install packages something like this for your distro:
> libpam-ldap
> libnss-ldap
> ldap-auth-client
> ldap-auth-config
> 
> 
> Good luck.
> -a
> 
> On Apr 20, 2010, at 3:15 AM, Michel Dubois wrote:
> 
> Hello Everyone,
> 
> I'm a newbie on OpenLDAP. I built an LDAP server with one user. I can see this user when I do a "getent passwd" on my client. This means that my LDAP server is working and my client is connecting to the LDAP server.
> 
> I already modified my /etc/pam.d/sshd file on my client machine like this:
> 
> 
> # auth
> auth required pam_nologin.so no_warn
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth sufficient /usr/local/lib/pam_ldap.so no_warn
> auth required pam_unix.so no_warn try_first_pass
> 
> # account
> account required pam_login_access.so
> account required pam_unix.so
> 
> # session
> session required pam_permit.so
> 
> # password
> password required pam_unix.so no_warn try_first_pass
> 
> But I can't connect over ssh to my client machine with the user login. And this modification disables my ssh root connection.
> 
> What do I have to check?
> Regards, 
> 
> -- 
> -----------------------------------------------------------
> Michel Dubois