
ssh, ldap, pam on Debian Potato



[I'm not sure if this is the 1st, 2nd or 3rd mail. I haven't seen
it on the list]

I've been having problems with LDAP for quite some time now.

I haven't had this on high priority (started a new job 3 months
ago, which takes 100% of my time). Now we're looking into a more
uniform way of authenticating our users. As it is now, they have one
account on the mail server (Linux) and one on the PDC. This is
naturally not good, as it takes extra time to add/remove/change a user,
the user's password etc.

Enter LDAP. 

I've been talking about this with the Debian maintainer of LDAP
(who is also one of the OpenLDAP developers, Ben Collins), but
we (I?) haven't been able to resolve the problem quite yet...

sshd is checking the LDAP database (according to the logs),
but I can't log in.

Log file
----- s n i p -----
Sep 17 19:18:11 papadoc tcplogd: ssh connection attempt from localhost [127.0.0.1]
Sep 17 19:18:11 papadoc sshd[26031]: connect from 127.0.0.1
Sep 17 19:18:11 papadoc sshd[26031]: log: Connection from 127.0.0.1 port 1023
Sep 17 19:18:11 papadoc slapd[877]: conn=3 fd=7 connection from localhost (127.0.0.1) accepted. 
Sep 17 19:18:11 papadoc slapd[26033]: conn=3 op=0 BIND dn="" method=128 
Sep 17 19:18:11 papadoc slapd[26033]: conn=3 op=0 RESULT err=0 tag=97 nentries=0 
Sep 17 19:18:11 papadoc tcplogd: ldap connection attempt from localhost [127.0.0.1]
Sep 17 19:18:11 papadoc slapd[26034]: conn=3 op=1 SRCH base="O=DONFRANSURBO,C=SE" scope=2 filter="(uid=TURBO)" 
Sep 17 19:18:11 papadoc slapd[877]: conn=3 op=-1 fd=7 closed errno=0 
Sep 17 19:18:11 papadoc slapd[26036]: conn=3 op=2 UNBIND 
Sep 17 19:18:11 papadoc slapd[26034]: conn=3 op=1 RESULT err=0 tag=101 nentries=1 
Sep 17 19:18:12 papadoc sshd[26031]: log: Wrong response to RSA authentication challenge.
Sep 17 19:18:16 papadoc slapd[877]: conn=4 fd=7 connection from localhost (127.0.0.1) accepted. 
Sep 17 19:18:16 papadoc tcplogd: ldap connection attempt from localhost [127.0.0.1]
Sep 17 19:18:16 papadoc slapd[26064]: conn=4 op=0 BIND dn="UID=TURBO,OU=PEOPLE,O=DONFRANSURBO,C=SE" method=128 
Sep 17 19:18:16 papadoc sshd[26031]: pam_ldap: ldap_simple_bind_s Invalid credentials
Sep 17 19:18:16 papadoc sshd[26031]: fatal: Connection closed by remote host.
Sep 17 19:18:16 papadoc slapd[877]: conn=4 op=-1 fd=7 closed errno=0 
Sep 17 19:18:16 papadoc slapd[26064]: conn=4 op=0 RESULT err=49 tag=97 nentries=0 
Sep 17 19:18:16 papadoc slapd[26065]: conn=4 op=1 UNBIND 
Sep 17 19:18:37 papadoc tcplogd: ssh connection attempt from localhost [127.0.0.1]
Sep 17 19:18:37 papadoc sshd[26165]: connect from 127.0.0.1
Sep 17 19:18:37 papadoc sshd[26165]: log: Connection from 127.0.0.1 port 1022
Sep 17 19:18:37 papadoc slapd[877]: conn=5 fd=7 connection from localhost (127.0.0.1) accepted. 
Sep 17 19:18:37 papadoc tcplogd: ldap connection attempt from localhost [127.0.0.1]
Sep 17 19:18:37 papadoc slapd[26167]: conn=5 op=0 BIND dn="" method=128 
Sep 17 19:18:37 papadoc slapd[26167]: conn=5 op=0 RESULT err=0 tag=97 nentries=0 
Sep 17 19:18:37 papadoc slapd[26168]: conn=5 op=1 SRCH base="O=DONFRANSURBO,C=SE" scope=2 filter="(uid=TURBO)" 
Sep 17 19:18:37 papadoc slapd[877]: conn=5 op=-1 fd=7 closed errno=0 
Sep 17 19:18:37 papadoc slapd[26168]: conn=5 op=1 RESULT err=0 tag=101 nentries=1 
Sep 17 19:18:38 papadoc slapd[26172]: conn=5 op=2 UNBIND 
Sep 17 19:18:38 papadoc sshd[26165]: log: Wrong response to RSA authentication challenge.
Sep 17 19:18:43 papadoc slapd[877]: conn=6 fd=7 connection from localhost (127.0.0.1) accepted. 
Sep 17 19:18:43 papadoc tcplogd: ldap connection attempt from localhost [127.0.0.1]
Sep 17 19:18:44 papadoc slapd[26261]: conn=6 op=0 BIND dn="UID=TURBO,OU=PEOPLE,O=DONFRANSURBO,C=SE" method=128 
Sep 17 19:18:44 papadoc sshd[26165]: fatal: Connection closed by remote host.
Sep 17 19:18:44 papadoc slapd[26261]: conn=6 op=0 RESULT err=0 tag=97 nentries=0 
Sep 17 19:18:44 papadoc slapd[877]: conn=6 op=-1 fd=7 closed errno=0 
Sep 17 19:18:44 papadoc slapd[26263]: conn=6 op=1 UNBIND 
----- s n i p -----

/etc/pam.d/ssh
----- s n i p -----
#%PAM-1.0
#[For version 1.0 syntax, the above header is optional]
#
# The PAM configuration file for the `sshd' service
#
auth       required     pam_ldap.so
account    required     pam_ldap.so
password   required     pam_ldap.so
session    required     pam_ldap.so
----- s n i p -----

/etc/openldap/slapd.conf
----- s n i p -----
# This is the main ldapd configuration file.

# Schema and objectClass definitions
include		/etc/openldap/slapd.at.conf
include		/etc/openldap/slapd.oc.conf

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck	off

# Where clients are refered to if no
# match is found locally
referral	ldap://ldap.four11.com

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile		/var/run/slapd.pid

#######################################################################
# ldbm database definitions
#######################################################################

# The backend type, ldbm, is the default standard
database	ldbm

# The base of your directory
suffix		"o=DonFransUrbo, c=SE"

# Where the database file are physically stored
directory	"/var/lib/openldap"

# By default, only read access is allowed
defaultaccess	read

# The userPassword by default can by changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry above
access to attribute=userPassword
	by * none
	by self write

access to * by dn="uid=turbo, ou=People, o=DonFransUrbo, c=SE" write

# The admin dn has full write access
access to * by dn="cn=admin,ou=People,o=DonFransUrbo,c=SE" write

# End of ldapd configuration file
----- s n i p -----

Output from search
----- s n i p -----
[ssh.papadoc]$ ldapsearch -b 'o=DonFransUrbo, c=SE' 'uid=turbo'
uid=turbo,ou=People,o=DonFransUrbo,c=SE
uid=turbo
cn=Turbo Fredriksson
objectclass=top
objectclass=account
objectclass=posixAccount
objectclass=shadowAccount
shadowlastchange=10557
shadowmax=99999
shadowwarning=7
loginshell=/bin/bash
uidnumber=2000
gidnumber=4
homedirectory=/home/operators/turbo
gecos=Turbo Fredriksson
----- s n i p -----

What I don't like very much about the search is that the userPassword
can't be retrieved:

----- s n i p -----
[ssh.papadoc]$ ldapsearch -b 'o=DonFransUrbo, c=SE' 'uid=turbo' userPassword
uid=turbo,ou=People,o=DonFransUrbo,c=SE

----- s n i p -----



What am I missing? I've been checking the list archive (Thread: 'nss_ldap,
pam_ldap woes') but it seems that I've progressed a little further; the
password isn't returned...

        Sep 17 19:18:16 papadoc sshd[26031]: pam_ldap: ldap_simple_bind_s Invalid credentials


I would very (!!) much appreciate any help in getting this to work
(next problem will be to get Kerberos to work/interact with this :)


-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
-- 
cryptographic bomb AK-47 KGB Serbian [Hello to all my fans in domestic
surveillance] Qaddafi strategic class struggle Waco, Texas Noriega
munitions terrorist Nazi Kennedy

Attachment: pgpQS8FHQOHhn.pgp
Description: PGP signature
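The slapd and sshd lines from the log above, read as one record per LDAP operation instead of by interleaved pids. This is an added example, not code from the post, from Debian or from OpenLDAP; the SAMPLE_LOG text is a verbatim excerpt of the posted log (first login attempt plus the bind on conn=6, tcplogd lines left out) used as constructed sample input, and the regexes, function names and the small err/tag tables are this script's own.

```python
"""Correlate slapd/sshd syslog lines into one record per LDAP operation, so the
pam_ldap sequence (anonymous bind, search for the uid, bind as the entry found)
and any failed bind stand out without matching conn=/op= numbers by eye.

Added example, not code from the post. SAMPLE_LOG is an excerpt of the log in
the post, used here as constructed sample input.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Sep 17 19:18:11 papadoc sshd[26031]: connect from 127.0.0.1
Sep 17 19:18:11 papadoc sshd[26031]: log: Connection from 127.0.0.1 port 1023
Sep 17 19:18:11 papadoc slapd[877]: conn=3 fd=7 connection from localhost (127.0.0.1) accepted.
Sep 17 19:18:11 papadoc slapd[26033]: conn=3 op=0 BIND dn="" method=128
Sep 17 19:18:11 papadoc slapd[26033]: conn=3 op=0 RESULT err=0 tag=97 nentries=0
Sep 17 19:18:11 papadoc slapd[26034]: conn=3 op=1 SRCH base="O=DONFRANSURBO,C=SE" scope=2 filter="(uid=TURBO)"
Sep 17 19:18:11 papadoc slapd[877]: conn=3 op=-1 fd=7 closed errno=0
Sep 17 19:18:11 papadoc slapd[26036]: conn=3 op=2 UNBIND
Sep 17 19:18:11 papadoc slapd[26034]: conn=3 op=1 RESULT err=0 tag=101 nentries=1
Sep 17 19:18:12 papadoc sshd[26031]: log: Wrong response to RSA authentication challenge.
Sep 17 19:18:16 papadoc slapd[877]: conn=4 fd=7 connection from localhost (127.0.0.1) accepted.
Sep 17 19:18:16 papadoc slapd[26064]: conn=4 op=0 BIND dn="UID=TURBO,OU=PEOPLE,O=DONFRANSURBO,C=SE" method=128
Sep 17 19:18:16 papadoc sshd[26031]: pam_ldap: ldap_simple_bind_s Invalid credentials
Sep 17 19:18:16 papadoc sshd[26031]: fatal: Connection closed by remote host.
Sep 17 19:18:16 papadoc slapd[877]: conn=4 op=-1 fd=7 closed errno=0
Sep 17 19:18:16 papadoc slapd[26064]: conn=4 op=0 RESULT err=49 tag=97 nentries=0
Sep 17 19:18:16 papadoc slapd[26065]: conn=4 op=1 UNBIND
Sep 17 19:18:44 papadoc slapd[26261]: conn=6 op=0 BIND dn="UID=TURBO,OU=PEOPLE,O=DONFRANSURBO,C=SE" method=128
Sep 17 19:18:44 papadoc slapd[26261]: conn=6 op=0 RESULT err=0 tag=97 nentries=0
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
OP_RE = re.compile(r"conn=\d+ op=-?\d+ ([A-Z]+)\b")    # BIND / SRCH / RESULT / UNBIND

# LDAP result codes and protocol-op tags that matter when reading slapd logs
ERR_NAMES = {"0": "success", "49": "invalidCredentials", "50": "insufficientAccessRights"}
TAG_NAMES = {"97": "bindResponse", "101": "searchResDone"}


def parse_line(line):
    """Split one syslog line; None for lines that are not syslog-shaped."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["kv"] = {k: v.strip('"') for k, v in KV_RE.findall(rec["msg"])}
    op = OP_RE.search(rec["msg"])
    rec["kind"] = op.group(1) if op else None     # None for accept/close lines
    return rec


def correlate(log_text):
    """{conn: OrderedDict{op_number: record}}; each BIND/SRCH gets its RESULT merged in."""
    conns = OrderedDict()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["prog"] != "slapd" or rec["kind"] is None:
            continue
        kv = rec["kv"]
        ops = conns.setdefault(int(kv["conn"]), OrderedDict())
        entry = ops.setdefault(int(kv["op"]), {"kind": "?"})
        if rec["kind"] == "RESULT":
            entry.update(err=kv["err"],
                         result=ERR_NAMES.get(kv["err"], "code " + kv["err"]),
                         tag=TAG_NAMES.get(kv["tag"], kv["tag"]),
                         nentries=int(kv["nentries"]))
        else:
            entry["kind"] = rec["kind"]
            if rec["kind"] == "BIND":
                entry["dn"] = kv["dn"] or "<anonymous>"
                entry["method"] = "simple" if kv["method"] == "128" else kv["method"]
            elif rec["kind"] == "SRCH":
                entry["filter"] = kv["filter"]
    return conns


def failed_binds(conns):
    """(conn, dn, result) for every BIND whose RESULT was not err=0."""
    return [(conn, e["dn"], e["result"])
            for conn, ops in conns.items() for e in ops.values()
            if e.get("kind") == "BIND" and e.get("err") not in (None, "0")]


def pam_ldap_messages(log_text):
    """(pid, message) for sshd lines in which pam_ldap reported something."""
    out = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["prog"] == "sshd" and rec["msg"].startswith("pam_ldap:"):
            out.append((rec["pid"], rec["msg"]))
    return out


if __name__ == "__main__":
    conns = correlate(SAMPLE_LOG)
    for conn, ops in conns.items():
        for n, e in ops.items():
            detail = e.get("dn") or e.get("filter") or ""
            print("conn=%d op=%d %-6s %-45s -> %s nentries=%s" % (
                conn, n, e["kind"], detail, e.get("result", "(no RESULT logged)"), e.get("nentries", "-")))
    print("failed binds:", failed_binds(conns))
    print("pam_ldap:", pam_ldap_messages(SAMPLE_LOG))
```

Run stand-alone it prints one line per operation. The first attempt shows the pam_ldap pattern: an anonymous simple bind on conn=3, a subtree search for (uid=TURBO) that returned one entry, then a simple bind as that entry's DN on conn=4, which slapd answered with err=49 (invalidCredentials), the same failure sshd reports as `pam_ldap: ldap_simple_bind_s Invalid credentials`. The bind as the same DN on conn=6, under the same configuration, returned err=0, but sshd had already logged the connection as closed by the time that result came back.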
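On the slapd.conf above: slapd examines the `by` clauses of an `access to` directive in order, and the first clause that matches the requester decides. In the posted `access to attribute=userPassword` directive `by * none` comes first and matches everybody, so `by self write` is never reached; and the two `access to *` directives target the same entries, so the second one (cn=admin) is never consulted. The model below is an added example, not the poster's, Debian's or OpenLDAP's code: it encodes those rules plus the OpenLDAP 1.x `defaultaccess` fallback (a requester matched by no clause of the matching directive gets the default access, which is what lets the anonymous ldapsearch in the post return the entry), and evaluates the posted block next to a reordered one. Assumptions, also marked in comments: DNs are compared by lowercased, whitespace-stripped string equality rather than the regex match real slapd performs, and the only `by` forms modelled are `*`, `self` and `dn=`. This speaks to the userPassword missing from the search output, not to the err=49 on conn=4: the bind on conn=6 succeeded under the same ACL, so clause order is not what rejected that bind.

```python
"""Model how OpenLDAP 1.x slapd evaluates the ACL block from the post, to show
why the entry owner can never read or write its own userPassword as written.

Added example, not code from the post, Debian or OpenLDAP. Rules modelled:
first "access to" directive whose target matches is used; inside it the "by"
clauses are examined in order and the first one matching the requester fixes
the access level; a requester matched by no clause gets defaultaccess.
Simplification (assumption): DNs compared as normalised strings, not regexes.
"""
from collections import namedtuple

LEVELS = ("none", "compare", "search", "read", "write")   # increasing privilege

By = namedtuple("By", "who level")          # who: "*", "self" or "dn=<dn>"
Access = namedtuple("Access", "what bys")   # what: "*" or "attribute=<name>"


def norm_dn(dn):
    """Lowercase and drop spaces around commas, so the log's upper-case DN and
    the slapd.conf spelling compare equal (assumed normalisation)."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""


def who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "self":          # bound requester asking about its own entry
        return requester_dn != "" and norm_dn(requester_dn) == norm_dn(target_dn)
    if who.startswith("dn="):
        return requester_dn != "" and norm_dn(who[3:]) == norm_dn(requester_dn)
    raise ValueError("unsupported by-clause: " + who)


def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attribute="):
        return attr is not None and what[10:].lower() == attr.lower()
    raise ValueError("unsupported target: " + what)


def granted(acl, default_access, requester_dn, target_dn, attr, want):
    """Is `want` (one of LEVELS) allowed on attr (None = the entry itself) of
    target_dn? An empty requester_dn is an anonymous requester."""
    need = LEVELS.index(want)
    for directive in acl:
        if not what_matches(directive.what, attr):
            continue
        for clause in directive.bys:
            if who_matches(clause.who, requester_dn, target_dn):
                return LEVELS.index(clause.level) >= need   # first match decides
        break   # target matched but no clause matched the requester: defaultaccess
    return LEVELS.index(default_access) >= need


def to_slapd_conf(acl):
    """Render an ACL list back into slapd.conf syntax."""
    lines = []
    for d in acl:
        lines.append("access to " + d.what)
        lines.extend("\tby %s %s" % (c.who if c.who in ("*", "self") else 'dn="%s"' % c.who[3:], c.level)
                     for c in d.bys)
    return "\n".join(lines)


TURBO = "uid=turbo, ou=People, o=DonFransUrbo, c=SE"     # DNs as written in the post
ADMIN = "cn=admin,ou=People,o=DonFransUrbo,c=SE"
DEFAULT = "read"                                          # the post's "defaultaccess read"

# Exactly the post's ordering: the catch-all "by * none" is examined first and
# matches everyone, so "by self write" is dead.
POSTED_ACL = [
    Access("attribute=userPassword", [By("*", "none"), By("self", "write")]),
    Access("*", [By("dn=" + TURBO, "write")]),
    Access("*", [By("dn=" + ADMIN, "write")]),   # unreachable: the directive above always matches first
]

# Reordered: specific clauses before the catch-all, and the two "access to *"
# directives merged so the admin clause can be reached.
FIXED_ACL = [
    Access("attribute=userPassword", [By("dn=" + ADMIN, "write"), By("self", "write"), By("*", "none")]),
    Access("*", [By("dn=" + ADMIN, "write"), By("dn=" + TURBO, "write"), By("*", "read")]),
]


def self_can_read_password(acl):
    """Can uid=turbo, bound with the DN spelling seen in the log, read its own userPassword?"""
    return granted(acl, DEFAULT, "UID=TURBO,OU=PEOPLE,O=DONFRANSURBO,C=SE", TURBO, "userPassword", "read")


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        print("%s: self reads userPassword=%s anonymous reads userPassword=%s "
              "anonymous reads entry=%s admin writes entry=%s" % (
                  name, self_can_read_password(acl),
                  granted(acl, DEFAULT, "", TURBO, "userPassword", "read"),
                  granted(acl, DEFAULT, "", TURBO, None, "read"),
                  granted(acl, DEFAULT, ADMIN, TURBO, None, "write")))
    print(to_slapd_conf(FIXED_ACL))
```

With the posted order, the owner is denied userPassword exactly as an anonymous client is, so an authenticated `ldapsearch -D 'uid=turbo,...' -W ... userPassword` would come back as empty as the anonymous one in the post; with the reordered block the owner and cn=admin see it, anonymous clients still do not, and anonymous search of the rest of the entry keeps working through `by * read`.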