[I'm not sure if this is the first, second or third mail. I haven't seen it on the list]

I've been having problems with LDAP for quite some time now. I haven't had this on high priority (started a new job 3 months ago, which takes 100% of my time). Now we're looking into a more uniform way of authenticating our users. As it is now, they have one account on the mail server (Linux) and one on the PDC. This is not good naturally, taking extra time to add/remove/change a user and the user's passwords etc. Enter LDAP.

I've been talking about this with the Debian maintainer of LDAP (who is also one of the OpenLDAP developers, Ben Collins), but we (I?) haven't been able to resolve the problem quite yet...

SSHd is checking the LDAP database (according to the logs), but I can't log in.

Log file
----- s n i p -----
Sep 17 19:18:11 papadoc tcplogd: ssh connection attempt from localhost [127.0.0.1]
Sep 17 19:18:11 papadoc sshd[26031]: connect from 127.0.0.1
Sep 17 19:18:11 papadoc sshd[26031]: log: Connection from 127.0.0.1 port 1023
Sep 17 19:18:11 papadoc slapd[877]: conn=3 fd=7 connection from localhost (127.0.0.1) accepted.
Sep 17 19:18:11 papadoc slapd[26033]: conn=3 op=0 BIND dn="" method=128
Sep 17 19:18:11 papadoc slapd[26033]: conn=3 op=0 RESULT err=0 tag=97 nentries=0
Sep 17 19:18:11 papadoc tcplogd: ldap connection attempt from localhost [127.0.0.1]
Sep 17 19:18:11 papadoc slapd[26034]: conn=3 op=1 SRCH base="O=DONFRANSURBO,C=SE" scope=2 filter="(uid=TURBO)"
Sep 17 19:18:11 papadoc slapd[877]: conn=3 op=-1 fd=7 closed errno=0
Sep 17 19:18:11 papadoc slapd[26036]: conn=3 op=2 UNBIND
Sep 17 19:18:11 papadoc slapd[26034]: conn=3 op=1 RESULT err=0 tag=101 nentries=1
Sep 17 19:18:12 papadoc sshd[26031]: log: Wrong response to RSA authentication challenge.
Sep 17 19:18:16 papadoc slapd[877]: conn=4 fd=7 connection from localhost (127.0.0.1) accepted.
Sep 17 19:18:16 papadoc tcplogd: ldap connection attempt from localhost [127.0.0.1]
Sep 17 19:18:16 papadoc slapd[26064]: conn=4 op=0 BIND dn="UID=TURBO,OU=PEOPLE,O=DONFRANSURBO,C=SE" method=128
Sep 17 19:18:16 papadoc sshd[26031]: pam_ldap: ldap_simple_bind_s Invalid credentials
Sep 17 19:18:16 papadoc sshd[26031]: fatal: Connection closed by remote host.
Sep 17 19:18:16 papadoc slapd[877]: conn=4 op=-1 fd=7 closed errno=0
Sep 17 19:18:16 papadoc slapd[26064]: conn=4 op=0 RESULT err=49 tag=97 nentries=0
Sep 17 19:18:16 papadoc slapd[26065]: conn=4 op=1 UNBIND
Sep 17 19:18:37 papadoc tcplogd: ssh connection attempt from localhost [127.0.0.1]
Sep 17 19:18:37 papadoc sshd[26165]: connect from 127.0.0.1
Sep 17 19:18:37 papadoc sshd[26165]: log: Connection from 127.0.0.1 port 1022
Sep 17 19:18:37 papadoc slapd[877]: conn=5 fd=7 connection from localhost (127.0.0.1) accepted.
Sep 17 19:18:37 papadoc tcplogd: ldap connection attempt from localhost [127.0.0.1]
Sep 17 19:18:37 papadoc slapd[26167]: conn=5 op=0 BIND dn="" method=128
Sep 17 19:18:37 papadoc slapd[26167]: conn=5 op=0 RESULT err=0 tag=97 nentries=0
Sep 17 19:18:37 papadoc slapd[26168]: conn=5 op=1 SRCH base="O=DONFRANSURBO,C=SE" scope=2 filter="(uid=TURBO)"
Sep 17 19:18:37 papadoc slapd[877]: conn=5 op=-1 fd=7 closed errno=0
Sep 17 19:18:37 papadoc slapd[26168]: conn=5 op=1 RESULT err=0 tag=101 nentries=1
Sep 17 19:18:38 papadoc slapd[26172]: conn=5 op=2 UNBIND
Sep 17 19:18:38 papadoc sshd[26165]: log: Wrong response to RSA authentication challenge.
Sep 17 19:18:43 papadoc slapd[877]: conn=6 fd=7 connection from localhost (127.0.0.1) accepted.
Sep 17 19:18:43 papadoc tcplogd: ldap connection attempt from localhost [127.0.0.1]
Sep 17 19:18:44 papadoc slapd[26261]: conn=6 op=0 BIND dn="UID=TURBO,OU=PEOPLE,O=DONFRANSURBO,C=SE" method=128
Sep 17 19:18:44 papadoc sshd[26165]: fatal: Connection closed by remote host.
Sep 17 19:18:44 papadoc slapd[26261]: conn=6 op=0 RESULT err=0 tag=97 nentries=0
Sep 17 19:18:44 papadoc slapd[877]: conn=6 op=-1 fd=7 closed errno=0
Sep 17 19:18:44 papadoc slapd[26263]: conn=6 op=1 UNBIND
----- s n i p -----

/etc/pam.d/ssh
----- s n i p -----
#%PAM-1.0
#[For version 1.0 syntax, the above header is optional]
#
# The PAM configuration file for the `sshd' service
#
auth       required     pam_ldap.so
account    required     pam_ldap.so
password   required     pam_ldap.so
session    required     pam_ldap.so
----- s n i p -----

/etc/openldap/slapd.conf
----- s n i p -----
# This is the main ldapd configuration file.

# Schema and objectClass definitions
include         /etc/openldap/slapd.at.conf
include         /etc/openldap/slapd.oc.conf

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     off

# Where clients are referred to if no
# match is found locally
referral        ldap://ldap.four11.com

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd.pid

#######################################################################
# ldbm database definitions
#######################################################################

# The backend type, ldbm, is the default standard
database        ldbm

# The base of your directory
suffix          "o=DonFransUrbo, c=SE"

# Where the database files are physically stored
directory       "/var/lib/openldap"

# By default, only read access is allowed
defaultaccess   read

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry above
access to attribute=userPassword
        by * none
        by self write

access to *
        by dn="uid=turbo, ou=People, o=DonFransUrbo, c=SE" write

# The admin dn has full write access
access to *
        by dn="cn=admin,ou=People,o=DonFransUrbo,c=SE" write

# End of ldapd configuration file
----- s n i p -----

Output from search
----- s n i p -----
[ssh.papadoc]$ ldapsearch -b 'o=DonFransUrbo, c=SE' 'uid=turbo'
uid=turbo,ou=People,o=DonFransUrbo,c=SE
uid=turbo
cn=Turbo Fredriksson
objectclass=top
objectclass=account
objectclass=posixAccount
objectclass=shadowAccount
shadowlastchange=10557
shadowmax=99999
shadowwarning=7
loginshell=/bin/bash
uidnumber=2000
gidnumber=4
homedirectory=/home/operators/turbo
gecos=Turbo Fredriksson
----- s n i p -----

What I don't like very much about the search is that the userPassword can't be retrieved:

----- s n i p -----
[ssh.papadoc]$ ldapsearch -b 'o=DonFransUrbo, c=SE' 'uid=turbo' userPassword
uid=turbo,ou=People,o=DonFransUrbo,c=SE
----- s n i p -----

What am I missing? I've been checking the list archive (Thread: 'nss_ldap, pam_ldap woes') but it seems that I've progressed a little further; the password isn't returned...

Sep 17 19:18:16 papadoc sshd[26031]: pam_ldap: ldap_simple_bind_s Invalid credentials

I would very (!!) much appreciate any help in getting this to work (next problem will be to get Kerberos to work/interact with this :)

-- 
Turbo

 __ _                         Debian GNU     Unix _IS_ user friendly - it's just
/ /(_)_ __  _   ___  __         ^^^^^        selective about who its friends are
/ / | | '_ \| | | \ \/ /                     Debian Certified Linux Developer
_ /// / /__| | | | | |_| |> <                Turbo Fredriksson   turbo@tripnet.se
\\\/ \____/_|_| |_|\__,_/_/\_\               Stockholm/Sweden

-- 
cryptographic bomb AK-47 KGB Serbian [Hello to all my fans in domestic surveillance] Qaddafi strategic class struggle Waco, Texas Noriega munitions terrorist Nazi Kennedy
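Added example, not part of the mail above or of any OpenLDAP/pam_ldap code: a small Python script that reads slapd log lines of the kind posted above, groups them by conn= and op= (in this log the lines arrive out of order and under different slapd PIDs, so matching on PID or on line order would pair the wrong BIND with the wrong RESULT), decodes the LDAP constants (method=128 is a simple bind, err=49 is invalidCredentials, tag=97 is bindResponse, tag=101 is searchResDone) and reports each bind with its outcome. The sample input is a constructed subset of the mail's own log (conn=3, 4 and 6, with the interleaved sshd lines left in to show they are skipped); nothing about the poster's actual setup is assumed.

```python
import re

# Constructed sample input: slapd lines copied from the post's log for conn=3, 4 and 6
# (conn=5 omitted for brevity). The sshd lines are kept to show that non-slapd lines are ignored.
SAMPLE_LOG = """\
Sep 17 19:18:11 papadoc sshd[26031]: log: Connection from 127.0.0.1 port 1023
Sep 17 19:18:11 papadoc slapd[877]: conn=3 fd=7 connection from localhost (127.0.0.1) accepted.
Sep 17 19:18:11 papadoc slapd[26033]: conn=3 op=0 BIND dn="" method=128
Sep 17 19:18:11 papadoc slapd[26033]: conn=3 op=0 RESULT err=0 tag=97 nentries=0
Sep 17 19:18:11 papadoc slapd[26034]: conn=3 op=1 SRCH base="O=DONFRANSURBO,C=SE" scope=2 filter="(uid=TURBO)"
Sep 17 19:18:11 papadoc slapd[877]: conn=3 op=-1 fd=7 closed errno=0
Sep 17 19:18:11 papadoc slapd[26036]: conn=3 op=2 UNBIND
Sep 17 19:18:11 papadoc slapd[26034]: conn=3 op=1 RESULT err=0 tag=101 nentries=1
Sep 17 19:18:16 papadoc slapd[877]: conn=4 fd=7 connection from localhost (127.0.0.1) accepted.
Sep 17 19:18:16 papadoc slapd[26064]: conn=4 op=0 BIND dn="UID=TURBO,OU=PEOPLE,O=DONFRANSURBO,C=SE" method=128
Sep 17 19:18:16 papadoc sshd[26031]: pam_ldap: ldap_simple_bind_s Invalid credentials
Sep 17 19:18:16 papadoc slapd[877]: conn=4 op=-1 fd=7 closed errno=0
Sep 17 19:18:16 papadoc slapd[26064]: conn=4 op=0 RESULT err=49 tag=97 nentries=0
Sep 17 19:18:16 papadoc slapd[26065]: conn=4 op=1 UNBIND
Sep 17 19:18:43 papadoc slapd[877]: conn=6 fd=7 connection from localhost (127.0.0.1) accepted.
Sep 17 19:18:44 papadoc slapd[26261]: conn=6 op=0 BIND dn="UID=TURBO,OU=PEOPLE,O=DONFRANSURBO,C=SE" method=128
Sep 17 19:18:44 papadoc slapd[26261]: conn=6 op=0 RESULT err=0 tag=97 nentries=0
Sep 17 19:18:44 papadoc slapd[877]: conn=6 op=-1 fd=7 closed errno=0
Sep 17 19:18:44 papadoc slapd[26263]: conn=6 op=1 UNBIND
"""

# LDAP protocol constants (RFC 4511 result codes; LDAP_AUTH_SIMPLE = 0x80, LDAP_AUTH_SASL = 0xa3).
RESULT_CODES = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform"}
BIND_METHODS = {128: "simple", 163: "sasl"}
RESPONSE_TAGS = {97: "bindResponse", 101: "searchResDone"}

LINE_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$')
ACCEPT_RE = re.compile(r'^fd=\d+ connection from (?P<peer>.*) accepted\.$')
OP_RE = re.compile(r'^op=(?P<op>-?\d+) (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d+) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)')


def parse_slapd_log(text):
    """Group slapd lines into {conn: {"peer", "closed", "ops": {op: record}}}.

    Keying on conn= and op= (not on PID or line order) is what makes the out-of-order
    RESULT lines in this log land on the right operation."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sshd, tcplogd or anything else that is not slapd
        conn = conns.setdefault(int(m["conn"]), {"peer": None, "closed": False, "ops": {}})
        a = ACCEPT_RE.match(m["rest"])
        if a:
            conn["peer"] = a["peer"]
            continue
        o = OP_RE.match(m["rest"])
        if not o:
            continue
        op, body = int(o["op"]), o["body"]
        if op == -1:  # "op=-1 fd=7 closed errno=0" is the connection close, not an operation
            conn["closed"] = True
            continue
        rec = conn["ops"].setdefault(op, {})
        b, s, r = BIND_RE.match(body), SRCH_RE.match(body), RESULT_RE.match(body)
        if b:
            rec.update(type="BIND", dn=b["dn"],
                       method=BIND_METHODS.get(int(b["method"]), "method %s" % b["method"]))
        elif s:
            rec.update(type="SRCH", base=s["base"], scope=int(s["scope"]), filter=s["filter"])
        elif r:
            err = int(r["err"])
            rec.update(err=err, result=RESULT_CODES.get(err, "code %d" % err),
                       tag=RESPONSE_TAGS.get(int(r["tag"]), "tag %s" % r["tag"]),
                       nentries=int(r["nentries"]))
        elif body == "UNBIND":
            rec["type"] = "UNBIND"
    return conns


def bind_results(conns):
    """Every BIND with its outcome, ordered by conn/op. An anonymous bind has dn == ""."""
    out = []
    for cn in sorted(conns):
        for op in sorted(conns[cn]["ops"]):
            rec = conns[cn]["ops"][op]
            if rec.get("type") == "BIND":
                out.append({"conn": cn, "op": op, "dn": rec["dn"], "method": rec.get("method"),
                            "err": rec.get("err"), "result": rec.get("result", "no RESULT logged")})
    return out


def failed_binds(conns):
    """Binds whose RESULT carried a non-zero error (a missing RESULT is reported separately)."""
    return [b for b in bind_results(conns) if b["err"] not in (0, None)]


if __name__ == "__main__":
    parsed = parse_slapd_log(SAMPLE_LOG)
    for b in bind_results(parsed):
        print("conn=%d op=%d %s bind as %s -> err=%s (%s)" % (
            b["conn"], b["op"], b["method"], b["dn"] or "(anonymous)", b["err"], b["result"]))
    for f in failed_binds(parsed):
        print("FAILED: conn=%d dn=%s: %s" % (f["conn"], f["dn"], f["result"]))
```

Run against the sample it reports what the raw log shows once the lines are paired up: the anonymous bind on conn=3 succeeds and its search for (uid=TURBO) returns one entry, the simple bind as the user DN on conn=4 comes back err=49 invalidCredentials, and the same bind on conn=6 comes back err=0. Feeding it a full syslog instead of the embedded sample only needs `parse_slapd_log(open(path).read())`.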