
pam_ldap v99, OpenLDAP v2.0.9 and SASL/Kerberos



[Sorry about the cross post, but I'm uncertain that this is a PAM/LDAP
 issue alone. If answering me on the pamldap list, please Cc me, because
 I am not yet subscribed to this list. I'm still waiting for approval.]

I'm trying to get my test installation of OpenLDAP2 and PAM/LDAP
(in a CHROOT) to get the passwords from a KerberosV KDC but all
the rest of the information (homedirectory, [ug]idnumber etc)
from my LDAP server. Outside the chroot I have a functioning
OpenLDAP1/KerberosV installation working.


This is the software I'm running outside the chroot:
        Debian GNU/Linux        Potato (stable)
        OpenLDAP1               1.2.11
        KerberosV KDC           1.2.2
        libpam-ldap             43
        libnss-ldap             122

        -> As said, this works like a charm. Kinit, ksu, ktelnet etc
           work. I can use libpam-ldap and libpam-krb5 to
           authenticate with the password either from kerberos or the
           LDAP database on all services (ssh/login/ftp/wdm etc). The
           password is stored with {crypt} in the LDAP db.
           
In the chroot, this is the software I'm running:
        Debian GNU/Linux        Sid (unstable)
        OpenLDAP2               2.0.9 (with SASL support etc)
        Cyrus SASL              1.5.24
        libpam-ldap             99
        libnss-ldap             140

Outside the chroot, I have  the following line in my /etc/inittab file
(/mnt/rescue is where my chroot is located):
----- s n i p -----
10:23:respawn:sh -c 'cd /mnt/rescue ; chroot . /sbin/getty 38400 tty10'
----- s n i p -----


[The following are information from the chroot]

The LDAP server is running on  port 3389 and ldaps:///, and is compiled
with the following options (amongst others):

        --with-tls
        --enable-kpasswd
        --enable-spasswd

I have the following attribute/value in the LDAP database:

        dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
        userPassword:: e1NBU0x9dHVyYm8=

That 'e1NBU0x9dHVyYm8=' is supposed to be '{SASL}turbo'... Why is it
base64 (I assume) encoded?

The rest of the database is a dump from the functioning server outside
the chroot (only the 'userPassword' attribute has been changed).

This is the pam config file for login (same as the one outside the chroot):
----- s n i p -----
auth		required	pam_nologin.so
auth		sufficient	pam_krb5.so
auth		sufficient	pam_ldap.so
auth		required	pam_unix.so try_first_pass shadow
auth		required	pam_env.so
auth		required	pam_issue.so issue=/etc/issue.net

account		sufficient	pam_krb5.so
account		sufficient	pam_ldap.so
account		required	pam_unix.so try_first_pass shadow

password	sufficient	pam_krb5.so
password	required	pam_ldap.so md5
session		required	pam_unix.so
session		optional	pam_lastlog.so
session		optional	pam_motd.so
session		optional	pam_mail.so standard noenv
session		required	pam_mkhomedir.so skel=/etc/skel/
----- s n i p -----

This is the configuration from /etc/pam_ldap.conf:
----- s n i p -----
host 127.0.0.1
base dc=com
port 3389
----- s n i p -----

The same information is also in /etc/libnss-ldap.conf and
the OpenLDAP config files (/etc/ldap/ldap.conf).

The /etc/nsswitch.conf file:
----- s n i p -----
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns ldap
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
----- s n i p -----


When trying to login as 'turbo', I get this:
----- s n i p -----
CHROOT:/etc/init.d# /bin/login 
login: turbo
Password for turbo@BAYOUR.COM: 
LDAP Password: 
Login incorrect
----- s n i p -----

and in the syslog:
----- s n i p -----
Mar 14 17:45:37 {HOSTNAME} tcplogd: port 3389 connection attempt from {FQDN} [{IPADDRES}]
Mar 14 17:45:44 {HOSTNAME} tcplogd: port 3389 connection attempt from localhost [127.0.0.1]
----- s n i p -----

Entering either the LDAP password OR the KDC password at the 'LDAP Password' prompt
makes no difference... I have also tried using 'userPassword: turbo@MY.REALM' in
the database. No change.

Doing the same thing outside the chroot (as root) works fine. It will accept my
Kerberos password...

To verify that I can't find any obvious problems with the chroot configuration,
this is what I did:
----- s n i p -----
CHROOT:/etc/init.d# kinit turbo@MY.REALM
Password for turbo@MY.REALM: 
 [=> klist shows that I have a krbtgt ticket]
CHROOT:/etc/init.d# ldapsearch -U turbo -H ldaps:/// uid=turbo
 [=> will show me the full object of 'turbo', verified by double
     checking by binding with the BindDN as usual]
----- s n i p -----

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden

terrorist assassination NORAD KGB North Korea domestic disruption
toluene killed Honduras Khaddafi FBI Saddam Hussein 767 Delta Force
tritium
[See http://www.aclu.org/echelonwatch/index.html for more about this]
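Added example, not part of the original post: in LDIF a double colon (`attr:: value`) means the value is base64-encoded, so decoding the quoted `userPassword::` line confirms what scheme prefix is actually stored before blaming pam_ldap or SASL. The LDIF entry below is constructed from the attributes quoted in the post; the helper names are mine.

```python
import base64

# Constructed sample entry, based on the dn and userPassword quoted in the post.
SAMPLE_LDIF = """\
dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
userPassword:: e1NBU0x9dHVyYm8=
uidNumber: 1000
"""


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry.

    Handles continuation lines (a leading single space) and decodes
    '::' base64 values, as described in RFC 2849.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation line
        elif raw.strip():
            logical.append(raw)

    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: base64data'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def password_scheme(value):
    """Return the {SCHEME} prefix of a userPassword value, or None if cleartext."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return None


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for pw in entry.get("userPassword", []):
        print(pw, "->", password_scheme(pw))
```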