test my LDAP server ONLY using ssh?
Can I do this?
I have OpenLDAP 2.1.12 built from source on a Redhat 7.3 box. I also
installed pam_ldap and nss_ldap from source.
I know things are working to some extent, because I was able to
successfully lock everyone out of the box by specifying 'ldap' in the
proper places in my nsswitch file :-P
What I'd like to do now is test by pointing ONLY ssh at the ldap server,
so that if things don't work I can get in by some other means - and the
console if necessary.
I've edited my /etc/pam.d/sshd (it's gone through several iterations)
file so it looks like this (right now):
auth required /lib/security/pam_nologin.so
auth required /opt/local/lib/security/pam_ldap.so
#auth required /lib/security/pam_pwdb.so shadow nodelay
account required /opt/local/lib/security/pam_ldap.so
#account required /lib/security/pam_pwdb.so
password required /opt/local/lib/pam_ldap.so
password required /lib/security/pam_cracklib.so
#password required /lib/security/pam_pwdb.so shadow nullok use_authtok
#session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
#session required /lib/security/pam_pwdb.so
session required /lib/security/pam_ldap.so
And my /etc/ldap.conf file just has the 'host' and 'base' designations
in it. Here's the log output from the last test I performed - I've put
line breaks between the log entries for easier reading:
Jan 22 15:33:47 current slapd[4072]: conn=29 fd=14 ACCEPT from IP=128.112.6.64:39097 (IP=0.0.0.0:389)

Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 BIND dn="" method=128

Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 RESULT tag=97 err=0 text=

Jan 22 15:33:47 current slapd[4085]: conn=29 op=1 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesy))"

Jan 22 15:33:47 current slapd[4085]: <= bdb_equality_candidates: index_param failed (18)

Jan 22 15:33:47 current slapd[4085]: conn=29 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jan 22 15:33:47 current slapd[4074]: conn=29 op=2 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=jonesy))"

Jan 22 15:33:47 current slapd[4074]: <= bdb_equality_candidates: index_param failed (18)

Jan 22 15:33:47 current slapd[4074]: conn=29 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=

Jan 22 15:33:57 current slapd[4085]: conn=29 op=3 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=jonesy))"

Jan 22 15:33:57 current slapd[4085]: <= bdb_equality_candidates: index_param failed (18)

Jan 22 15:33:57 current slapd[4085]: conn=29 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=

Jan 22 15:34:04 current slapd[4074]: conn=29 op=4 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=jonesy))"

Jan 22 15:34:04 current slapd[4074]: <= bdb_equality_candidates: index_param failed (18)

Jan 22 15:34:04 current slapd[4074]: conn=29 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=

Jan 22 15:34:07 current slapd[4072]: conn=29 fd=14 closed
Here's the entry for the user I'm trying to log in as. Curiously,
there's no 'shadowAccount' objectClass. Is this necessary? I also
notice it's looking for 'posixAccount' first, which is here.
dn: uid=jonesy,ou=People,dc=my,dc=domain,dc=com
uid: jonesy
cn: Brian K. Jones
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 3025
gidNumber: 22
homeDirectory: /home/jonesy
gecos: My gecos field
userPassword:: e1NNRDV....
Thanks for any advice here.
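As an added example (not part of the original post, and not code from the OpenLDAP or pam_ldap projects): a small Python script that reads slapd connection logs of the shape shown above, pairs each SRCH with its SEARCH RESULT, and reports which filters came back with zero entries, which object classes were asked for but never matched, and which connections bound anonymously. The embedded sample log is a constructed subset of the lines from the post; the log line formats and regular expressions are assumptions based only on what the post shows. Run on that sample it reproduces the observation in the post: the posixAccount search returns one entry, every shadowAccount search returns none, and the whole lookup ran on an anonymous bind (dn=""), so it was subject to whatever access slapd grants anonymous clients.

```python
"""Summarise slapd connection logs: who connected, how they bound, which
searches ran and which returned nothing. Added example; assumes the log
line shapes visible in the post (ACCEPT / BIND / RESULT / SRCH / SEARCH RESULT)."""
import re
from collections import OrderedDict

# Constructed sample: a subset of the log lines from the post, one entry per line.
SAMPLE_LOG = """\
Jan 22 15:33:47 current slapd[4072]: conn=29 fd=14 ACCEPT from IP=128.112.6.64:39097 (IP=0.0.0.0:389)
Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 BIND dn="" method=128
Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 RESULT tag=97 err=0 text=
Jan 22 15:33:47 current slapd[4085]: conn=29 op=1 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan 22 15:33:47 current slapd[4085]: <= bdb_equality_candidates: index_param failed (18)
Jan 22 15:33:47 current slapd[4085]: conn=29 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 15:33:47 current slapd[4074]: conn=29 op=2 SRCH base="dc=my,dc=domain,dc=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=jonesy))"
Jan 22 15:33:47 current slapd[4074]: conn=29 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 22 15:34:07 current slapd[4072]: conn=29 fd=14 closed
"""

# Line shapes assumed from the post; lines without conn= (index warnings) are skipped.
CONN_RE = re.compile(r"conn=(\d+)")
OP_RE = re.compile(r"op=(\d+)")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):(\d+)")
BIND_RE = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
SRCH_RE = re.compile(r'SRCH base="([^"]*)" scope=(\d+) filter="(.*)"')
SEARCH_RESULT_RE = re.compile(r"SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")
RESULT_RE = re.compile(r"\bRESULT tag=\d+ err=(\d+)")


def parse_slapd_log(text):
    """Return {conn_id: {client, bind_dn, bind_method, bind_op, bind_err, searches}}."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn = conns.setdefault(int(m.group(1)), {
            "client": None, "bind_dn": None, "bind_method": None,
            "bind_op": None, "bind_err": None, "searches": []})
        op_match = OP_RE.search(line)
        op = int(op_match.group(1)) if op_match else None
        if (a := ACCEPT_RE.search(line)):
            conn["client"] = f"{a.group(1)}:{a.group(2)}"
        elif (b := BIND_RE.search(line)):
            conn["bind_dn"], conn["bind_method"], conn["bind_op"] = b.group(1), int(b.group(2)), op
        elif (s := SRCH_RE.search(line)):
            conn["searches"].append({"op": op, "base": s.group(1), "scope": int(s.group(2)),
                                     "filter": s.group(3), "err": None, "nentries": None})
        elif (r := SEARCH_RESULT_RE.search(line)):
            for srch in conn["searches"]:          # pair the result with its SRCH by op number
                if srch["op"] == op:
                    srch["err"], srch["nentries"] = int(r.group(1)), int(r.group(2))
        elif (r := RESULT_RE.search(line)) and op == conn["bind_op"]:
            conn["bind_err"] = int(r.group(1))     # result of the bind itself (tag=97)
    return conns


def empty_searches(conns):
    """(conn, op, filter) for every search that completed with nentries=0."""
    return [(cid, s["op"], s["filter"])
            for cid, c in conns.items() for s in c["searches"] if s["nentries"] == 0]


def missing_objectclasses(conns):
    """Object classes named in some filter that never matched any entry."""
    hit, miss = set(), set()
    for c in conns.values():
        for s in c["searches"]:
            if s["nentries"] is None:
                continue                           # no result line seen for this search
            for oc in re.findall(r"objectClass=([A-Za-z0-9]+)", s["filter"]):
                (hit if s["nentries"] > 0 else miss).add(oc)
    return sorted(miss - hit)


def anonymous_binds(conns):
    """Connections that bound with an empty DN, i.e. ran their searches anonymously."""
    return [cid for cid, c in conns.items() if c["bind_dn"] == ""]


if __name__ == "__main__":
    conns = parse_slapd_log(SAMPLE_LOG)
    for cid, c in conns.items():
        print(f"conn={cid} client={c['client']} bind_dn={c['bind_dn']!r} bind_err={c['bind_err']}")
        for s in c["searches"]:
            print(f"  op={s['op']} nentries={s['nentries']} filter={s['filter']}")
    print("empty searches:", empty_searches(conns))
    print("object classes never matched:", missing_objectclasses(conns))
    print("anonymous binds:", anonymous_binds(conns))
```

Feed it a real slapd log (e.g. `python3 slapd_summary.py < /var/log/slapd.log` after replacing SAMPLE_LOG with stdin) and the per-connection summary shows at a glance which of the client's lookups found nothing, which is usually faster than reading the raw stream when several lookups share one connection.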