authentication question
Hello,
I've set up a gentoo linux system for ldap authentication, and it is
semi-functional. Perhaps you can spot where my configuration error
might be wrong. I suspect it's something wrong with my PAM setup.
I have my user account in both /etc/passwd and in ldap. The passwords
are different. I can bind to the ldap server and do searches, and if
I remove myself from /etc/passwd, my username still appears as the
owner of my files when I do an `ls -l`, instead of just the uid. I'm
running slapd in debug mode 256 so I can see that it is indeed doing
searches when I `ls -l`.
Here's my /etc/pam.d/sshd:
auth required pam_shells.so
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_stack.so service=system-auth
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password sufficient pam_ldap.so
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Now, with my account in both places, when I SSH in, I can type in my
LDAP password, and it authenticates and grants me access. If I
remove my account from /etc/passwd, it will not authenticate. It
seems like SSH/pam_ldap isn't giving the username to LDAP in the
latter case.
When my account is in /etc/passwd, slapd outputs this when I connect
via ssh:
conn=505 op=0 BIND dn="CN=MANAGER,DC=KEARNEYS,DC=CA" method=128
ber_flush: 14 bytes to sd 16
conn=505 op=0 RESULT tag=97 err=0 text=
conn=505 op=1 SRCH base="ou=people,dc=kearneys,dc=ca" scope=1
filter="(&(objectClass=posixAccount)(uid=brent))"
ber_flush: 668 bytes to sd 16
ber_flush: 14 bytes to sd 16
conn=505 op=1 SEARCH RESULT tag=101 err=0 text=
conn=505 op=2 BIND dn="CN=MANAGER,DC=KEARNEYS,DC=CA" method=128
ber_flush: 14 bytes to sd 16
conn=505 op=2 RESULT tag=97 err=0 text=
conn=505 op=3 BIND dn="CN=MANAGER,DC=KEARNEYS,DC=CA" method=128
ber_flush: 14 bytes to sd 16
conn=505 op=3 RESULT tag=97 err=0 text=
daemon: conn=506 fd=17 connection from IP=127.0.0.1:45968
(IP=0.0.0.0:389) accepted.
If I remove my account from /etc/passwd, it does this instead:
conn=515 op=0 BIND dn="CN=MANAGER,DC=KEARNEYS,DC=CA" method=128
ber_flush: 14 bytes to sd 16
conn=515 op=0 RESULT tag=97 err=0 text=
conn=515 op=1 SRCH base="ou=people,dc=kearneys,dc=ca" scope=1
filter="(&(objectClass=posixAccount)(uid=NOUSER))"
ber_flush: 14 bytes to sd 16
conn=515 op=1 SEARCH RESULT tag=101 err=0 text=
conn=515 op=2 BIND dn="CN=MANAGER,DC=KEARNEYS,DC=CA" method=128
ber_flush: 14 bytes to sd 16
conn=515 op=2 RESULT tag=97 err=0 text=
conn=515 op=3 SRCH base="ou=people,dc=kearneys,dc=ca" scope=1
filter="(&(objectClass=posixAccount)(uid=NOUSER))"
ber_flush: 14 bytes to sd 16
conn=515 op=3 SEARCH RESULT tag=101 err=0 text=
daemon: conn=516 fd=22 connection from IP=127.0.0.1:45984
(IP=0.0.0.0:389) accepted.
conn=516 op=0 BIND dn="CN=MANAGER,DC=KEARNEYS,DC=CA" method=128
ber_flush: 14 bytes to sd 22
The search filter has become '(uid=NOUSER)', and authentication
no longer works.
Ideas?
Many thanks,
Brent
--
http://oss.netmojo.ca/
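An added example, not part of the post above and not anything from the poster's system: a small parser for the two slapd debug-256 traces quoted in the message. It pulls each SRCH out of the log, extracts the uid from the pam_ldap filter, and estimates how many entries came back by counting the ber_flush lines between the SRCH and its SEARCH RESULT (one flush per returned entry plus one for the result itself; that inference from the trace format is an assumption, since this slapd version does not print nentries). The sample log is constructed from the lines in the post. The placeholder NOUSER is, as far as I know, what the sshd of that era passed to PAM when getpwnam() on the login name failed, so the script reports it as a name-resolution (NSS) problem rather than a PAM-stack problem; treat that attribution as an assumption and confirm it against your sshd source.

```python
import re

# Constructed sample: the two traces quoted in the post, trimmed to the
# BIND / SRCH / SEARCH RESULT lines that matter for the diagnosis.
SAMPLE_LOG = """\
conn=505 op=0 BIND dn="CN=MANAGER,DC=KEARNEYS,DC=CA" method=128
ber_flush: 14 bytes to sd 16
conn=505 op=0 RESULT tag=97 err=0 text=
conn=505 op=1 SRCH base="ou=people,dc=kearneys,dc=ca" scope=1
filter="(&(objectClass=posixAccount)(uid=brent))"
ber_flush: 668 bytes to sd 16
ber_flush: 14 bytes to sd 16
conn=505 op=1 SEARCH RESULT tag=101 err=0 text=
conn=515 op=0 BIND dn="CN=MANAGER,DC=KEARNEYS,DC=CA" method=128
ber_flush: 14 bytes to sd 16
conn=515 op=0 RESULT tag=97 err=0 text=
conn=515 op=1 SRCH base="ou=people,dc=kearneys,dc=ca" scope=1
filter="(&(objectClass=posixAccount)(uid=NOUSER))"
ber_flush: 14 bytes to sd 16
conn=515 op=1 SEARCH RESULT tag=101 err=0 text=
"""

# Placeholder user name seen in the filter when sshd has no valid login name
# to hand to PAM (assumption about sshd behaviour, see lead-in).
PLACEHOLDER = "NOUSER"

SRCH_RE = re.compile(r'^conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
FILTER_RE = re.compile(r'^filter="(.*)"$')
UID_RE = re.compile(r'\(uid=([^)]*)\)')
FLUSH_RE = re.compile(r'^ber_flush: (\d+) bytes')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) SEARCH RESULT .*err=(\d+)')


def parse_searches(log_text):
    """Return one dict per completed search: conn, op, base, uid, entries, err.

    ber_flush lines are only counted while a search is open, i.e. between
    its SRCH line and its SEARCH RESULT line; the trace is assumed not to
    interleave two searches (true for a single sshd login against slapd).
    """
    searches = []
    current = None
    for line in log_text.splitlines():
        m = SRCH_RE.match(line)
        if m:
            current = {"conn": int(m.group(1)), "op": int(m.group(2)),
                       "base": m.group(3), "uid": None, "flushes": 0,
                       "entries": 0, "err": None}
            continue
        if current is None:
            continue
        m = FILTER_RE.match(line)
        if m:
            u = UID_RE.search(m.group(1))
            current["uid"] = u.group(1) if u else None
            continue
        if FLUSH_RE.match(line):
            current["flushes"] += 1
            continue
        m = RESULT_RE.match(line)
        if m and (int(m.group(1)), int(m.group(2))) == (current["conn"], current["op"]):
            current["err"] = int(m.group(3))
            # one flush per entry returned, plus one for the result PDU
            current["entries"] = max(current["flushes"] - 1, 0)
            searches.append(current)
            current = None
    return searches


def classify(searches):
    """Map each search to (conn, op, uid, status).

    status: "placeholder"  - sshd never passed a real login name to PAM,
                             so NSS/getpwnam() for that user is the thing
                             to check (getent passwd <name>), not pam.d
            "no-entry"     - a real name was looked up but LDAP returned
                             no posixAccount for it (wrong base or uid)
            "ok"           - the account entry was found
    """
    out = []
    for s in searches:
        if s["uid"] == PLACEHOLDER:
            status = "placeholder"
        elif s["entries"] == 0:
            status = "no-entry"
        else:
            status = "ok"
        out.append((s["conn"], s["op"], s["uid"], status))
    return out


if __name__ == "__main__":
    for conn, op, uid, status in classify(parse_searches(SAMPLE_LOG)):
        print(f"conn={conn} op={op} uid={uid}: {status}")
```

Run it against a real `slapd -d 256` capture by replacing SAMPLE_LOG with the file contents; a "placeholder" result tells you to look at name resolution on the sshd host first, while "no-entry" points at the pam_ldap base or filter.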