Hi Tim/Rodney,
I have a question related to Rodney's question. Hope that you or someone can help; it is greatly appreciated.
I tried to configure PAM for rlogin from Client machine which I
expect to authenticate user credential on the LDAP Server. It always
fails.
I haven't configured security for SASL/TLS between Client/Server LDAP. Do I need to configure SASL/TLS in order for PAM to work?
Regards,
Joe
Two Solaris 10 machines (SunFire T2000) are set up to be LDAP client and server.
Installed packages, downloaded from SunFreeWare.com:
openldap-2.4.32-sol10-sparc-local.gz
db-4.7.25.NC-sol10-sparc-local.gz
gcc-3.3.2-sol10-sparc-local.gz
libgcc-3.3-sol10-sparc-local.gz
libtool-2.4.2-sol10-sparc-local.gz
openssl-1.0.1c-sol10-sparc-local.gz
sasl-2.1.25-sol10-sparc-local.gz
From Client LDAP, I am able to add users to Server LDAP, and ldapwhoami execution is also successful.
apggd04dev# ldapwhoami -H ldap://apggd06dev.pg.dtveng.net -x -W -D uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
Enter LDAP Password:
dn:uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
Configuration Changes:
- /etc/pam.conf:
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 debug
- /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
Errors from /var/log/pamlog:
Mar 5 08:56:15 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:20 apggd04dev last message repeated 1 time
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 219349 auth.debug] pam_unix_auth: user jkly not found
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 285619 auth.debug] ldap pam_sm_authenticate(rlogin jkly), flags = 0
Mar 5 08:56:20 apggd04dev login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error Error in underlying service module
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:ruser)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user_prompt)
Mar 5 08:56:24 apggd04dev login: [ID 601877 auth.debug] PAM[3257]: pam_authenticate(296b0, 0)
Mar 5 08:56:24 apggd04dev login: [ID 407395 auth.debug] PAM[3257]: load_modules(296b0, pam_sm_authenticate)=/usr/lib/security/pam_rhosts_auth.so.1
Mar 5 08:56:24 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:24 apggd04dev login: [ID 386855 auth.debug] PAM[3257]: pam_get_user(296b0, 0, NULL)
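As an added illustration (not part of Joe's post, and not code from the OpenLDAP project), the following Python script parses the /var/log/pamlog excerpt above and pulls out the records that matter for the diagnosis. The libsldap warning is the decisive one: on Solaris 10, pam_ldap.so.1 and the "ldap" source in nsswitch.conf are the native client, which reads its profile from /var/ldap/ldap_client_file as written by ldapclient(1M); the OpenLDAP ldapwhoami test in the post exercises a different client library and does not create that file, so a working ldapwhoami says nothing about the native client. The sample log lines are copied from the post; the regular expressions and hint text are this example's own.

```python
import re

# Sample input: the /var/log/pamlog lines quoted in the post above (the
# 'last message repeated' line is kept to show that it is skipped).
SAMPLE_PAMLOG = """\
Mar 5 08:56:15 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:20 apggd04dev last message repeated 1 time
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 219349 auth.debug] pam_unix_auth: user jkly not found
Mar 5 08:56:20 apggd04dev login: [ID 285619 auth.debug] ldap pam_sm_authenticate(rlogin jkly), flags = 0
Mar 5 08:56:20 apggd04dev login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error Error in underlying service module
"""

# Solaris syslog record: timestamp, host, program, "[ID nnnnnn facility.priority]", message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): "
    r"\[ID (?P<msgid>\d+) (?P<facpri>\S+)\] (?P<msg>.*)$"
)
# Message patterns we care about (written for this example from the lines in the post).
UNIX_NOTFOUND_RE = re.compile(r"pam_unix_auth: user (?P<user>\S+) not found")
SLDAP_CONFIG_RE = re.compile(
    r"libsldap: Status: \d+ Mesg: Unable to load configuration '(?P<path>[^']*)'"
)
PAM_ERROR_RE = re.compile(
    r"PAM\[(?P<pid>\d+)\]: pam_authenticate\([0-9a-f]+, \d+\): error (?P<err>.*)$"
)
LDAP_AUTH_RE = re.compile(r"ldap pam_sm_authenticate\((?P<service>\S+) (?P<user>\S+)\)")


def parse_pamlog(text):
    """Yield one dict per syslog record; lines without the [ID ...] tag are skipped."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()


def diagnose(text):
    """Summarise why the PAM auth stack failed, from a pamlog excerpt."""
    findings = {
        "missing_ldap_client_config": None,  # path libsldap could not load
        "users_not_found": [],               # users pam_unix_auth rejected
        "ldap_auth_attempts": [],            # (service, user) seen by pam_ldap
        "pam_errors": [],                    # distinct pam_authenticate() errors, in order
        "hints": [],
    }
    for rec in parse_pamlog(text):
        msg = rec["msg"]
        m = UNIX_NOTFOUND_RE.search(msg)
        if m and m.group("user") not in findings["users_not_found"]:
            findings["users_not_found"].append(m.group("user"))
        m = SLDAP_CONFIG_RE.search(msg)
        if m:
            findings["missing_ldap_client_config"] = m.group("path")
        m = LDAP_AUTH_RE.search(msg)
        if m:
            findings["ldap_auth_attempts"].append((m.group("service"), m.group("user")))
        m = PAM_ERROR_RE.search(msg)
        if m and m.group("err") not in findings["pam_errors"]:
            findings["pam_errors"].append(m.group("err"))

    path = findings["missing_ldap_client_config"]
    if path:
        findings["hints"].append(
            f"libsldap could not read {path}: the Solaris native pam_ldap.so.1 and "
            "nss_ldap take their server/profile settings from the file written by "
            "ldapclient(1M); the OpenLDAP command-line tools do not create it."
        )
    if findings["users_not_found"]:
        findings["hints"].append(
            "pam_unix_auth did not find user(s) " + ", ".join(findings["users_not_found"])
            + ": with 'passwd: files ldap' the ldap source is the same native client, "
            "so an unconfigured client also breaks the name-service lookup."
        )
    return findings


if __name__ == "__main__":
    result = diagnose(SAMPLE_PAMLOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real /var/log/pamlog by reading the file into `diagnose()` instead of `SAMPLE_PAMLOG`; the `hints` list is where the actionable finding ends up, and `pam_errors` preserves the order in which the stack reported failures.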
From: Tim Watts <tw@dionic.net>
To: openldap-technical@openldap.org
Sent: Tuesday, March 5, 2013 11:49 AM
Subject: Re: ssh with ldap authentication
On 05/03/13 19:16, Rodney Simioni wrote:
> Hi,
>
> I'm new to LDAP. I just created a new user in LDAP and it cannot login
> through ssh. It keeps prompting for the password. Any help will be
> greatly appreciated.
Hi Rodney,
There are a million ways ssh auth can fail - bad sshd_config, bad PAM config, bad LDAP client config, LDAP server side problem.
Best to try to test the LDAP authentication first.
Can you try something like (on one line)
ldapwhoami -H ldap://your.ldap.server -x -W -D uid=dude12,ou=people,dc=wh,dc=local
Enter the password when prompted and if it replies with
dn:uid=dude12,ou=people,dc=wh,dc=local
Then that bit works...
Then see if
getent passwd
on the client returns a list of users with dude12 in.
Then post your pam configs and pam_ldap.conf and libnss_ldap.conf (or equivalent according to distro).
-- Tim Watts
Personal Blog: http://squiddy.blog.dionic.net/
http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage