
Re: Getting ldappasswd and PAM in the same page under CentOS 7



OK, I fixed the ACLs (I think), but it is still not working.  I turned on 
verbose debugging for sssd[pam] and moderate debugging for slapd.

Here are my ACLs in /etc/openldap/slapd.d/cn\=config/olcDatabase\={2}hdb.ldif:

olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
  by * none
olcAccess: {1}to *
  by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
  by * read

There are also these olcAccess entries:

in /etc/openldap/slapd.d/cn\=config/olcDatabase\={0}config.ldif:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none

and in /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}monitor.ldif:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=deepsoft,dc=com" read by * none

Here is sssd.conf:

[domain/default]

autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=deepsoft,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.250.98/
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_id_use_start_tls = false
[sssd]
services = nss, pam, autofs

domains = default
[nss]
homedir_substring = /home

[pam]
debug_level = 0x7770
ldap_id_use_start_tls = false


[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Here is the log output from /var/log/sssd/sssd_pam.log:

(Wed Sep 20 12:25:01 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: pcp
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/default/pcp@default]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x4000): User [pcp] not found in PAM cache.
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff2478e9030:3:pcp@default@default]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][0x3][BE_REQ_INITGROUPS][1][name=pcp@default:-]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x7ff248b52b10
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff2478e9030:3:pcp@default@default]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x7ff248b52b10
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x7ff248b435b0
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [pcp@default]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7ff248b55910

(Wed Sep 20 12:25:01 2017) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7ff248b559d0

(Wed Sep 20 12:25:01 2017) [sssd[pam]] [ldb] (0x4000): Running timer event 0x7ff248b55910 "ltdb_callback"

(Wed Sep 20 12:25:01 2017) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x7ff248b559d0 "ltdb_timeout"

(Wed Sep 20 12:25:01 2017) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x7ff248b55910 "ltdb_callback"

(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/default/pcp] to negative cache
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10]: User not known to the underlying authentication module.
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 8
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff2478e9030:3:pcp@default@default]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7ff248b499d0][23]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7ff248b499d0][23]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [client_close_fn] (0x2000): Terminated client [0x7ff248b499d0][23]

and from slapd

● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-09-20 10:02:58 EDT; 2h 25min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 26003 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 25964 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 26005 (slapd)
   CGroup: /system.slice/slapd.service
           └─26005 /usr/sbin/slapd -u ldap -h ldapi:/// ldap://127.0.0.1/ ldap://192.168.250.98/

Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: <= bdb_equality_candidates: (uid) not indexed
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=3 SRCH base="dc=deepsoft,dc=com" scope=2 deref=0 filter="(&(uid=pcp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=3 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey mail
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: <= bdb_equality_candidates: (uid) not indexed
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=4 SRCH base="dc=deepsoft,dc=com" scope=2 deref=0 filter="(&(uid=pcp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=4 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey mail
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: <= bdb_equality_candidates: (uid) not indexed
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=

At this point I am totally stuck.

At  Robert Heller <heller@deepsoft.com> wrote:

> 
> At Wed, 20 Sep 2017 09:09:23 +0200 Clément OUDOT <clement.oudot@savoirfairelinux.com> wrote:
> 
> > 
> > 
> > 
> > On 19/09/2017 at 18:45, Robert Heller wrote:
> > > I am having a hard time setting a user password using ldap (OpenLDAP
> > > 2.4.40-13.el7) on a CentOS 7 system.
> > >
> > > I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client),
> > > nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have
> > > created a user in the ldap database, and getent works just fine -- the uid and
> > > gid are seen, etc. But I cannot set the user's password in a way that works
> > > for su (and presumably login/slogin, etc.).  I am using ldappasswd to set the
> > > user's password.
> > >
> > > I am thinking that PAM and ldappasswd are using *different* oneway encryption
> > > methods and I am guessing I need to update a configuration somewhere (either
> > > for pam, sssd, or nslcd), but I am not finding it.
> > 
> > PAM is an LDAP client so does not read the password, it just sends BIND
> > requests and the OpenLDAP server then checks the password by using the
> > hashing method corresponding to the current password value.
> > 
> > Can you check in your server ACLs (olcAccess parameter) that anonymous
> > users have the 'auth' right on the userPassword attribute?
> 
> OK, I will check...
> 
> > 
> > -- 
> > Clément OUDOT
> > Free software consultant, infrastructure and security expert
> > Savoir-faire Linux
> > 137 boulevard de Magenta - 75010 PARIS
> > Blog: http://sflx.ca/coudot
> > 
> > 
> 

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller@deepsoft.com       -- Webhosting Services
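As an added example (not code from the post or from OpenLDAP), here is a small Python model of how slapd evaluates the olcAccess clauses shown above for olcDatabase={2}hdb: the first `to` clause matching the attribute wins, within it the first matching `by` clause wins, and a request that nothing matches is denied. It models only the `*`, `anonymous`, `self` and `dn=` forms that ACL uses (the dn.base peercred forms in the config and monitor databases are not covered), and the pcp entry DN used in testing it is assumed.

```python
# slapd access levels, lowest first; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Copy of the olcAccess lines from the post's olcDatabase={2}hdb.ldif.
ACL_TEXT = """\
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
  by * none
olcAccess: {1}to *
  by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
  by * read
"""

def parse_acls(text):
    """Return [(target, [(who, level), ...])] in slapd's evaluation order."""
    acls = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("olcAccess:"):
            acls.append((line.split("}to ", 1)[1].strip(), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)   # "by <who> <level>"
            acls[-1][1].append((who, level))
    return acls

def who_matches(who, requester, entry_dn):
    """requester is the bind DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if requester is None:
        return False
    if who == "self":
        return requester.lower() == entry_dn.lower()
    return who.startswith("dn=") and who[3:].lower() == requester.lower()

def allowed(acls, requester, entry_dn, attr, wanted):
    """First matching 'to' wins, then its first matching 'by'; otherwise deny."""
    for target, bys in acls:
        attrs = target[6:].lower().split(",") if target.startswith("attrs=") else None
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in bys:
            if who_matches(who, requester, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False   # 'to' matched but no 'by' did: implicit 'by * none'
    return False       # no 'to' matched: denied
```

With this ACL an anonymous bind gets `auth` on userPassword (enough for the BIND that PAM sends) but not `read`, while every other attribute is readable by anyone. One caveat when reading the slapd log above: entries and attributes the bound identity may not read are silently left out of a search result, so an ACL denial shows up as err=0 with fewer nentries rather than as an error.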