Gentoo Archives: gentoo-user

From: Daniel Troeder <daniel@×××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Ldap authentication issues.
Date: Mon, 03 May 2010 11:47:44
Message-Id: 4BDEB7B3.7070507@admin-box.com
In Reply to: [gentoo-user] Ldap authentication issues. by Indexer
On 05/03/2010 09:41 AM, Indexer wrote:
> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log
>
> May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>
> I can successfully search the LDAP with this user binding to the LDAP
>
> ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=chocolate,dc=lan> (default) with scope subtree
> # filter: (uid=william)
> # requesting: ALL
> #
>
> # william, Admin, chocolate.lan
> dn: uid=william,ou=Admin,dc=chocolate,dc=lan
> uid: william
> cn: william
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> loginShell: /bin/bash
> uidNumber: 10000
> gidNumber: 10000
> homeDirectory: /home/william
> userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE=
> gecos: William Brown,,,,
> description: William Brown
> shadowLastChange: 1
> shadowMax: 0
> shadowExpire: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Slapd when trying to authenticate shows this.
>
> /usr/local/libexec/slapd -4 -d 256
>
> slapd starting
> conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
> conn=0 op=0 BIND dn="" method=128
> conn=0 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=0 deferring operation: binding
> conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
> conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
> conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
> conn=0 fd=10 closed (connection lost)
> conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
> conn=1 op=0 BIND dn="" method=128
> conn=1 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=1 deferring operation: binding
> conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
> conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
> conn=2 op=0 BIND dn="" method=128
> conn=2 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=2 deferring operation: binding
> conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
> conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
> conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=2 fd=12 closed (connection lost)
> conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
> conn=3 op=0 BIND dn="" method=128
> conn=3 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=3 deferring operation: binding
> conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
> conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
> conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=3 fd=12 closed (connection lost)
> conn=1 fd=10 closed (connection lost)
>
>
> Here is my /etc/ldap.conf
> base dc=chocolate,dc=lan
> suffix dc=chocolate,dc=lan
> uri ldap://ldap.srv.chocolate.lan
> ldap_version 3
> rootbinddn cn=Manager,dc=chocolate,dc=lan
> scope one
> timelimit 3
> bind_timelimit 3
> bind_policy soft
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_check_host_attr no
> pam_member_attribute memberuid
> pam_password exop
> nss_reconnect_tries 4 # number of times to double the sleep time
> nss_reconnect_sleeptime 1 # initial sleep value
> nss_reconnect_maxsleeptime 16 # max sleep value to cap at
> nss_reconnect_maxconntries 2 # how many tries before sleeping
> nss_base_passwd ou=Admin,dc=chocolate,dc=lan?one
> nss_base_passwd ou=People,dc=chocolate,dc=lan?one
> nss_base_shadow ou=Admin,dc=chocolate,dc=lan?one
> nss_base_shadow ou=People,dc=chocolate,dc=lan?one
> nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?one
> nss_base_group ou=Marvin,ou=Group,dc=chocolate,dc=lan?one
> ssl off
>
> Here is /etc/openldap/slapd.conf
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb
> access to attrs=userPassword
> by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
> by anonymous auth
> by self write
> by * none
> access to *
> by self write
> by users read
> database bdb
> suffix "dc=chocolate,dc=lan"
> rootdn "cn=Manager,dc=chocolate,dc=lan"
> rootpw {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm
> directory /var/db/openldap-data
> index objectClass eq
> index uid eq
> password-hash {SSHA}
>
> Here is the /etc/openldap/ldap.conf from both the client and server
>
> BASE dc=chocolate,dc=lan
> URI ldap://ldap.srv.chocolate.lan
>
> Any help with this would be greatly appreciated.
>
> William
>
>
I haven't set this up on gentoo, only on debian-server with
ubuntu-clients...

Does NSS work already? Do you see the LDAP users/groups after the
passwd users when you run
$ getent passwd
$ getent group

Assuming you have configured /etc/nsswitch.conf:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
("files ldap" is OK too.)

As long as that does not work, it doesn't make sense to continue to PAM.

Is the password in /etc/ldap.secret OK? Mode should be 400. Check
whether the password for cn=Manager,dc=chocolate,dc=lan in there has
possibly problematic characters.

I need to use nscd on the clients.

BTW: I use MDS/MMC (http://mds.mandriva.org/) on all debian servers for
User/Samba/DNS/DHCP/Mail management with LDAP. It's really good.

The trickiest part of setting up LDAP clients is always PAM :(
Fortunately for debian/ubuntu there are good guides. If you find out how
to do it with gentoo, that info would be appreciated (gentoo-wiki?).

Good luck,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
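
A pre-flight script for the checks in Daniel's reply (NSS before PAM, the nsswitch.conf sources, and the mode and contents of /etc/ldap.secret), added here as an example; it is not code from either poster. It assumes a stat that accepts -c (GNU or busybox), and its definition of "problematic characters" in the secret file (trailing whitespace, a CR, more than one line) is this example's own reading of the advice; file paths are parameters so it can be run against copies.

```shell
#!/bin/sh
# Added example (not from the thread): pre-PAM checks for an nss_ldap/pam_ldap
# client in the order Daniel suggests: NSS first, then the rootbinddn secret.
# Assumes GNU/busybox "stat -c". Paths are parameters so the checks can be run
# against copies; the defaults are the real files.

# 0 if passwd, group and shadow in nsswitch.conf each list "ldap" as a source.
nsswitch_has_ldap() {
    f=${1:-/etc/nsswitch.conf}
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:([^#]*[[:space:]])?ldap([[:space:]]|$)" "$f" \
            || { echo "nsswitch: $db does not use ldap"; return 1; }
    done
    return 0
}

# 0 if NSS resolves the user and the user's primary group (getent passwd/group).
nss_resolves_user() {
    entry=$(getent passwd "$1") || { echo "nss: no passwd entry for $1"; return 1; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    getent group "$gid" >/dev/null || { echo "nss: no group for gid $gid"; return 1; }
}

# 0 if the rootbinddn secret (ldap.conf: rootbinddn cn=Manager,...) is usable:
# mode 400 (as Daniel says; 600 is tolerated) and exactly one non-empty line
# with no trailing space, tab or CR. The content rules are this example's
# reading of "problematic characters": the client uses the line verbatim.
ldap_secret_ok() {
    f=${1:-/etc/ldap.secret}
    [ -f "$f" ] || { echo "secret: $f missing"; return 1; }
    mode=$(stat -c %a "$f")
    case $mode in
        400|600) ;;
        *) echo "secret: mode $mode, expected 400"; return 1 ;;
    esac
    [ "$(grep -c '' "$f")" -eq 1 ] || { echo "secret: must be one line"; return 1; }
    pw=$(head -n 1 "$f")   # $(...) strips the newline, not other trailing bytes
    [ -n "$pw" ] || { echo "secret: empty password"; return 1; }
    if printf '%s' "$pw" | grep -q '[[:space:]]$'; then
        echo "secret: trailing whitespace or CR"; return 1
    fi
    return 0
}

# Run all three for one user; stop at the first failure, as the reply advises.
check_ldap_client() {
    nsswitch_has_ldap && nss_resolves_user "$1" && ldap_secret_ok
}
```

Run it as check_ldap_client william on the client; each failing step prints one line saying which of Daniel's preconditions is not met.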
