On 05/03/2010 09:41 AM, Indexer wrote:
> I am currently trying to make an LDAP server which I can use to authenticate 
> users. Sadly a large number of how-tos are incomplete and don't work, so 
> after reading a lot of how-tos and manuals I have got 99.9% of the way. On 
> attempting to authenticate a user it denies the user access with an error from 
> auth.log
> 
> May  4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william 
> from 172.20.0.1
> 
> I can successfully search the LDAP with this user binding to the LDAP
> 
>  ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W 
> '(uid=william)'
> Enter LDAP Password: 
> # extended LDIF
> #
> # LDAPv3
> # base <dc=chocolate,dc=lan> (default) with scope subtree
> # filter: (uid=william)
> # requesting: ALL
> #
> 
> # william, Admin, chocolate.lan
> dn: uid=william,ou=Admin,dc=chocolate,dc=lan
> uid: william
> cn: william
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> loginShell: /bin/bash
> uidNumber: 10000
> gidNumber: 10000
> homeDirectory: /home/william
> userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE=
> gecos: William Brown,,,,
> description: William Brown
> shadowLastChange: 1
> shadowMax: 0
> shadowExpire: 0
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> Slapd when trying to authenticate shows this.
> 
> /usr/local/libexec/slapd -4 -d 256
> 
> slapd starting
> conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
> conn=0 op=0 BIND dn="" method=128
> conn=0 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=0 deferring operation: binding
> conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 
> filter="(&(objectClass=posixGroup))"
> conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 
> deref=0 filter="(&(objectClass=posixGroup))"
> conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
> conn=0 fd=10 closed (connection lost)
> conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
> conn=1 op=0 BIND dn="" method=128
> conn=1 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=1 deferring operation: binding
> conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 
> filter="(&(objectClass=posixAccount)(uid=william))"
> conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory 
> loginShell gecos description objectClass shadowLastChange shadowMax 
> shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
> conn=2 op=0 BIND dn="" method=128
> conn=2 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=2 deferring operation: binding
> conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 
> filter="(&(objectClass=posixAccount)(uid=william))"
> conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory 
> loginShell gecos description objectClass shadowLastChange shadowMax 
> shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 
> filter="(&(objectClass=posixAccount)(uid=william))"
> conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory 
> loginShell gecos description objectClass shadowLastChange shadowMax 
> shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=2 fd=12 closed (connection lost)
> conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
> conn=3 op=0 BIND dn="" method=128
> conn=3 op=0 RESULT tag=97 err=0 text=
> connection_input: conn=3 deferring operation: binding
> conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 
> filter="(&(objectClass=posixAccount)(uid=william))"
> conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory 
> loginShell gecos description objectClass shadowLastChange shadowMax 
> shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 
> filter="(&(objectClass=posixAccount)(uid=william))"
> conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory 
> loginShell gecos description objectClass shadowLastChange shadowMax 
> shadowExpire
> <= bdb_equality_candidates: (uid) not indexed
> conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=3 fd=12 closed (connection lost)
> conn=1 fd=10 closed (connection lost)
> 
> 
> Here is my /etc/ldap.conf
> base dc=chocolate,dc=lan
> suffix dc=chocolate,dc=lan
> uri ldap://ldap.srv.chocolate.lan
> ldap_version 3
> rootbinddn cn=Manager,dc=chocolate,dc=lan
> scope one
> timelimit 3
> bind_timelimit 3
> bind_policy soft
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_check_host_attr no
> pam_member_attribute memberuid
> pam_password exop
> nss_reconnect_tries 4                   # number of times to double the sleep time
> nss_reconnect_sleeptime 1               # initial sleep value
> nss_reconnect_maxsleeptime 16           # max sleep value to cap at
> nss_reconnect_maxconntries 2            # how many tries before sleeping
> nss_base_passwd         ou=Admin,dc=chocolate,dc=lan?one
> nss_base_passwd         ou=People,dc=chocolate,dc=lan?one
> nss_base_shadow         ou=Admin,dc=chocolate,dc=lan?one
> nss_base_shadow         ou=People,dc=chocolate,dc=lan?one
> nss_base_group          ou=Nemo,ou=Group,dc=chocolate,dc=lan?one
> nss_base_group          ou=Marvin,ou=Group,dc=chocolate,dc=lan?one
> ssl off
> 
> Here is /etc/openldap/slapd.conf
> 
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include          /usr/local/etc/openldap/schema/inetorgperson.schema
> include          /usr/local/etc/openldap/schema/nis.schema
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> modulepath      /usr/local/libexec/openldap
> moduleload      back_bdb
> access to attrs=userPassword
>         by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
>         by anonymous auth
>         by self write
>         by * none
>  access to *
>         by self write
>         by users read
> database        bdb
> suffix          "dc=chocolate,dc=lan"
> rootdn          "cn=Manager,dc=chocolate,dc=lan"
> rootpw          {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm
> directory       /var/db/openldap-data
> index   objectClass     eq 
> index   uid     eq
> password-hash {SSHA}
> 
> Here is the /etc/openldap/ldap.conf from both the client and server
> 
> BASE    dc=chocolate,dc=lan
> URI     ldap://ldap.srv.chocolate.lan
> 
> Any help with this would be greatly appreciated
> 
> William
> 
> 
I haven't set this up on gentoo, only on debian-server with
ubuntu-clients...

Does NSS work already? Do you see the LDAP users/group after the
passwd-users when you run
$ getent passwd
$ getent group

Assuming you have configured /etc/nsswitch.conf:
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
("files ldap" is OK too.)

As long as that does not work, it doesn't make sense to continue to PAM.

Is the password in /etc/ldap.secret OK? Mode should be 400. Try to see
if the password for cn=Manager,dc=chocolate,dc=lan in there does have
possibly problematic characters.

I need to use nscd on the clients.

BTW: I use MDS/MMC (http://mds.mandriva.org/) on all debian servers for
User/Samba/DNS/DHCP/Mail management with LDAP. It's really good.

The trickiest part of setting up LDAP-clients is always PAM :(
Fortunately for debian/ubuntu there are good guides. If you find out how
to do it with gentoo, that info would be appreciated (gentoo-wiki?).

Good luck,
Daniel

-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887

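The checklist in Daniel's reply (NSS before PAM, then the rootbinddn secret, then the directory itself) as a small diagnostic script. This is an added example, not something posted in the thread. It assumes the DN layout William shows (uid=NAME,ou=Admin,dc=chocolate,dc=lan), that local accounts stay below uid 10000 so anything at or above it must have come from LDAP (William's uidNumber is 10000), a hypothetical file name ldapcheck.sh, and an LDAP_CHECK_LIVE=1 switch for the parts that talk to a real system; the sample nsswitch.conf, getent and LDIF inputs are constructed so the parsers can be run offline. The shadow attribute check is there because the posted entry carries shadowMax 0 and shadowExpire 0, which under shadow(5) semantics mean an immediately expiring password and an expiry on the epoch; whether a given pam_ldap build enforces them at authentication varies, so the script flags them rather than diagnosing them.

```shell
#!/bin/sh
# Added diagnostic script (not from the thread): offline-testable checks first,
# live checks only when LDAP_CHECK_LIVE=1, e.g. LDAP_CHECK_LIVE=1 sh ldapcheck.sh william

# Constructed sample inputs so the parsers can be exercised without a directory.
SAMPLE_NSSWITCH='passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns'

SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
daniel:x:1000:1000:Daniel:/home/daniel:/bin/bash
william:x:10000:10000:William Brown,,,,:/home/william:/bin/bash'

SAMPLE_LDIF='dn: uid=william,ou=Admin,dc=chocolate,dc=lan
shadowLastChange: 1
shadowMax: 0
shadowExpire: 0'

# nsswitch_has_ldap DB CONTENT: succeeds if the DB line names the ldap source.
nsswitch_has_ldap() {
    printf '%s\n' "$2" | awk -v db="$1:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }'
}

# ldap_user_present NAME MIN_UID CONTENT: succeeds if getent-style CONTENT lists
# NAME with uid >= MIN_UID. Assumption: local accounts sit below MIN_UID, so a
# hit at or above it must have come from the LDAP source.
ldap_user_present() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v min="$2" '
        $1 == u && $3 + 0 >= min + 0 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# secret_file_issues FILE: prints one line per problem with the rootbinddn
# secret (mode, empty first line, CR or surrounding whitespace that would become
# part of the password, extra lines); succeeds only when nothing is wrong.
secret_file_issues() {
    f=$1 n=0 cr=$(printf '\r') tab=$(printf '\t')
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -n "$(find "$f" -maxdepth 0 -perm 0400 2>/dev/null)" ] \
        || { echo "mode is not 0400"; n=$((n + 1)); }
    first=$(head -n 1 "$f")
    [ -n "$first" ] || { echo "first line is empty"; n=$((n + 1)); }
    case $first in *"$cr"*) echo "contains CR (DOS line ending)"; n=$((n + 1)) ;; esac
    case $first in ' '*|*' '|"$tab"*|*"$tab")
        echo "leading/trailing whitespace"; n=$((n + 1)) ;; esac
    [ "$(awk 'NF' "$f" | wc -l | tr -d ' ')" -le 1 ] \
        || { echo "more than one non-blank line"; n=$((n + 1)); }
    [ "$n" -eq 0 ]
}

# shadow_attr_warnings LDIF: prints a warning for each shadowMax/shadowExpire
# value of 0 (shadow(5): password change every 0 days, expiry on 1970-01-01)
# and fails when any was found. Treat as something to rule out, not a diagnosis.
shadow_attr_warnings() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 ~ /^shadow(Max|Expire)$/ && $2 + 0 == 0 { print $1 " is 0"; w++ }
        END { exit w ? 1 : 0 }'
}

# Live checks in the order the reply suggests: NSS, then the secret, then a
# bind as the user with the password PAM would use. A failed bind points at
# the directory (ACL or password); a successful one moves suspicion to PAM.
main() {
    user=${1:-william}
    for db in passwd group shadow; do
        nsswitch_has_ldap "$db" "$(cat /etc/nsswitch.conf)" \
            || echo "nsswitch.conf: $db does not list ldap"
    done
    if ldap_user_present "$user" 10000 "$(getent passwd)"; then
        echo "NSS resolves $user from LDAP"
    else
        echo "NSS does not resolve $user from LDAP; fix NSS before touching PAM"
    fi
    secret_file_issues /etc/ldap.secret || echo "fix /etc/ldap.secret first"
    out=$(ldapsearch -x -LLL -D "uid=$user,ou=Admin,dc=chocolate,dc=lan" -W \
              -b "ou=Admin,dc=chocolate,dc=lan" "(uid=$user)" shadowMax shadowExpire) \
        || { echo "bind as $user failed: directory-side problem (ACL or password)"; return 1; }
    shadow_attr_warnings "$out" || echo "review the shadow attributes above against shadow(5)"
}

if [ "${LDAP_CHECK_LIVE:-0}" = 1 ]; then main "$@"; fi
```

The offline functions take their input as arguments so the same code runs against the constructed samples and against `cat /etc/nsswitch.conf` or `getent passwd` on a real client; the uid threshold is the only part that needs adjusting for a site whose local accounts are numbered differently.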