Re: [gentoo-user] ldap client authentication
I've enabled compile-time debug flags, to no avail. I did some troubleshooting for several hours last night and discovered something interesting -- the LDAP server is responding with a SUCCESS message to the bind request, but PAM (for whatever reason) is still denying my login request.

Here's the output of a sniffer capture between the client and the LDAP server:

bindResponse resultCode: success (0)

The /var/log/auth.log file indicates the following:

== auth.log ==
Nov 3 06:24:00 s_dg...@auth.whatever.com sshd[11393]: error: PAM: Authentication failure for illegal user tb from 10.9.3.153
Nov 3 06:24:00 s_dg...@auth.whatever.com sshd[11393]: Failed keyboard-interactive/pam for invalid user tb from 10.9.3.153 port 56665 ssh2
Nov 3 06:24:00 s_dg...@auth.whatever.com sshd[11396]: pam_tally2(sshd:auth): pam_get_uid; no such user

My /etc/pam.d/system-auth file is pretty much verbatim what is listed here: http://www.gentoo.org/doc/en/ldap-howto.xml

Also, my /etc/nsswitch.conf file has files and ldap in the appropriate places.

passwd: files ldap
shadow: files ldap
group:  files ldap

Thoughts would be greatly appreciated -- I'm almost there! I just need to figure out why PAM isn't playing nice with LDAP authentication.

-james

I'm so close I can taste it. :) Any thoughts or ideas on how to fix this would be greatly appreciated.

On Fri, Nov 5, 2010 at 20:06, Ward Poelmans wpoel...@gmail.com wrote:
> On Fri, Nov 5, 2010 at 20:46, James j...@nc.rr.com wrote:
>> The logdir is filled with empty files that, in the name of the file, have the pid of the pam process. However, these files are empty and they do not have anything in them. Thoughts?
>
> Try putting the compile time debugging options on?
>
> Ward
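An added example, not part of the thread and not code from any poster: sshd logs "invalid user" (older releases wrote "illegal user") when the login name cannot be resolved through NSS, i.e. getpwnam() returned nothing, and that lookup happens before any PAM auth module is consulted; pam_tally2's "pam_get_uid; no such user" records the same lookup failure. sshd still runs the PAM stack for an unresolved name, so pam_ldap's bind can succeed on the wire while the login is nonetheless refused. That makes the auth.log lines above worth triaging as an NSS (nsswitch.conf / nss_ldap) problem first, separately from the PAM (pam_ldap / system-auth) stack. The POSIX shell script below classifies auth.log lines on that distinction and wraps the check a practitioner would run first, getent passwd <name>, which performs the same NSS lookup sshd does. The sample log, the host name "client" and the login name "tb" in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd/PAM failures in auth.log
# and run the NSS lookup that sshd performs before PAM ever sees a password.
# The sample log, host name and the login name "tb" below are constructed.

# Classify one auth.log line. Prints exactly one of:
#   nss-lookup-failure  the login name did not resolve via NSS (getpwnam failed)
#   pam-auth-failure    the name resolved, PAM rejected the credentials
#   other               not an authentication failure
# Patterns are tested in order, so a line that says both "Authentication
# failure" and "illegal user" is counted as an NSS lookup failure.
classify_auth_line() {
    case "$1" in
        *"invalid user"*|*"illegal user"*|*"pam_get_uid; no such user"*)
            echo nss-lookup-failure ;;
        *"Authentication failure for"*|*"Failed keyboard-interactive/pam for"*|*"Failed password for"*)
            echo pam-auth-failure ;;
        *)
            echo other ;;
    esac
}

# Count each class over a log read from stdin; prints "nss=N pam=N other=N".
triage_auth_log() {
    nss=0; pam=0; other=0
    while IFS= read -r line; do
        case "$(classify_auth_line "$line")" in
            nss-lookup-failure) nss=$((nss + 1)) ;;
            pam-auth-failure)   pam=$((pam + 1)) ;;
            *)                  other=$((other + 1)) ;;
        esac
    done
    echo "nss=$nss pam=$pam other=$other"
}

# The same lookup sshd does: can NSS (nsswitch.conf: "passwd: files ldap")
# resolve the name? Returns 0 if yes. Falls back to /etc/passwd where getent
# is absent, which only exercises the "files" source, not nss_ldap.
nss_resolves() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        grep -q "^$1:" /etc/passwd
    fi
}

# Constructed sample log in the same shape as the thread's auth.log excerpts.
SAMPLE_LOG='Nov  3 06:24:00 client sshd[11393]: error: PAM: Authentication failure for illegal user tb from 10.9.3.153
Nov  3 06:24:00 client sshd[11393]: Failed keyboard-interactive/pam for invalid user tb from 10.9.3.153 port 56665 ssh2
Nov  3 06:24:00 client sshd[11396]: pam_tally2(sshd:auth): pam_get_uid; no such user
Nov  3 06:26:03 client sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com
Nov  3 06:27:10 client sshd[2700]: Accepted publickey for root from 10.9.3.1 port 50022 ssh2'

# Stand-alone run: summarise the sample, then do the real lookup on this host.
printf '%s\n' "$SAMPLE_LOG" | triage_auth_log
if nss_resolves tb; then
    echo "tb resolves via NSS: look at the PAM stack (pam_ldap, system-auth) next"
else
    echo "tb does not resolve via NSS: check nsswitch.conf and nss_ldap first"
fi
```

Run it on the failing client with the real log piped into triage_auth_log; if the nss count dominates and nss_resolves <name> fails, the fix belongs in nsswitch.conf / nss_ldap (the ldap.conf base, binddn or filter settings that nss_ldap uses to enumerate passwd entries), and no amount of PAM debugging will change the outcome. Only once getent passwd resolves the user does the pam_ldap line in system-auth become the next thing to test.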
Re: [gentoo-user] ldap client authentication
On Fri, Nov 5, 2010 at 05:44, James j...@nc.rr.com wrote:
> Things just got more interesting. I just copied my /etc/ldap.conf file over from my Gentoo box to an Ubuntu box -- it works without a single hitch. I'm about to rip my hair out here...any ideas on where I can start troubleshooting this?

Put logging of PAM to the max and start looking in your pam logs. Your ldap seems fine.

Ward
Re: [gentoo-user] ldap client authentication
It seems that the LDAP is failing to work, as well, in CentOS 5 -- same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.

What's the best way to start troubleshooting this from a PAM perspective? I have a debug line set at the bottom of the ldap.conf file, but that doesn't seem to be giving me enough information. Also, I've set 'debug' at the end of every line in my /etc/pam.d/system-auth file, to no avail. Nothing is showing up in /var/log/debug -- PAM indicates that the 'debug' keyword sends messages to syslog for processing.

Thoughts / ideas would be greatly appreciated. Thanks!

-james

On Fri, Nov 5, 2010 at 06:22, Ward Poelmans wpoel...@gmail.com wrote:
> On Fri, Nov 5, 2010 at 05:44, James j...@nc.rr.com wrote:
>> Things just got more interesting. I just copied my /etc/ldap.conf file over from my Gentoo box to an Ubuntu box -- it works without a single hitch. I'm about to rip my hair out here...any ideas on where I can start troubleshooting this?
>
> Put logging of PAM to the max and start looking in your pam logs. Your ldap seems fine.
>
> Ward
Re: [gentoo-user] ldap client authentication
On Fri, Nov 5, 2010 at 17:41, James j...@nc.rr.com wrote:
> It seems that the LDAP is failing to work, as well, in CentOS 5 -- same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.
>
> What's the best way to start troubleshooting this from a PAM perspective? I have a debug line set at the bottom of the ldap.conf file, but that doesn't seem to be giving me enough information. Also, I've set 'debug' at the end of every line in my /etc/pam.d/system-auth file, to no avail. Nothing is showing up in /var/log/debug -- PAM indicates that the 'debug' keyword sends messages to syslog for processing.

Adding the debug keyword to the pam module doesn't do anything, but in ldap.conf:

       logdir directory
              Specifies the directory used for logging by the LDAP client library. This feature is not supported by all client libraries.

       debug level
              Specifies the debug level used for logging by the LDAP client library. This feature is not supported by all client libraries, and does not apply to the nss_ldap and pam_ldap modules themselves (debugging, if any, is configured separately and usually at compile time).

Ward
Re: [gentoo-user] ldap client authentication
Yes, I have both of these options enabled:

logdir somedir
debug 256

The logdir is filled with empty files that, in the name of the file, have the pid of the pam process. However, these files are empty and they do not have anything in them. Thoughts?

-james

On Fri, Nov 5, 2010 at 12:49, Ward Poelmans wpoel...@gmail.com wrote:
> On Fri, Nov 5, 2010 at 17:41, James j...@nc.rr.com wrote:
>> It seems that the LDAP is failing to work, as well, in CentOS 5 -- same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.
>>
>> What's the best way to start troubleshooting this from a PAM perspective? I have a debug line set at the bottom of the ldap.conf file, but that doesn't seem to be giving me enough information. Also, I've set 'debug' at the end of every line in my /etc/pam.d/system-auth file, to no avail. Nothing is showing up in /var/log/debug -- PAM indicates that the 'debug' keyword sends messages to syslog for processing.
>
> Adding the debug keyword to the pam module doesn't do anything, but in ldap.conf:
>
>        logdir directory
>               Specifies the directory used for logging by the LDAP client library. This feature is not supported by all client libraries.
>
>        debug level
>               Specifies the debug level used for logging by the LDAP client library. This feature is not supported by all client libraries, and does not apply to the nss_ldap and pam_ldap modules themselves (debugging, if any, is configured separately and usually at compile time).
>
> Ward
Re: [gentoo-user] ldap client authentication
On Fri, Nov 5, 2010 at 20:46, James j...@nc.rr.com wrote:
> The logdir is filled with empty files that, in the name of the file, have the pid of the pam process. However, these files are empty and they do not have anything in them. Thoughts?

Try putting the compile time debugging options on?

Ward
Re: [gentoo-user] ldap client authentication
Bump -- any ideas? In a tough spot right now trying to wrap this LDAP project up and I'm stuck. :(

-james

On Wed, Nov 3, 2010 at 15:26, James j...@nc.rr.com wrote:
> Straight from the Gentoo + LDAP page.
>
> # pam ldap stuff
> auth      sufficient  pam_ldap.so use_first_pass
> account   sufficient  pam_ldap.so
> password  sufficient  pam_ldap.so use_authtok use_first_pass
> session   optional    pam_ldap.so
>
> -james
>
> On Wed, Nov 3, 2010 at 15:13, Stroller strol...@stellar.eclipse.co.uk wrote:
>> On 3/11/2010, at 4:25pm, James wrote:
>>> ...
>>> I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress. Here's the rundown of how things are configured (fairly straight forward):
>>> ...
>>> == auth.log ==
>>> Nov 3 06:26:03 s_dg...@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com
>>
>> You've shown us all about your LDAP configuration, but nothing about your PAM configuration, or whether sshd or IMAP are configured to use PAM.
>>
>> Stroller.
Re: [gentoo-user] ldap client authentication
On Fri, Nov 5, 2010 at 2:51 AM, James j...@nc.rr.com wrote:
> Bump -- any ideas? In a tough spot right now trying to wrap this LDAP project up and I'm stuck. :(
>
> -james

You seem to be using ldap sometimes and ldaps other times in your configs. Suggest you try getting everything working with ldap first, then convert everything to ldaps (to get SSL working) once you have the application layer sorted.
Re: [gentoo-user] ldap client authentication
LDAP and LDAPS work fine -- as I indicated, the ldapsearch queries work without any issues. Thus the issue is, more or less, related directly to PAM and LDAP together. At some point during troubleshooting I switched to LDAP simply so that I could sniff the packets going across the wire and see what was going on.

This is purely a pam_ldap configuration problem as far as I can tell. Any thoughts on how to go about troubleshooting this would be greatly appreciated.

-james

On Thu, Nov 4, 2010 at 17:58, Adam Carter adamcart...@gmail.com wrote:
> You seem to be using ldap sometimes and ldaps other times in your configs. Suggest you try getting everything working with ldap first, then convert everything to ldaps (to get SSL working) once you have the application layer sorted.
Re: [gentoo-user] ldap client authentication
Things just got more interesting. I just copied my /etc/ldap.conf file over from my Gentoo box to an Ubuntu box -- it works without a single hitch. I'm about to rip my hair out here...any ideas on where I can start troubleshooting this?

- openssh versions are very similar
- newer nss_ldap on gentoo
- newer pam_ldap on gentoo

Thoughts would be greatly appreciated.

-james

On Thu, Nov 4, 2010 at 23:48, James j...@nc.rr.com wrote:
> LDAP and LDAPS work fine -- as I indicated, the ldapsearch queries work without any issues. Thus the issue is, more or less, related directly to PAM and LDAP together. At some point during troubleshooting I switched to LDAP simply so that I could sniff the packets going across the wire and see what was going on.
>
> This is purely a pam_ldap configuration problem as far as I can tell. Any thoughts on how to go about troubleshooting this would be greatly appreciated.
>
> -james
>
> On Thu, Nov 4, 2010 at 17:58, Adam Carter adamcart...@gmail.com wrote:
>> You seem to be using ldap sometimes and ldaps other times in your configs. Suggest you try getting everything working with ldap first, then convert everything to ldaps (to get SSL working) once you have the application layer sorted.
Re: [gentoo-user] ldap client authentication
On 3/11/2010, at 4:25pm, James wrote:
> ...
> I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress. Here's the rundown of how things are configured (fairly straight forward):
> ...
> == auth.log ==
> Nov 3 06:26:03 s_dg...@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com

You've shown us all about your LDAP configuration, but nothing about your PAM configuration, or whether sshd or IMAP are configured to use PAM.

Stroller.
Re: [gentoo-user] ldap client authentication
Straight from the Gentoo + LDAP page.

# pam ldap stuff
auth      sufficient  pam_ldap.so use_first_pass
account   sufficient  pam_ldap.so
password  sufficient  pam_ldap.so use_authtok use_first_pass
session   optional    pam_ldap.so

-james

On Wed, Nov 3, 2010 at 15:13, Stroller strol...@stellar.eclipse.co.uk wrote:
> On 3/11/2010, at 4:25pm, James wrote:
>> ...
>> I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress. Here's the rundown of how things are configured (fairly straight forward):
>> ...
>> == auth.log ==
>> Nov 3 06:26:03 s_dg...@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com
>
> You've shown us all about your LDAP configuration, but nothing about your PAM configuration, or whether sshd or IMAP are configured to use PAM.
>
> Stroller.