[olug] pam_ldap

Daniel Pfile pfiled at marietta.edu
Sun Aug 20 23:58:27 UTC 2000


Ok, here's my problem.

I have nss-ldap and pam_ldap installed on a debian 2.2 system. The user
I'm trying to auth as is in the ldap db. I'll just snip a few
configs/logs/sessions to show you what's going on.

klaruz at eb:~$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Debian GNU/Linux 2.2 eb.suiteone.net
eb login: bob
Password:      <-- correct password entered
Connection closed by foreign host.

there were no entries in auth.log for that, even though debug is set in
the pam config for the module. here's the output in syslog for telnet and
ldap with ldap debug set to 256.

Aug 20 18:34:24 eb in.telnetd[24642]: connect from localhost
Aug 20 18:34:26 eb slapd[3120]: conn=146 fd=15 connection from localhost (127.0.0.1) accepted.
Aug 20 18:34:26 eb slapd[24644]: conn=146 op=0 BIND dn="CN=ADMIN,OU=PEOPLE,DC=SUITEONE,DC=NET" method=128
Aug 20 18:34:26 eb slapd[24644]: conn=146 op=0 RESULT err=0 tag=97 nentries=0
Aug 20 18:34:26 eb slapd[24645]: conn=146 op=1 SRCH base="DC=SUITEONE,DC=NET" scope=2 filter="(uid=BOB)"
Aug 20 18:34:26 eb slapd[3120]: conn=147 fd=16 connection from localhost (127.0.0.1) accepted.
Aug 20 18:34:26 eb slapd[3120]: conn=146 op=-1 fd=15 closed errno=0
Aug 20 18:34:26 eb slapd[24646]: conn=146 op=2 UNBIND
Aug 20 18:34:26 eb slapd[24645]: conn=146 op=1 RESULT err=0 tag=101 nentries=1
Aug 20 18:34:26 eb slapd[24647]: conn=147 op=0 BIND dn="CN=BOB,OU=USERS,DC=ACME,DC=SUITEONE,DC=NET" method=128
Aug 20 18:34:26 eb slapd[24647]: conn=147 op=0 RESULT err=0 tag=97 nentries=0
Aug 20 18:34:26 eb slapd[3120]: conn=148 fd=15 connection from localhost (127.0.0.1) accepted.
Aug 20 18:34:26 eb slapd[3120]: conn=147 op=-1 fd=16 closed errno=0
Aug 20 18:34:26 eb slapd[24648]: conn=147 op=1 UNBIND
Aug 20 18:34:26 eb slapd[24649]: conn=148 op=0 BIND dn="CN=ADMIN,OU=PEOPLE,DC=SUITEONE,DC=NET" method=128
Aug 20 18:34:26 eb slapd[3120]: conn=148 op=-1 fd=15 closed errno=0
Aug 20 18:34:26 eb slapd[24649]: conn=148 op=0 RESULT err=0 tag=97 nentries=0

you can see where connection 146 binds first, looks for bob, and finds
him, then disconnects. connection 147 binds as bob, then disconnects. this
is the rebind in order to check bob's pass by logging into the ldap db as
bob.

----

here's when i enter the wrong pass.

klaruz at eb:~$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Debian GNU/Linux 2.2 eb.suiteone.net
eb login: bob
Password: 
Login incorrect

eb login: 

here's the syslog stuff:

Aug 20 18:39:04 eb in.telnetd[24651]: connect from localhost
Aug 20 18:39:06 eb slapd[3120]: conn=149 fd=15 connection from localhost (127.0.0.1) accepted.
Aug 20 18:39:06 eb slapd[24653]: conn=149 op=0 BIND dn="CN=ADMIN,OU=PEOPLE,DC=SUITEONE,DC=NET" method=128
Aug 20 18:39:06 eb slapd[24653]: conn=149 op=0 RESULT err=0 tag=97 nentries=0
Aug 20 18:39:06 eb slapd[24654]: conn=149 op=1 SRCH base="DC=SUITEONE,DC=NET" scope=2 filter="(uid=BOB)"
Aug 20 18:39:06 eb slapd[3120]: conn=150 fd=16 connection from localhost (127.0.0.1) accepted.
Aug 20 18:39:06 eb slapd[3120]: conn=149 op=-1 fd=15 closed errno=0
Aug 20 18:39:06 eb slapd[24654]: conn=149 op=1 RESULT err=0 tag=101 nentries=1
Aug 20 18:39:06 eb slapd[24655]: conn=149 op=2 UNBIND
Aug 20 18:39:06 eb slapd[24656]: conn=150 op=0 BIND dn="CN=BOB,OU=USERS,DC=ACME,DC=SUITEONE,DC=NET" method=128
Aug 20 18:39:06 eb slapd[24656]: conn=150 op=0 RESULT err=49 tag=97 nentries=0
Aug 20 18:39:06 eb slapd[3120]: conn=151 fd=15 connection from localhost (127.0.0.1) accepted.
Aug 20 18:39:06 eb slapd[3120]: conn=150 op=-1 fd=16 closed errno=0
Aug 20 18:39:06 eb slapd[24657]: conn=150 op=1 UNBIND
Aug 20 18:39:06 eb slapd[24658]: conn=151 op=0 BIND dn="CN=ADMIN,OU=PEOPLE,DC=SUITEONE,DC=NET" method=128
Aug 20 18:39:06 eb slapd[24658]: conn=151 op=0 RESULT err=0 tag=97 nentries=0

this time, connection 149 finds bob, rebinds to check the pass, and gets
error 49 (instead of 0) because the pass is wrong. which is how it should
work. i'm then prompted again for a login/pass as you can see above.

this time of course, i get an error in auth.log because of the wrong pass.

Aug 20 18:41:54 eb login[24662]: pam_ldap: error trying to bind as user "cn=Bob, ou=users, dc=acme, dc=suiteone,dc=net" (Invalid credentials)
Aug 20 18:41:54 eb PAM_unix[24662]: check pass; user unknown
Aug 20 18:41:54 eb PAM_unix[24662]: authentication failure; (uid=0) -> **unknown** for login service
Aug 20 18:41:56 eb login[24662]: FAILED LOGIN (1) on `pts/5' from `localhost' FOR `UNKNOWN', Authentication service cannot retrieve authentication info.

---

here is the ldif from bob's entry:

klaruz at eb:~$ ldapsearch uid=bob
cn=Bob, ou=users, dc=acme, dc=suiteone,dc=net
telephonenumber=415-777-1212
sn=Jones
cn=Bob
creatorsname=cn=admin, ou=People, dc=suiteone, dc=net
createtimestamp=20000716103146Z
objectclass=person
objectclass=top
objectclass=qmailUser
objectclass=inetOrgPerson
objectclass=posixAccount
mail=bob at suiteone.net
mailmessagestore=Maildir/
loginshell=/bin/bash
uid=bob
uidnumber=1000
gidnumber=1000
modifytimestamp=20000804182910Z
modifiersname=cn=admin, ou=People, dc=suiteone, dc=net
homedirectory=/home/klaruz/users/bob

the password is omitted of course, because i did the search as anon, and
anon can't see passwords. i have strict checking on, so every object
class that's in there has the proper entries for it. including the
posixAccount class.

---

here's my slapd.conf:

# This is the main ldapd configuration file.

# Schema and objectClass definitions
include         /etc/openldap/slapd.at.conf
include         /etc/openldap/slapd.oc.conf

# Schema for supporting Netscape Roaming
include         /etc/openldap/netscape_roaming.at.conf
include         /etc/openldap/netscape_roaming.oc.conf

# Schema for supporting Debian Package Directory entries
#include                /etc/openldap/debian.at.conf
#include                /etc/openldap/debian.oc.conf

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where clients are refered to if no
# match is found locally
#referral       ldap://ldap.four11.com

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd.pid

# Read slapd.conf(5) for possible values
loglevel        256

#######################################################################
# ldbm database definitions
#######################################################################

# The backend type, ldbm, is the default standard
database        ldbm

# The base of your directory
suffix          "dc=suiteone,dc=net"

# Where the database file are physically stored
directory       "/var/lib/openldap"

# Save the time that the entry gets modified
lastmod on

# By default, only read access is allowed
defaultaccess   read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
access to dn=".*,ou=Roaming,dc=suiteone,dc=net"
        by dnattr=owner write

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attribute=userPassword
        by dn="cn=admin,ou=People,dc=suiteone,dc=net" write
        by self write
        by * none

# The admin dn has full write access
access to * by dn="cn=admin,ou=People,dc=suiteone,dc=net" write

# End of ldapd configuration file


pretty standard stuff there, not sure if there's an error or not though.

---

here's /etc/pam_ldap.conf:

# $Id: ldap.conf,v 1.8 1999/06/06 12:24:37 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# To contact the author, mail lukeh at padl.com.
#

# Your LDAP server.
host 127.0.0.1

# The distinguished name of the search base.
base dc=suiteone,dc=net

# Use the V3 protocol to optimize searches
ldap_version 2

# NOTE: If you use these, be sure to chmod 600 this file
# for security reasons
#
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=manager,dc=example,dc=net

binddn cn=admin,ou=People,dc=suiteone,dc=net

#
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

bindpw xxxxxxxxxxx

#Scope to search
scope sub

# Filter to AND with uid=%s
#pam_filter objectclass=inetOrgPerson

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=net

# Group member attribute
#pam_member_attribute uniquemember

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_crypt local


again, almost exactly what the 'docs' say to do...

---

since i'm only trying to get telnet (login) working right now, i'll show
you that config file for pam.

#
# The PAM configuration file for the Shadow `login' service
#
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you
# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
# in order for login to stay around until after logout to call
# pam_close_session() and cleanup.
#


# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       required   pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
#auth       required   pam_env.so

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.

auth       sufficient   pam_ldap.so debug
auth       required   pam_unix_auth.so nullok try_first_pass


# Standard Un*x account and session
account    sufficient pam_ldap.so debug
#account    required   pam_unix.so debug
account    required   pam_unix_acct.so

#session    sufficient pam_ldap.so debug
session    required   pam_unix.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon successful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
# can also enable a MAIL environment variable from here, but it
# is better handled by /etc/login.defs, since userdel also uses
# it to make sure that removing a user, also removes their mail
# spool file.
session    optional   pam_mail.so standard noenv

# The standard Unix authentication modules, used with NIS (man nsswitch) as
# well as normal /etc/passwd and /etc/shadow entries. For the login service,
# this is only used when the password expires and must be changed, so make
# sure this one and the one in /etc/pam.d/passwd are the same. The "nullok"
# option allows users to change an empty password, else empty passwords are
# treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords the same way that
# `MD5_CRYPT_ENAB' would do under login.defs).
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

#password   required   pam_ldap.so nullok obscure min=4 max=8 md5
password   required   pam_unix.so nullok obscure min=4 max=8 md5

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5


once again, almost the same as the examples.

---

sooooo, anybody have any idea whatsoever as to what's causing
my problem? It's pretty clear it's checking the pass right if it boots me
as soon as i log in with the right pass, and asks again if i give it the
wrong pass. is there something i'm missing in the ldap entry that's
required? i tried making a group in ldap, and making the home dir owned by
that group's id, same problem.

i've been banging my head against the wall for a while now on this one,
and help would be great.

if you need any information besides what i've provided, let me know.

| Daniel Pfile        | I'm too cool for a signature |
| pfiled at marietta.edu |                              |
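The bind / search / rebind sequence the post reads out of the slapd loglevel 256 output (service bind, uid search, bind as the user, err=0 or err=49) can be reconstructed mechanically; the parser below is an added example, not code from the message or from pam_ldap, and it runs over a constructed sample modelled on the posted syslog lines. The service DN handed to user_rebind_results is the binddn from the posted pam_ldap.conf.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the thread's syslog excerpt (one event per line).
SAMPLE_LOG = """\
Aug 20 18:39:06 eb slapd[3120]: conn=149 fd=15 connection from localhost (127.0.0.1) accepted.
Aug 20 18:39:06 eb slapd[24653]: conn=149 op=0 BIND dn="CN=ADMIN,OU=PEOPLE,DC=SUITEONE,DC=NET" method=128
Aug 20 18:39:06 eb slapd[24653]: conn=149 op=0 RESULT err=0 tag=97 nentries=0
Aug 20 18:39:06 eb slapd[24654]: conn=149 op=1 SRCH base="DC=SUITEONE,DC=NET" scope=2 filter="(uid=BOB)"
Aug 20 18:39:06 eb slapd[24654]: conn=149 op=1 RESULT err=0 tag=101 nentries=1
Aug 20 18:39:06 eb slapd[24655]: conn=149 op=2 UNBIND
Aug 20 18:39:06 eb slapd[24656]: conn=150 op=0 BIND dn="CN=BOB,OU=USERS,DC=ACME,DC=SUITEONE,DC=NET" method=128
Aug 20 18:39:06 eb slapd[24656]: conn=150 op=0 RESULT err=49 tag=97 nentries=0
Aug 20 18:39:06 eb slapd[24657]: conn=150 op=1 UNBIND
"""

LDAP_ERR = {0: "success", 49: "invalidCredentials"}  # the two result codes seen in the thread
OP_RE = re.compile(r"conn=(\d+) op=(-?\d+) (BIND|SRCH|RESULT|UNBIND)(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value; quoted values (DNs, filters) may contain '='

def parse_ops(text):
    """Group operation lines by connection: {conn: [(op, kind, {field: value}), ...]}."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # 'connection ... accepted' / 'closed' lines carry no operation
        conn, op, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        conns[conn].append((op, kind, fields))
    return conns

def summarize_binds(conns):
    """Pair every BIND with its RESULT: [(conn, dn, err, meaning)] in connection order."""
    out = []
    for conn, ops in sorted(conns.items()):
        pending = {}  # op number -> bind DN still waiting for its RESULT line
        for op, kind, f in ops:
            if kind == "BIND":
                pending[op] = f.get("dn", "")
            elif kind == "RESULT" and op in pending:
                err = int(f.get("err", "-1"))
                out.append((conn, pending.pop(op), err, LDAP_ERR.get(err, "other")))
    return out

def user_rebind_results(binds, service_dn):
    """Drop the service-account binds, leaving only the user rebinds that verify a password."""
    return [(dn, err, meaning) for _, dn, err, meaning in binds
            if dn.lower() != service_dn.lower()]
```

With the sample above, summarize_binds reports err=0 for the admin bind on conn=149 and err=49 for the rebind as Bob on conn=150, which is the wrong-password case the post describes.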

