Unable to login with pam_ldap
Hello!
I am trying to use pam_ldap for login on my Solaris systems, but even after hours of reading the documentation I cannot figure out what is wrong. Steps I did:
- Installing Sun Java System Directory Server
- Configuring Password Policy
- Added a user to ou=people
- Changed pam.conf on the client as described at http://docs.sun.com/app/docs/doc/816-4556/6maort2tb?a=view
- Initiated the client with "ldapclient manual -a domainName=$DOMAIN -a defaultSearchBase=$SEARCHBASE -a serviceAuthenticationMethod=pam_ldap:simple $SERVER_IP"
With ldapsearch on the client I am able to see the user entry, but logging in does not work. Here is the output of syslog:
[...]
[auth.debug] PAM[21582]: load_modules(8a158, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
[auth.debug] PAM[21582]: load_function: successful load of pam_sm_authenticate
[auth.debug] PAM[21582]: pam_get_user(8a158, ff253d00, NULL)
[auth.debug] debug1: got 1 responses
[auth.debug] debug1: PAM conv function returns PAM_SUCCESS
[auth.debug] PAM[21582]: pam_set_item(8a158:authtok)
last message repeated 1 time
[auth.debug] PAM[21582]: pam_authenticate(8a158, 0): error Authentication failed
[...]
The access log of the directory server:
conn=34 op=2 msgId=3 - SRCH base="ou=people,$SEARCHBASE" scope=1 filter="(&(objectClass=SolarisUserAttr)(uid=$USERNAME))" attrs="uid solarisuserqualifier solarisattrreserved1 solarisattrreserved2 solarisattrkeyvalue"
conn=34 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0
conn=73 op=-1 msgId=-1 - fd=59 slot=59 LDAP connection from $CLIENT_IP to $SERVER_IP
conn=73 op=0 msgId=1 - SRCH base="ou=people,$SEARCHBASE" scope=1 filter="(&(objectClass=posixAccount)(uid=$USERNAME))" attrs=ALL
conn=73 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=0
conn=73 op=1 msgId=2 - UNBIND
conn=73 op=1 msgId=-1 - closing - U1
conn=74 op=-1 msgId=-1 - fd=66 slot=66 LDAP connection from $CLIENT_IP to $SERVER_IP
conn=73 op=-1 msgId=-1 - closed.
conn=74 op=0 msgId=1 - BIND dn="uid=$USERNAME,ou=People,$SEARCHBASE" method=128 version=3
conn=74 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=$USERNAME,ou=people,$SEARCHBASE"
conn=74 op=1 msgId=2 - UNBIND
conn=74 op=1 msgId=-1 - closing - U1
conn=74 op=-1 msgId=-1 - closed.
conn=75 op=-1 msgId=-1 - fd=59 slot=59 LDAP connection from $CLIENT_IP to $SERVER_IP
conn=75 op=0 msgId=1 - SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
conn=75 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=0
conn=75 op=1 msgId=2 - UNBIND
conn=75 op=1 msgId=-1 - closing - U1
conn=75 op=-1 msgId=-1 - closed.
Now I do not know what to try next. Any hints?
TIA
Stephan
By windy81 at 2007-11-26 9:39:03
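The access log quoted above is the most useful evidence in the post, because it shows the BIND as the user returning err=0 (the server accepted the password) while PAM still reported a failure, and it shows a search for SolarisUserAttr coming back with nentries=0. The script below is an added example, not part of the original post: it pairs each BIND or SRCH request with its RESULT line by conn/op and prints a verdict per operation, so the failing step can be located on the LDAP side. The log lines are constructed to mirror the shape of the ones above; dc=example,dc=com and the uids are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): correlate request and RESULT
# lines of a Sun Java System Directory Server access log per conn/op pair.
# SAMPLE_LOG is constructed; the suffix and uids are placeholders.

SAMPLE_LOG='conn=73 op=0 msgId=1 - SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=stephan))" attrs=ALL
conn=73 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=0
conn=73 op=1 msgId=2 - UNBIND
conn=74 op=0 msgId=1 - BIND dn="uid=stephan,ou=People,dc=example,dc=com" method=128 version=3
conn=74 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=stephan,ou=people,dc=example,dc=com"
conn=75 op=0 msgId=1 - SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(&(objectClass=SolarisUserAttr)(uid=stephan))" attrs="uid solarisattrkeyvalue"
conn=75 op=0 msgId=1 - RESULT err=0 tag=101 nentries=0 etime=0
conn=76 op=0 msgId=1 - BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
conn=76 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0'

# ds_triage: access-log lines on stdin, one verdict line per BIND or SRCH on
# stdout. tag=97 is an LDAP BindResponse, tag=101 a SearchResultDone, and
# err=49 is invalidCredentials. Requests are matched to results by "conn op".
ds_triage() {
  awk '
    # field(line, key): value of key=... (quoted or bare) from a log line
    function field(line, key,   v) {
      v = line
      if (!sub(".*" key "=", "", v)) return ""
      if (substr(v, 1, 1) == "\"") { sub(/^"/, "", v); sub(/".*/, "", v) }
      else sub(/[ ].*/, "", v)
      return v
    }
    / - BIND /   { bind[$1 " " $2] = field($0, "dn"); next }
    / - SRCH /   { srch[$1 " " $2] = field($0, "filter") " base=\"" field($0, "base") "\""; next }
    / - RESULT / {
      k = $1 " " $2
      err = field($0, "err") + 0
      n = field($0, "nentries") + 0
      if (k in bind) {
        verdict = (err == 0) ? "ok" : ((err == 49) ? "INVALID_CREDENTIALS" : "error")
        printf "BIND %-50s err=%d %s\n", bind[k], err, verdict
        delete bind[k]
      } else if (k in srch) {
        flag = (n == 0) ? " EMPTY" : ""
        printf "SRCH %s nentries=%d%s\n", srch[k], n, flag
        delete srch[k]
      }
    }
  '
}

printf '%s\n' "$SAMPLE_LOG" | ds_triage
```

A BIND that comes back err=0 means the directory accepted the user's password, so a PAM failure after that point is caused by whatever pam_ldap or the name service does next, for instance a lookup the client's bind identity is not allowed to see (which is what the thread's resolution in reply #9 turned out to be). An EMPTY search for the user right after a successful bind is the line to look at first.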

# 1
You shouldn't need to change pam.conf; the default one that comes on the system will work fine.
Did you set up a proxyagent for accessing the userPassword attribute? This is taken care of during idsconfig. If you did, then unless you bind as that user you will not be able to log in as that user. The "ldapclient manual" command you've supplied doesn't show any "-a proxyDn=" or "-a proxyPassword=" values. Try setting those if you haven't.
When you do your ldapsearch, if you can't see userPassword then you must bind as a proxyagent.
Try "ldapsearch -h host -D cn=proxyagent,ou=profile,dc=xyz,dc=com -w proxy_pass -b ou=people,dc=xyz,dc=com uid=ldap_user"
# 2
> did you setup a proxyagent for accessing the
> userPassword attribute, this is taken care of during
> idsconfig? if you did unless you bind as that user
> you will not be able to login as that user. the
> "ldapclient manual" you've supplied doesn't show any
> "-a proxyDn=" or "-a proxyPassword=" values. try
> setting those if you haven't.
I have now reconfigured with idsconfig and added the options you mentioned to the ldapclient command. I also changed serviceAuthenticationMethod to pam_ldap:simple. The config is now:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=$DOMAINS
NS_LDAP_BINDPASSWD= $PASSWORD
NS_LDAP_SERVERS= $SERVERIP
NS_LDAP_SEARCH_BASEDN= dc=$DOMAINS
NS_LDAP_CACHETTL= 0
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
> when you do your ldapsearch if you can't see
> userPassword then you must bind as a proxyagent.
>
> try "ldapsearch -h host -D
> cn=proxyagent,ou=profile,dc=xyz,dc=com -w proxy_pass
> -b ou=people,dc=xyz,dc=com uid=ldap_user"
This works fine, and so does ldaplist. But the auth log still produces errors:
pam_authenticate(8a158, 0): error Authentication failed
PAM[20279]: pam_set_item(8a158:authtok)
sshd[20279]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
Here is the output of the access log while searching with ldapsearch:
SRCH base="ou=people,dc=$DOMAINS" scope=1 filter="(&(objectClass=posixAccount)(uid=$USERNAME))" attrs=ALL
RESULT err=0 tag=101 nentries=1 etime=0
But when trying to authorize, it gives me this:
BIND dn="uid=$USERNAME,ou=People, dc=$DOMAINS" method=128 version=3
RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=$USERNAME,ou=people,dc=$DOMAINS"
# 3
Try setting these in sshd_config and restart sshd.
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
You may also look at:
http://web.singnet.com.sg/~garyttt/
Y. Installing and Configuring iPlanet Directory Server for Solaris9
and
4. Installing and Configuring OpenSSH with pam_ldap for Solaris9
Gary
# 4
> Try setting these in sshd_config and restart sshd.
>
> PasswordAuthentication yes
> ChallengeResponseAuthentication yes
> UsePAM yes
Those settings do not work with the default sshd of Solaris 10.
> You may also look at:
> http://web.singnet.com.sg/~garyttt/
Those are interesting documents, but now I am a little bit confused. Instead of configuring a "Service Authentication Method" for pam_ldap with idsconfig, they suggest creating SSDs. I tried that, but reconfiguration of the server failed:
ERROR: update of NisDomainObject in dc=$DOMAIND failed.
# 5
If you are using the original Sun SSH, which is pre-3.6.1:
Note: in older versions (pre-3.6.1) of the OpenSSH server, instead of "UsePAM yes" the parameter is:
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt yes
If you are using OpenLDAP 2.2.XX, you may need the result.c patch; otherwise do not run "ldapclient init", but create the required ldap_client_file and ldap_client_cred manually.
Gary
# 6
Sorry, the OpenLDAP stuff does not apply to you since you are on Sun DS. You have to provide more details.
Gary
# 7
If you enable password policy, please use this version of /etc/pam.conf:
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
Example pam_conf file for pam_ldap Configured for Account Management
Read also:
http://docs.sun.com/app/docs/doc/816-4556/6maort2st?a=view#clientsetup-89
If you are using proxy credentials, you may need to perform the following adjustment to the ACI of the root DN (replace it with your LDAP domain-specific values):
===
In SUN ONE Console, open Directory Server, select defaultSearchBase, i.e. dc=example,dc=com, and edit one of the listed ACIs, which is usually named "LDAP_Naming_Services_proxy_password_read".
Change it.
From:
(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
To:
(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
===
Gary
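The ACI change in the reply above takes "read" away from the proxy agent on userPassword while keeping "compare" and "search". The security reason a practitioner should care: with the proxy credential level, every client keeps the proxy agent's DN and password in its ldap_client_cred (the NS_LDAP_BINDDN / NS_LDAP_BINDPASSWD lines quoted earlier in this thread), so "read" on userPassword lets any client host pull the whole set of password hashes, whereas "compare" only lets the server answer yes/no to a candidate value. The checker below is an added example, not from the original thread: it parses ACIs of the form quoted above and reports any that grant read (or all) on userPassword, using the two ACIs from the reply as constructed input.

```shell
#!/bin/sh
# Added example (not from the original thread): flag Directory Server ACIs
# that let their subject read userPassword. The two ACIs are the "From" and
# "To" versions quoted in the reply above, with the dc=example,dc=com suffix
# they already use. Only allow clauses are evaluated, as in those ACIs; deny
# clauses and negated targetattr (!=) are not modelled.

ACI_BEFORE='(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)'
ACI_AFTER='(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)'

# aci_targetattrs ACI: targetattr list, lowercased, "||" separators turned
# into commas, whitespace removed.
aci_targetattrs() {
  printf '%s' "$1" | sed -n 's/.*(targetattr *= *"\([^"]*\)").*/\1/p' \
    | sed 's/||/,/g; s/ //g' | tr 'A-Z' 'a-z'
}

# aci_allow_rights ACI: rights inside the allow(...) clause, lowercased.
aci_allow_rights() {
  printf '%s' "$1" | sed -n 's/.*allow *(\([^)]*\)).*/\1/p' \
    | sed 's/ //g' | tr 'A-Z' 'a-z'
}

# aci_name ACI: the "acl <name>;" label, with optional quotes stripped.
aci_name() {
  printf '%s' "$1" | sed -n 's/.*acl *\([^;]*\);.*/\1/p' | tr -d '"'
}

# aci_grants_password_read ACI: returns 0 when the ACI allows read (or all)
# on userPassword, either by name or through targetattr="*"; 1 otherwise.
aci_grants_password_read() {
  attrs=",$(aci_targetattrs "$1"),"
  rights=",$(aci_allow_rights "$1"),"
  case $attrs in
    *,userpassword,*|*",*,"*) ;;
    *) return 1 ;;
  esac
  case $rights in
    *,read,*|*,all,*) return 0 ;;
  esac
  return 1
}

# audit_acis: one ACI per line on stdin; prints a verdict per ACI and returns
# the number of ACIs that grant password reads (0 = none).
audit_acis() {
  bad=0
  while IFS= read -r aci; do
    [ -n "$aci" ] || continue
    if aci_grants_password_read "$aci"; then
      printf 'FAIL %s: allow(%s) on %s\n' "$(aci_name "$aci")" \
        "$(aci_allow_rights "$aci")" "$(aci_targetattrs "$aci")"
      bad=$((bad + 1))
    else
      printf 'ok   %s: allow(%s) on %s\n' "$(aci_name "$aci")" \
        "$(aci_allow_rights "$aci")" "$(aci_targetattrs "$aci")"
    fi
  done
  return $bad
}

printf '%s\n%s\n' "$ACI_BEFORE" "$ACI_AFTER" | audit_acis \
  || echo "$? ACI(s) grant password reads"
```

To run this against a live server, feed it the aci values of the suffix entry, for example the output of an ldapsearch for "aci" on the defaultSearchBase with one value per line; the functions only need the ACI text.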
# 8
I suggest that when you run idsconfig you choose the "proxy" credential level and the "simple" auth method rather than the defaults. Also remember to use the "CRYPT" password storage scheme, and run the vlvindex creation after idsconfig.
Do you want to store passwords in "crypt" format (y/n/h)? [n] y
> - Added a user to ou=people
This is not enough. You have to check the "posix" option (posixAccount), enter a POSIX uid and gid, AS WELL AS add the "shadowAccount" object class to this user entry in the LDAP DIT, and define an SSD for the "shadow" service to be the same as for the "passwd" service.
Gary
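Replies #1 and #8 together give a checklist for the user entry: it must carry posixAccount and shadowAccount, have a POSIX uid and gid, and userPassword must be visible to the identity the client binds with (the ldapsearch with the proxy DN in reply #1). The lint below is an added example, not from the original thread: it reads the LDIF that such an ldapsearch returns and reports every missing piece before a login is even attempted. Both entries are constructed; the suffix, uid and hash are placeholders. The note about {crypt} follows the observation that pam_ldap authenticates by a BIND as the user (see the access logs earlier in the thread), so the server-side storage scheme only matters for the pam_unix path, where the client fetches the hash through the proxy and compares it locally.

```shell
#!/bin/sh
# Added example (not from the original thread): lint one LDIF entry as
# returned by "ldapsearch -D <proxy DN> -w <pw> -b ou=people,<suffix> uid=<user>"
# against the requirements from replies #1 and #8. GOOD_ENTRY and BAD_ENTRY
# are constructed; dc=example,dc=com and the hash are placeholders.

GOOD_ENTRY='dn: uid=stephan,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: stephan
cn: Stephan
uidNumber: 10001
gidNumber: 10000
homeDirectory: /export/home/stephan
loginShell: /bin/sh
userPassword: {crypt}$1$Xy1Z2w3V$constructedhashvaluexxxxxxxxx'

# The same user as an identity without password rights would see it: no
# shadowAccount, no gidNumber, and userPassword withheld by the ACI.
BAD_ENTRY='dn: uid=stephan,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: stephan
cn: Stephan
uidNumber: 10001
homeDirectory: /export/home/stephan'

# check_posix_entry: LDIF of one entry on stdin; prints each problem found
# and returns their count (0 = entry is usable for a pam_ldap login).
check_posix_entry() {
  awk '
    {
      n = index($0, ": "); if (n == 0) next
      attr = tolower(substr($0, 1, n - 1)); val = substr($0, n + 2)
      if (substr(attr, length(attr)) == ":") {     # "attr:: <base64>" form
        attr = substr(attr, 1, length(attr) - 1); b64[attr] = 1
      }
      if (attr == "objectclass") oc[tolower(val)] = 1; else have[attr] = val
    }
    END {
      problems = 0
      if (!("posixaccount" in oc))  { print "missing objectClass posixAccount";  problems++ }
      if (!("shadowaccount" in oc)) { print "missing objectClass shadowAccount"; problems++ }
      split("uid uidnumber gidnumber homedirectory", req, " ")
      for (i = 1; i <= 4; i++)
        if (!(req[i] in have)) { print "missing attribute " req[i]; problems++ }
      if (!("userpassword" in have)) {
        print "userPassword not returned: the bind identity cannot read it (proxy credentials or ACI)"
        problems++
      } else if (!("userpassword" in b64) && tolower(substr(have["userpassword"], 1, 7)) != "{crypt}") {
        print "note: userPassword is not {crypt}; only the pam_unix path needs that scheme"
      }
      exit problems
    }
  '
}

echo "== constructed good entry"
printf '%s\n' "$GOOD_ENTRY" | check_posix_entry && echo "entry looks usable"
echo "== constructed bad entry"
printf '%s\n' "$BAD_ENTRY" | check_posix_entry || echo "$? problem(s) found"
```

Run it as "ldapsearch ... uid=<user> | check_posix_entry" on the client; a "userPassword not returned" line with the proxy DN bound is the symptom reply #1 describes, and the objectClass lines are the ones reply #8 asks for.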
# 9
> This is not enough, you got to check the "posix"
> option (posixAccount),enter posix uid and gid, AS
> WELL AS add the "shadowAccount" object class to this
> user entry in LDAP DIT, and define SSD for "shadow"
> service to be the same as "passwd" service.
Thanks for your help, now it works. I did not need the SSD, but an ACL which allowed the client to find the nisDomainObject.