LinuxQuestions.org


brandon@rhiamet.com 01-21-2009 01:43 PM

pam ldap authentication
 
I've been reading everything I can find on how to get this working with no luck. I am trying to get pam authentication to use ldap and with su and ssh the following errors are logged to /var/log/messages:

Jan 21 13:30:29 foo.bar.com sshd[9562]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 21 13:31:10 foo.bar.com su: pam_ldap: ldap_simple_bind Can't contact LDAP server

If I do an ldapsearch from this same machine it works:

ldapsearch -x -b "dc=bar,dc=com" cn=brandon
...

I'm not clear on whether /etc/pam_ldap.conf needs to exist or if /etc/ldap.conf is sufficient for pam. This is on a

# cat /etc/fedora-release
Fedora Core release 5 (Bordeaux)

machine. Thanks for any help.

Brandon

rweaver 01-21-2009 04:54 PM

Quote:

Originally Posted by brandon@rhiamet.com (Post 3416469)
I've been reading everything...<SNIP>...Thanks for any help. Brandon

This isn't a direct help since it's debian and not fedora, but I do know all the steps are included and that was the problem I ran into when I was attempting to implement this. YMMV but this DOES include everything necessary to get ldap pam and libnss stuff to work if you have the right packages installed.

Code:

Replace /etc/ldap/slapd.conf with the following:

include        /etc/ldap/schema/core.schema
include        /etc/ldap/schema/cosine.schema
include        /etc/ldap/schema/nis.schema
include        /etc/ldap/schema/inetorgperson.schema
include        /etc/ldap/schema/misc.schema

pidfile        /var/run/slapd/slapd.pid
argsfile       /var/run/slapd/slapd.args
loglevel       0
modulepath     /usr/lib/ldap
moduleload     back_bdb
sizelimit      500
tool-threads   1
backend        bdb
checkpoint     512 30

database       bdb
suffix         "dc=fakedom,dc=dom"
rootdn         "cn=admin,dc=fakedom,dc=dom"
rootpw         (run slappasswd and paste output here)
directory      "/var/lib/ldap"
lastmod        on

access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=fakedom,dc=dom" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=fakedom,dc=dom" write
        by * read


Replace /etc/nsswitch.conf with the following:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Replace /etc/libnss-ldap.conf with the following:

base dc=fakedom,dc=dom
uri ldap://127.0.0.1
ldap_version 3
rootbinddn cn=admin,dc=fakedom,dc=dom


Replace /etc/pam_ldap.conf with the following:

host 127.0.0.1
base dc=fakedom,dc=dom
uri ldap://127.0.0.1
ldap_version 3
rootbinddn cn=admin,dc=fakedom,dc=dom
pam_password exop


Replace /etc/ldap/ldap.conf with the following:

BASE    dc=fakedom,dc=dom
URI     ldap://127.0.0.1


Create a base.ldif file in /tmp to import into the directory to test against:

dn: dc=fakedom,dc=dom
objectClass: top
objectClass: dcObject
objectClass: organization
o: fakedom.dom
dc: fakedom

dn: cn=admin,dc=fakedom,dc=dom
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: (Paste output from slappasswd)

dn: ou=People,dc=fakedom,dc=dom
ou: People
objectClass: organizationalUnit
objectClass: top

dn: uid=testy,ou=People,dc=fakedom,dc=dom
uid: testy
cn: testy
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/testy
gecos: Testy,,,,
userPassword: (Paste output from slappasswd)


# /etc/init.d/slapd restart

# ldapadd -x -W -D 'cn=admin,dc=fakedom,dc=dom' -f /tmp/base.ldif  (enter password when prompted)

# /etc/init.d/slapd restart

# getent passwd | grep testy  (should return testy's entry)

# /etc/init.d/openbsd-inetd start

# telnet localhost and use testy's login credentials; if it works you're set... if not, reread and try again.
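
A cross-check of the client-side files from the reply above, added here as an example and not rweaver's code or anything from the OP's Fedora box: it parses the 'key value' files, normalises the base DNs and server entries, and reports mismatches, which matters because pam_ldap and nss_ldap read /etc/ldap.conf or /etc/pam_ldap.conf while ldapsearch reads the OpenLDAP client ldap.conf, so a working ldapsearch says nothing about the file pam_ldap is using. The sample file contents are constructed (the ldap.conf BASE is deliberately wrong), and the /etc/ldap.secret note reflects how pam_ldap and nss_ldap obtain the rootbinddn password.

```python
import re

# Constructed samples modelled on the reply's files; the ldap.conf BASE is mismatched on purpose.
PAM_LDAP_CONF = """host 127.0.0.1
base dc=fakedom,dc=dom
uri ldap://127.0.0.1
rootbinddn cn=admin,dc=fakedom,dc=dom
"""
LDAP_CONF = """BASE    dc=fakedome, dc=dom
URI    ldap://127.0.0.1
"""

def parse_conf(text):
    """'key value' lines as in pam_ldap.conf, libnss-ldap.conf and ldap.conf; keys lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                conf[parts[0].lower()] = parts[1].strip()
    return conf

def norm_dn(dn):
    """Canonical DN for comparison: no spaces around commas, lower-case."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def server_of(conf):
    """Server the client library will contact: uri wins over host/port."""
    if "uri" in conf:
        return conf["uri"].split()[0]
    if "host" in conf:
        return "ldap://%s:%s" % (conf["host"].split()[0], conf.get("port", "389"))
    return None  # nothing to contact at all

def check_configs(named):
    """Compare parsed configs {filename: conf}; returns a list of findings."""
    findings = []
    bases = {n: norm_dn(c["base"]) for n, c in named.items() if "base" in c}
    if len(set(bases.values())) > 1:
        findings.append("base DN differs: %s" % bases)
    servers = {n: server_of(c) for n, c in named.items()}
    findings += ["%s names no uri/host: bind cannot succeed" % n
                 for n, s in servers.items() if s is None]
    if len(set(s for s in servers.values() if s)) > 1:
        findings.append("server differs: %s" % servers)
    # rootbinddn only works if /etc/ldap.secret holds that password (root-only, mode 0600)
    findings += ["%s sets rootbinddn: check /etc/ldap.secret exists with mode 0600" % n
                 for n, c in named.items() if "rootbinddn" in c]
    return findings
```

Run it against the real files with open()/read() in place of the constructed strings; an empty list apart from the rootbinddn note means the three client files agree on what to contact and where to search.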


brandon@rhiamet.com 01-22-2009 07:58 AM

Thanks for the reply. I'll give your suggestions a try.

Something I failed to mention which is probably very relevant is that I can't get local accounts in /etc/passwd to work either. Even with local accounts, I get the same error in /var/log/messages about not being able to contact the LDAP server. Maybe this means something more fundamental is wrong.

Brandon
