LinuxQuestions.org
Old 01-21-2009, 02:43 PM   #1
brandon@rhiamet.com
LQ Newbie
 
Registered: Jan 2009
Posts: 20

Rep: Reputation: 0
pam ldap authentication


I've been reading everything I can find on how to get this working with no luck. I am trying to get pam authentication to use ldap and with su and ssh the following errors are logged to /var/log/messages:

Jan 21 13:30:29 foo.bar.com sshd[9562]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 21 13:31:10 foo.bar.com su: pam_ldap: ldap_simple_bind Can't contact LDAP server

If I do an ldapsearch from this same machine it works:

ldapsearch -x -b "dc=bar,dc=com" cn=brandon
...

I'm not clear on whether /etc/pam_ldap.conf needs to exist or whether /etc/ldap.conf is sufficient for pam. This is on a

# cat /etc/fedora-release
Fedora Core release 5 (Bordeaux)

machine. Thanks for any help.

Brandon
 
Old 01-21-2009, 05:54 PM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
Quote:
Originally Posted by brandon@rhiamet.com
I've been reading everything...<SNIP>...Thanks for any help. Brandon
This isn't a direct help since it's debian and not fedora, but I do know all the steps are included and that was the problem I ran into when I was attempting to implement this. YMMV but this DOES include everything necessary to get ldap pam and libnss stuff to work if you have the right packages installed.

Code:
Replace /etc/ldap/slapd.conf with the following:

—

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/misc.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        0
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit 500
tool-threads 1
backend         bdb
checkpoint 512 30

database        bdb
suffix          "dc=fakedom,dc=dom"
rootdn          "cn=admin,dc=fakedom,dc=dom"
rootpw          (run slappasswd and paste output here)
directory       "/var/lib/ldap"
lastmod         on

access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=fakedom,dc=dom" write
by anonymous auth
by self write
by * none

access to *
by dn="cn=admin,dc=fakedom,dc=dom" write
by * read
—

Replace /etc/nsswitch.conf with the following:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

—

Replace /etc/libnss-ldap.conf with the following:

—

base dc=fakedom,dc=dom
uri ldap://127.0.0.1
ldap_version 3
rootbinddn cn=admin,dc=fakedom,dc=dom
—

Replace  /etc/pam_ldap.conf with the following:

—

host 127.0.0.1
base dc=fakedom,dc=dom
uri ldap://127.0.0.1
ldap_version 3
rootbinddn cn=admin,dc=fakedom,dc=dom
pam_password exop
—

Replace /etc/ldap/ldap.conf with the following:

—

BASE    dc=fakedom,dc=dom
URI     ldap://127.0.0.1
—

Create a base.ldif file in /tmp to import into the directory to test against:

—

dn: dc=fakedom,dc=dom
objectClass: top
objectClass: dcObject
objectClass: organization
o: fakedom.dom
dc: fakedom

dn: cn=admin,dc=fakedom,dc=dom
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: (Paste output from slappasswd)

dn: ou=People,dc=fakedom,dc=dom
ou: People
objectClass: organizationalUnit
objectClass: top

dn: uid=testy,ou=People,dc=fakedom,dc=dom
uid: testy
cn: testy
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/testy
gecos: Testy,,,,
userPassword: (Paste output from slappasswd)

—

#/etc/init.d/slapd restart

# ldapadd -x -W -D 'cn=admin,dc=fakedom,dc=dom' -f /tmp/base.ldif  (enter password when prompted)

# /etc/init.d/slapd restart

# getent passwd | grep testy (should return testy's entry)

# /etc/init.d/openbsd-inetd start

# telnet localhost and use testy's login credentials, if it works you're set... if not reread and try again.
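As an added example (not from rweaver's post or from any of the tools involved), a small Python check that parses the LDAP client config files in the recipe above and flags a base DN or server URI that differs between them, or a pam_ldap/nss_ldap file with no uri/host line at all. The file paths and contents below are constructed to mirror this thread (including the stray "fakedome" spelling); adjust the paths to whatever your distribution actually uses, e.g. the /etc/ldap.conf Brandon mentions on Fedora.

```python
"""Added example: cross-check the LDAP client configs read by nss_ldap, pam_ldap and the OpenLDAP tools."""
import re

def parse_ldap_client_conf(text):
    """Parse 'key value' lines; keys are case-insensitive, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s+", line, maxsplit=1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def normalize_dn(dn):
    """'dc=fakedom, dc=dom' and 'dc=Fakedom,dc=dom' name the same entry."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def server_of(conf):
    """pam_ldap/nss_ldap accept 'uri' or 'host'; prefer uri, express host as a URI."""
    if "uri" in conf:
        return conf["uri"].split()[0].lower()
    return "ldap://" + conf["host"].split()[0].lower() if "host" in conf else None

def check_consistency(files):
    """files: {path: text}. Returns findings; an empty list means the files agree."""
    findings, bases, servers = [], {}, {}
    for path, text in files.items():
        conf = parse_ldap_client_conf(text)
        if "base" in conf:
            bases[path] = normalize_dn(conf["base"])
        else:
            findings.append(f"{path}: no base DN configured")
        srv = server_of(conf)
        if srv:
            servers[path] = srv
        else:
            findings.append(f"{path}: no uri/host line, so this client cannot contact any server")
    for label, seen in (("base DN", bases), ("server", servers)):
        if len(set(seen.values())) > 1:
            detail = ", ".join(f"{p}={v}" for p, v in sorted(seen.items()))
            findings.append(f"{label} differs across files: {detail}")
    return findings

# Constructed samples modelled on the thread's files: the OpenLDAP client file
# carries the 'fakedome' typo and the pam_ldap file has no server line at all.
SAMPLE_FILES = {
    "/etc/libnss-ldap.conf": "base dc=fakedom,dc=dom\nuri ldap://127.0.0.1\nldap_version 3\n",
    "/etc/pam_ldap.conf": "base dc=fakedom,dc=dom\nldap_version 3\npam_password exop\n",
    "/etc/ldap/ldap.conf": "BASE    dc=fakedome, dc=dom\nURI     ldap://127.0.0.1\n",
}
```

Calling `check_consistency(SAMPLE_FILES)` returns two findings: the pam_ldap file without a server line, and the base DN mismatch caused by the typo; an empty list means all three files agree.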
 
Old 01-22-2009, 08:58 AM   #3
brandon@rhiamet.com
LQ Newbie
 
Registered: Jan 2009
Posts: 20

Original Poster
Rep: Reputation: 0
Thanks for the reply. I'll give your suggestions a try.

Something I failed to mention, which is probably very relevant, is that I can't get local accounts in /etc/passwd to work either. Even with local accounts, I get the same error in /var/log/messages about not being able to contact the LDAP server. Maybe this means something more fundamental is wrong.

Brandon
 
  

