LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Ubuntu 8.04 / LDAP / NSS / PAM - not sharing shadow password hence not authenticating (https://www.linuxquestions.org/questions/linux-server-73/ubuntu-8-04-ldap-nss-pam-not-sharing-shadow-password-hence-not-authenticating-671664/)

fuzzyworm 09-22-2008 04:59 PM

Ubuntu 8.04 / LDAP / NSS / PAM - not sharing shadow password hence not authenticating
 
Dear all,

I'm trying to set up a Single Sign-On server, with all sorts of fancy bells and whistles, however, I'm having a spot of bother getting the LDAP working.

I have followed the Ubuntu tutorials:
https://help.ubuntu.com/community/OpenLDAPServer
https://help.ubuntu.com/community/LD...Authentication

I have succeeded in getting LDAP installed, and populated with some sample data (Lionel Porcheron is from the sample in one of the tutorials, in case anyone's curious):
Code:

dn: dc=sjsscr
objectClass: top
objectClass: dcObject
objectClass: organization
o: sjsscr
dc: sjsscr
structuralObjectClass: organization
entryUUID: d7ae7f30-1ae6-102d-8447-15d4f12ff726
creatorsName:
createTimestamp: 20080919223419Z
entryCSN: 20080919223419.031498Z#000000#000#000000
modifiersName:
modifyTimestamp: 20080919223419Z

dn: cn=admin,dc=sjsscr
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <HERE IS A HASH>
structuralObjectClass: organizationalRole
entryUUID: d7af6026-1ae6-102d-8448-15d4f12ff726
creatorsName:
createTimestamp: 20080919223419Z
entryCSN: 20080919223419.037426Z#000000#000#000000
modifiersName:
modifyTimestamp: 20080919223419Z

dn: ou=people,dc=sjsscr
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit
entryUUID: 23b1d436-1ae7-102d-9940-e5554e7aba35
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080919223626Z
entryCSN: 20080919223626.560366Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080919223626Z

dn: ou=groups,dc=sjsscr
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit
entryUUID: 23b267d4-1ae7-102d-9941-e5554e7aba35
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080919223626Z
entryCSN: 20080919223626.564146Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080919223626Z

dn: uid=lionel,ou=people,dc=sjsscr
l: Toulouse
o: Example
uidNumber: 1050
cn: Lionel Porcheron
mobile: +33 (0)6 xx xx xx xx
title: System Administrator
loginShell: /bin/bash
gecos: Lionel Porcheron
uid: lionel
initials: LP
homePhone: +33 (0)5 xx xx xx xx
sn: Porcheron
gidNumber: 1050
homeDirectory: /home/lionel
postalCode: 31000
displayName: Lionel Porcheron
givenName: Lionel
mail: lionel.porcheron@example.com
structuralObjectClass: inetOrgPerson
entryUUID: 76739cd8-1b49-102d-9a70-4db677d54d65
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080920102016Z
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
userPassword:: <HERE IS A HASH>
entryCSN: 20080920104638.674650Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080920104638Z

dn: cn=lionel,ou=groups,dc=sjsscr
gidNumber: 1050
cn: lionel
objectClass: posixGroup
memberUid: lionel
structuralObjectClass: posixGroup
entryUUID: 7674fea2-1b49-102d-9a71-4db677d54d65
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080920102016Z
entryCSN: 20080920102016.092077Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080920102016Z

dn: cn=Joe B. Bloggs,ou=people,dc=sjsscr
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
displayName: Joe B. Bloggs
uidNumber: 1051
cn: Joe B. Bloggs
initials: B
loginShell: /bin/bash
gecos: Joe B. Bloggs
uid: jbloggs
sn: Bloggs
userPassword:: <HERE IS A HASH>
gidNumber: 1050
homeDirectory: /home/jbloggs
givenName: Joe
structuralObjectClass: inetOrgPerson
entryUUID: ba00e914-1d0c-102d-9677-459d07d375fb
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080922161032Z
entryCSN: 20080922161032.441420Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080922161032Z

I can then access this data with:
Code:

# ldapsearch -xLLL -b "dc=sjsscr" uid=lionel sn givenName cn
dn: uid=lionel,ou=people,dc=sjsscr
cn: Lionel Porcheron
sn: Porcheron
givenName: Lionel

I can even switch user from root to Lionel or Joe Bloggs; however, when I try to start a new shell, either via SSH or on a TTY, it won't authenticate.

I did getent:
Code:

# getent shadow lionel
lionel:*:::::::0
# getent passwd lionel
lionel:x:1050:1050:Lionel Porcheron:/home/lionel:/bin/bash

As you can see, it has no problem getting the passwd details, but it's not getting the shadow password. I presume that this is why the thing won't authenticate.

I have included my setup details below. If anyone has had any luck getting this combination working, I would be most grateful for some pointers. If you need more info regarding my setup, please let me know.

nsswitch.conf:
Code:

# /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat ldap

# Note: I have tried 'compat' and 'files' for this; it seemed to make no difference.

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:      files

protocols:      db files
services:      db files
ethers:        db files
rpc:            db files

netgroup:

pam.d/common-account:
Code:

account    sufficient  pam_unix.so
account    sufficient  pam_ldap.so
account    required    pam_deny.so

pam.d/common-auth:
Code:

auth      required    pam_env.so
auth      sufficient  pam_unix.so likeauth nullok
auth      sufficient  pam_ldap.so use_first_pass
auth      required    pam_deny.so

pam.d/common-password:
Code:

password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  sufficient  pam_ldap.so use_first_pass
password  required    pam_deny.so

pam.d/common-session:
Code:

session    required    pam_limits.so
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required    pam_unix.so
session    optional    pam_ldap.so

ldap/slapd.conf:
Code:

include        /etc/ldap/schema/core.schema
include        /etc/ldap/schema/cosine.schema
include        /etc/ldap/schema/nis.schema
include        /etc/ldap/schema/inetorgperson.schema

pidfile        /var/run/slapd/slapd.pid

argsfile        /var/run/slapd/slapd.args

loglevel        none

modulepath      /usr/lib/ldap
moduleload      back_hdb

sizelimit 500

tool-threads 1

backend        hdb


database        hdb

suffix          "dc=sjsscr"

rootdn          "cn=admin,dc=sjsscr"
rootpw          {SSHA}<HERE IS A HASH>

directory      "/var/lib/ldap"


dbconfig set_cachesize 0 2097152 0


dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index          objectClass eq

lastmod        on

checkpoint      512 30


access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=sjsscr" write
        by anonymous auth
        by self write
        by * read

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=sjsscr" write
        by * read

ldap.conf:
Code:

base dc=sjsscr

uri ldapi:///127.0.0.1

ldap_version 3

rootbinddn cn=admin,dc=sjsscr

pam_password md5

nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,dnsmasq,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,openldap,polkituser,proxy,root,sshd,statd,sync,sys,syslog,uucp,www-data

ldap/ldap.conf:
Code:

BASE          dc=sjsscr
URI            ldap://127.0.0.1
#TS_REQCRT      allow

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never


cisc0ninja 10-08-2008 05:14 AM

I was having the exact same issue
 
I have not fixed it yet, but I believe I just found out how!
I will implement this change once I get off work!

Basically, if you can do a getent passwd username
and it shows up,
but it doesn't show up with the shadow password when you do a getent shadow username,

you need to do a slappasswd -h (then the md5 password for the user, which is located in your /etc/shadow file).

Then take the encrypted password it outputs, copy it, and put it in an LDIF for that user!

As shown in the example:
dn: cn=admin,dc=example
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP Administrator user
userPassword: {MD5}XXXXXXXXXXXXXXXXXXXXXX== <---(this is where you paste)

Once that is added in, it SHOULD work.
I'll get back to you on whether it works for me or not, but I just thought of this and now need to go try it myself.

-cisc0ninja

cisc0ninja 10-08-2008 05:15 AM

The website(s) I used
 
I used the website: http://www.jukie.net/~bart/ldap/ldap...ian/index.html

which helped me.

Check out the part that shows the example LDIF config:
http://www.jukie.net/~bart/ldap/ldap...mple-base.ldif

-cisc0ninja
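
An added example, not code from either poster: how the `userPassword` values in these LDIFs are built and verified. The `{MD5}XXXX==` form in the post above is the RFC 2307 style value that `slappasswd -h {MD5}` prints, base64 of an unsalted MD5 digest; slapd's default `{SSHA}` is base64 of `sha1(password + salt)` followed by the salt. `slappasswd` always hashes a plaintext password; an existing crypt(3) hash copied from `/etc/shadow` can only be reused verbatim under the `{CRYPT}` scheme, which this example deliberately leaves out because it needs crypt(3). The `userPassword::` double colon in the LDIF dumps earlier in the thread means the value is base64-encoded on the wire, so the decoder here handles both `:` and `::` lines. The sample password, salt and LDIF line are constructed for the example.

```python
"""RFC 2307 userPassword schemes as written by slappasswd (added example, not from the post).

Supports unsalted {MD5}/{SHA} and salted {SMD5}/{SSHA}; {CRYPT} is not implemented.
"""
import base64
import hashlib
import hmac
import os

# Digest length in bytes per scheme; for salted schemes the salt follows the digest.
DIGEST_LEN = {"SSHA": 20, "SHA": 20, "SMD5": 16, "MD5": 16}
ALGO = {"SSHA": "sha1", "SHA": "sha1", "SMD5": "md5", "MD5": "md5"}


def make_userpassword(plaintext, scheme="SSHA", salt=None):
    """Return '{SCHEME}base64(digest [+ salt])', the value slappasswd -h {SCHEME} prints."""
    scheme = scheme.upper()
    if scheme not in DIGEST_LEN:
        raise ValueError("unsupported scheme " + scheme)
    if scheme in ("SSHA", "SMD5"):
        if salt is None:
            salt = os.urandom(4)  # slappasswd's default salt length is 4 bytes
    else:
        salt = b""  # unsalted: the same password always yields the same value
    digest = hashlib.new(ALGO[scheme], plaintext.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_userpassword(stored, plaintext):
    """Verify plaintext against a stored value; values without {SCHEME} are cleartext."""
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), plaintext.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in DIGEST_LEN:
        raise ValueError("unsupported scheme " + scheme)  # e.g. {CRYPT}
    raw = base64.b64decode(b64)
    n = DIGEST_LEN[scheme]
    digest, salt = raw[:n], raw[n:]  # salt is empty for the unsalted schemes
    candidate = hashlib.new(ALGO[scheme], plaintext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attribute(line):
    """Split one LDIF line into (name, value); 'name:: value' means value is base64."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest.strip()


# Constructed sample: an {SSHA} value with a fixed salt so the run is reproducible,
# wrapped in the double-colon LDIF form that slapcat prints for userPassword.
SAMPLE_VALUE = make_userpassword("correct horse", "SSHA", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF_LINE = "userPassword:: " + base64.b64encode(SAMPLE_VALUE.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print("LDIF line :", SAMPLE_LDIF_LINE)
    name, value = ldif_attribute(SAMPLE_LDIF_LINE)
    print("decoded   :", name, value)
    print("correct pw:", check_userpassword(value, "correct horse"))
    print("wrong pw  :", check_userpassword(value, "wrong horse"))
    print("unsalted  :", make_userpassword("correct horse", "MD5"))
```

Two things worth seeing in the output: two `{SSHA}` values for the same password differ (random salt) while two `{MD5}` values are identical, which is why the unsalted schemes are a poor choice when the ACL lets other users read the attribute; and verification never compares strings, it re-derives the digest with the stored salt and uses a constant-time comparison.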

fuzzyworm 10-09-2008 04:51 PM

Thanks for that, I had a quick look at the site, and I'll try it again.

I still haven't got it to work, but I'll let you know if I do.

irishbitte 10-16-2008 09:48 AM

Once you get your admin user up and running, you really should install phpldapadmin on your LDAP server, it will allow you to administer / add / remove groups / users detail, make backups of your LDAP server and so on. Well worth it, and easy to use!

fuzzyworm 01-01-2009 03:29 PM

Thanks everyone. I tried an uninstall and reinstall, and somehow it now works. I have no idea what I did differently, but I'm not complaining.

Thanks for the phpldapadmin heads up, I do indeed use that, and it is very good.
