LinuxQuestions.org
Old 09-22-2008, 04:59 PM   #1
fuzzyworm
Member
 
Registered: Sep 2003
Location: Stroud, UK
Distribution: Kubuntu, Debian
Posts: 149

Rep: Reputation: 15
Ubuntu 8.04 / LDAP / NSS / PAM - not sharing shadow password hence not authenticating


Dear all,

I'm trying to set up a Single Sign-On server with all sorts of fancy bells and whistles; however, I'm having a spot of bother getting the LDAP working.

I have followed the Ubuntu tutorials:
https://help.ubuntu.com/community/OpenLDAPServer
https://help.ubuntu.com/community/LD...Authentication

I have succeeded in getting LDAP installed, and populated with some sample data (Lionel Porcheron is from the sample in one of the tutorials, in case anyone's curious):
Code:
dn: dc=sjsscr
objectClass: top
objectClass: dcObject
objectClass: organization
o: sjsscr
dc: sjsscr
structuralObjectClass: organization
entryUUID: d7ae7f30-1ae6-102d-8447-15d4f12ff726
creatorsName:
createTimestamp: 20080919223419Z
entryCSN: 20080919223419.031498Z#000000#000#000000
modifiersName:
modifyTimestamp: 20080919223419Z

dn: cn=admin,dc=sjsscr
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <HERE IS A HASH>
structuralObjectClass: organizationalRole
entryUUID: d7af6026-1ae6-102d-8448-15d4f12ff726
creatorsName:
createTimestamp: 20080919223419Z
entryCSN: 20080919223419.037426Z#000000#000#000000
modifiersName:
modifyTimestamp: 20080919223419Z

dn: ou=people,dc=sjsscr
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit
entryUUID: 23b1d436-1ae7-102d-9940-e5554e7aba35
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080919223626Z
entryCSN: 20080919223626.560366Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080919223626Z

dn: ou=groups,dc=sjsscr
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit
entryUUID: 23b267d4-1ae7-102d-9941-e5554e7aba35
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080919223626Z
entryCSN: 20080919223626.564146Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080919223626Z

dn: uid=lionel,ou=people,dc=sjsscr
l: Toulouse
o: Example
uidNumber: 1050
cn: Lionel Porcheron
mobile: +33 (0)6 xx xx xx xx
title: System Administrator
loginShell: /bin/bash
gecos: Lionel Porcheron
uid: lionel
initials: LP
homePhone: +33 (0)5 xx xx xx xx
sn: Porcheron
gidNumber: 1050
homeDirectory: /home/lionel
postalCode: 31000
displayName: Lionel Porcheron
givenName: Lionel
mail: lionel.porcheron@example.com
structuralObjectClass: inetOrgPerson
entryUUID: 76739cd8-1b49-102d-9a70-4db677d54d65
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080920102016Z
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
userPassword:: <HERE IS A HASH>
entryCSN: 20080920104638.674650Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080920104638Z

dn: cn=lionel,ou=groups,dc=sjsscr
gidNumber: 1050
cn: lionel
objectClass: posixGroup
memberUid: lionel
structuralObjectClass: posixGroup
entryUUID: 7674fea2-1b49-102d-9a71-4db677d54d65
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080920102016Z
entryCSN: 20080920102016.092077Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080920102016Z

dn: cn=Joe B. Bloggs,ou=people,dc=sjsscr
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
displayName: Joe B. Bloggs
uidNumber: 1051
cn: Joe B. Bloggs
initials: B
loginShell: /bin/bash
gecos: Joe B. Bloggs
uid: jbloggs
sn: Bloggs
userPassword:: <HERE IS A HASH>
gidNumber: 1050
homeDirectory: /home/jbloggs
givenName: Joe
structuralObjectClass: inetOrgPerson
entryUUID: ba00e914-1d0c-102d-9677-459d07d375fb
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080922161032Z
entryCSN: 20080922161032.441420Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080922161032Z
I can then access this data with:
Code:
# ldapsearch -xLLL -b "dc=sjsscr" uid=lionel sn givenName cn
dn: uid=lionel,ou=people,dc=sjsscr
cn: Lionel Porcheron
sn: Porcheron
givenName: Lionel
I can even switch user from root to Lionel or Joe Bloggs; however, when I try to start a new shell, either over SSH or on a TTY, it won't authenticate.

I did getent:
Code:
# getent shadow lionel
lionel:*:::::::0
# getent passwd lionel
lionel:x:1050:1050:Lionel Porcheron:/home/lionel:/bin/bash
As you can see, it has no problem getting the passwd details, but it's not getting the Shadow password. I presume that this is why the thing won't authenticate.

I have included my setup details below. If anyone has had any luck getting this combination working, I would be most grateful for some pointers. If you need more info re. my setup, please let me know.

nsswitch.conf:
Code:
# /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat ldap

# Note I have tried 'compat' and 'files' for this, it seemed to make no difference.

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:
pam.d/common-account:
Code:
account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so
account    required     pam_deny.so
pam.d/common-auth:
Code:
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
pam.d/common-password:
Code:
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_deny.so
pam.d/common-session:
Code:
session    required     pam_limits.so
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_unix.so
session    optional     pam_ldap.so
ldap/slapd.conf:
Code:
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid

argsfile        /var/run/slapd/slapd.args

loglevel        none

modulepath      /usr/lib/ldap
moduleload      back_hdb

sizelimit 500

tool-threads 1

backend         hdb


database        hdb

suffix          "dc=sjsscr"

rootdn          "cn=admin,dc=sjsscr"
rootpw          {SSHA}<HERE IS A HASH>

directory       "/var/lib/ldap"


dbconfig set_cachesize 0 2097152 0


dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index           objectClass eq

lastmod         on

checkpoint      512 30


access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=sjsscr" write
        by anonymous auth
        by self write
        by * read

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=sjsscr" write
        by * read
ldap.conf:
Code:
base dc=sjsscr

uri ldapi:///127.0.0.1

ldap_version 3

rootbinddn cn=admin,dc=sjsscr

pam_password md5

nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,dnsmasq,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,openldap,polkituser,proxy,root,sshd,statd,sync,sys,syslog,uucp,www-data
ldap/ldap.conf:
Code:
BASE           dc=sjsscr
URI            ldap://127.0.0.1
#TS_REQCRT      allow

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

Last edited by fuzzyworm; 10-09-2008 at 03:42 PM. Reason: I left my rootpw in :(
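The two pieces of the poster's output worth reading side by side are the `getent shadow` line and the `common-auth` stack, because they belong to different subsystems: NSS supplies account data, PAM decides whether a login succeeds. The block below is an added example, not code from the thread or from nss_ldap/pam_ldap. It parses shadow-format lines as `getent shadow` prints them and labels the password column, then walks a PAM-style stack with Linux-PAM's `required`/`requisite`/`sufficient`/`optional` semantics over constructed pass/fail results. Two facts it leans on: the PADL nss_ldap module fills the password column with `*` when the identity it bound as could not read `userPassword` (under the posted ACL an anonymous bind gets only `auth` on that attribute, since the first matching `by` clause wins, and `rootbinddn` is only used when the bind password is present in `/etc/ldap.secret`), and pam_ldap authenticates by binding to the directory as the user's DN, which does not need a readable hash at all. The module order is taken from the posted `common-auth`; every shadow line and every module result is constructed.

```python
"""Added example: read getent-shadow output and evaluate a PAM-style stack.

All sample data is constructed for the demonstration; nothing here contacts
an LDAP server or libpam.
"""

# /etc/shadow field order (shadow(5)); `getent shadow` prints the same layout.
SHADOW_FIELDS = ("name", "password", "lastchange", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire", "reserved")


def parse_shadow_line(line):
    """Split one shadow-format line into a dict keyed by SHADOW_FIELDS."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(SHADOW_FIELDS):
        raise ValueError(f"expected {len(SHADOW_FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(SHADOW_FIELDS, parts))


def classify_password(field):
    """Say what kind of value sits in the password column."""
    if field == "x":
        return "deferred-to-shadow"      # passwd-style placeholder
    if field == "":
        return "empty-password"          # login with no password (needs nullok)
    if field == "*" or field.startswith("!"):
        # '*' and '!' never match any password. nss_ldap emits '*' when the
        # bound identity could not read userPassword (see lead-in).
        return "no-usable-hash"
    if field.startswith("$") or field.startswith("{"):
        return "hash"
    return "unknown"


def shadow_report(line):
    """Return (password class, list of ageing fields that carry a value)."""
    entry = parse_shadow_line(line)
    ageing = [k for k in SHADOW_FIELDS[2:] if entry[k] != ""]
    return classify_password(entry["password"]), ageing


# --- PAM stack evaluation (Linux-PAM simple control flags) -------------------

COMMON_AUTH = [  # module order and controls as in the posted pam.d/common-auth
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]


def run_pam_stack(stack, results):
    """Evaluate a stack of (control, module) against per-module pass/fail.

    required:   failure is remembered but the stack keeps running.
    requisite:  failure ends the stack immediately with failure.
    sufficient: success ends the stack with success unless an earlier
                required module already failed; failure is ignored.
    optional:   ignored here (it only matters when it is the sole module).
    pam_deny.so always fails, whatever `results` says.
    """
    required_failed = False
    for control, module in stack:
        ok = False if module == "pam_deny.so" else results.get(module, False)
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not required_failed:
            return True
    return not required_failed


if __name__ == "__main__":
    # Constructed lines: the first has the shape of the poster's output, the
    # second is what a populated shadowAccount entry would look like.
    for line in ("lionel:*:::::::0",
                 "jbloggs:$1$saltsalt$CONSTRUCTEDHASHVALUEXX:14154:0:99999:7:::"):
        print(line.split(":")[0], shadow_report(line))
    # LDAP-only user: pam_unix fails (not in /etc/shadow), the bind as the user
    # succeeds, so the stack returns success before reaching pam_deny.
    print(run_pam_stack(COMMON_AUTH,
                        {"pam_env.so": True, "pam_unix.so": False, "pam_ldap.so": True}))
```

The report for the constructed `lionel:*:::::::0` line comes back as `no-usable-hash` with every ageing field empty, which is the signature of the NSS bind lacking read access to `userPassword` and the `shadow*` attributes rather than of a missing entry. The stack walk shows why that alone need not block a login: with both `pam_unix` and `pam_ldap` marked `sufficient`, a failed `pam_unix` is ignored and a successful LDAP bind ends the stack with success; only if the bind also fails does `pam_deny` get its turn.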
 
Old 10-08-2008, 05:14 AM   #2
cisc0ninja
LQ Newbie
 
Registered: Oct 2008
Posts: 2

Rep: Reputation: 0
I was having the exact same issue

I have not fixed it yet, but I believe I just found out how!
I will implement this change once I get off work!

Basically, if you can do a getent passwd username
and it shows up
but it doesn't show up with the shadow password when you do a getent shadow username

you need to do a slappasswd -h (then the md5 password for the user which is located in your /etc/shadow file)

then you have to copy the encrypted password it outputs and put it in an LDIF for that user!

as shown in the example:
dn: cn=admin,dc=example
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP Administrator user
userPassword: {MD5}XXXXXXXXXXXXXXXXXXXXXX== <---(this is where you paste)

once that is added in it SHOULD work
I'll get back to you if it works for me or not, but I just thought of this and now need to go try myself.

-cisc0ninja
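slappasswd prints an RFC 2307 `userPassword` value; its `-h` option selects the scheme (`{SSHA}` is the default, `{MD5}` and `{SHA}` are the unsalted ones), and the result is what goes into the LDIF as shown above. The block below is an added example, not code from the thread or from OpenLDAP: it builds and verifies `{MD5}`, `{SHA}` and `{SSHA}` values the way slapd encodes them (base64 of the digest; for `{SSHA}` the 4-byte salt is appended after the SHA-1 digest before encoding), so a value pasted into an LDIF can be checked for what it actually is. The test password `secret` and the fixed salt are constructed. Two caveats worth keeping in mind: the unsalted schemes let identical passwords produce identical values and are cheap to precompute against, so `{SSHA}` is the minimum to prefer where these are the only choices; and where slapd is built with crypt support, `{CRYPT}` followed by the crypt(3) string verbatim lets an existing `/etc/shadow` hash be carried into the directory without re-hashing.

```python
"""Added example: make and verify RFC 2307 userPassword values ({MD5}, {SHA}, {SSHA})."""
import base64
import hashlib
import hmac
import os

SSHA_DIGEST_LEN = 20  # SHA-1 digest size; in {SSHA} the salt follows the digest


def make_userpassword(password, scheme="SSHA", salt=None):
    """Encode a password the way slappasswd -h '{SCHEME}' would.

    {MD5} and {SHA} are plain digests; {SSHA} is SHA-1 over password+salt with
    the salt appended to the digest before base64 (slapd's layout). A 4-byte
    random salt is drawn when none is given, matching slappasswd's default.
    """
    pw = password.encode("utf-8")
    scheme = scheme.strip("{}").upper()
    if scheme == "MD5":
        raw = hashlib.md5(pw).digest()
    elif scheme == "SHA":
        raw = hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt
        raw = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError(f"unsupported scheme {{{scheme}}}")
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def split_userpassword(value):
    """Return (SCHEME, decoded bytes) for a '{SCHEME}base64' value."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not an RFC 2307 scheme-prefixed value")
    scheme, _, b64 = value[1:].partition("}")
    return scheme.upper(), base64.b64decode(b64)


def verify_userpassword(stored, candidate):
    """Constant-time check of a candidate password against a stored value."""
    scheme, raw = split_userpassword(stored)
    pw = candidate.encode("utf-8")
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        digest, salt = raw[:SSHA_DIGEST_LEN], raw[SSHA_DIGEST_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError(f"unsupported scheme {{{scheme}}}")


def is_salted(stored):
    """True when the scheme mixes in a salt, so equal passwords give different values."""
    return split_userpassword(stored)[0] == "SSHA"


if __name__ == "__main__":
    # Constructed test password; the {MD5} form is deterministic, {SSHA} is not.
    for scheme in ("MD5", "SHA", "SSHA"):
        value = make_userpassword("secret", scheme)
        print(scheme, value, "salted" if is_salted(value) else "unsalted",
              verify_userpassword(value, "secret"))
```

Running it twice shows the point about salting directly: the `{MD5}` and `{SHA}` lines repeat verbatim between runs, while the `{SSHA}` line changes every time and still verifies.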
 
Old 10-08-2008, 05:15 AM   #3
cisc0ninja
LQ Newbie
 
Registered: Oct 2008
Posts: 2

Rep: Reputation: 0
The website(s) I used

I used the website: http://www.jukie.net/~bart/ldap/ldap...ian/index.html

which helped me

Check out the part that shows the example LDIF config of:
http://www.jukie.net/~bart/ldap/ldap...mple-base.ldif

-cisc0ninja
 
Old 10-09-2008, 04:51 PM   #4
fuzzyworm
Member
 
Registered: Sep 2003
Location: Stroud, UK
Distribution: Kubuntu, Debian
Posts: 149

Original Poster
Rep: Reputation: 15
Thanks for that, I had a quick look at the site, and I'll try it again.

I still haven't got it to work, but I'll let you know if I do.
 
Old 10-16-2008, 09:48 AM   #5
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
Once you get your admin user up and running, you really should install phpldapadmin on your LDAP server, it will allow you to administer / add / remove groups / users detail, make backups of your LDAP server and so on. Well worth it, and easy to use!
 
Old 01-01-2009, 03:29 PM   #6
fuzzyworm
Member
 
Registered: Sep 2003
Location: Stroud, UK
Distribution: Kubuntu, Debian
Posts: 149

Original Poster
Rep: Reputation: 15
Thanks everyone, I tried an uninstall and reinstall, and somehow it now works. I have no idea what I did differently, but I'm not complaining.

Thanks for the phpldapadmin heads up, I do indeed use that, and it is very good.
 
  

