Old 09-21-2006, 04:34 AM   #1
piaf666
LQ Newbie
 
Registered: Sep 2006
Location: France
Posts: 4

Rep: Reputation: 0
openldap pam : User not known to the underlying authentication module


Hello there

I am trying to log in with an LDAP user named "test2", but it doesn't work. Let me explain...

I'm using FC4. I have created ou=people in LDAP and the test2 posixAccount.


Via phpldapadmin I can authenticate as Manager and as test2.

When I log in as test2 with the correct password I get this in /var/log/messages:

Sep 21 09:05:46 buggy login(pam_unix)[2906]: check pass; user unknown
Sep 21 09:05:46 buggy login(pam_unix)[2906]: authentication failure; logname= uid=0 euid=0 tty=tty3 ruser= rhost=
Sep 21 09:05:47 buggy login(pam_unix)[2906]: could not identify user (from getpwnam(test2))
Sep 21 09:05:47 buggy login[2906]: User not known to the underlying authentication module


The same test with a bad password:

Sep 21 09:08:14 buggy login(pam_unix)[3364]: check pass; user unknown
Sep 21 09:08:14 buggy login(pam_unix)[3364]: authentication failure; logname= uid=0 euid=0 tty=tty3 ruser= rhost=
Sep 21 09:08:14 buggy login[3364]: pam_ldap: error trying to bind as user "cn=test2,ou=people,dc=test,dc=com" (Invalid credentials)
Sep 21 09:08:17 buggy login[3364]: FAILED LOGIN 1 FROM (null) FOR test2, Authentication failure


So slapd seems to work. Is it an account module problem or something like that?

I made another test with the id command. Here is the trace:

[root@buggy ~]# strace -o info.txt id test2
id: test2: usager inexistant.

[root@buggy ~]# cat info.txt |grep -E '(nss|ldap)'
open("/etc/nsswitch.conf", O_RDONLY) = 3
read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1702
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/lib/libnss_ldap.so.2", O_RDONLY) = 3
open("/etc/ldap.conf", O_RDONLY) = 3
read(3, "# @(#)$Id: ldap.conf,v 1.34 2004"..., 4096) = 4096
open("/etc/ldap.secret", O_RDONLY) = 3
open("/etc/openldap/ldap.conf", O_RDONLY) = 3
read(3, "# $OpenLDAP: pkg/ldap/libraries/"..., 4096) = 404
open("/root/ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/root/.ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory)


ldaprc is not found. Is that important? I don't think so.
/etc/nsswitch.conf is set with ldap.
Next, some config files:

[root@buggy pam.d]# cat system-auth
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_localuser.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/pam_ldap.so
account required /lib/security/pam_deny.so

password required /lib/security/pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow use_authtok
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

[root@buggy pam.d]# cat login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open

ldap.conf
host 127.0.0.1
base dc=test,dc=com
rootbinddn cn=Manager,dc=test,dc=com
scope sub
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
nss_base_passwd ou=people,dc=test,dc=com?sub
nss_base_shadow ou=people,dc=test,dc=com?sub
nss_base_group ou=group,dc=test,dc=com?sub
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5


nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap


Any idea will be welcome (debug process, tips...)

Thank you very much for your attention
Steph
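Two small shell helpers, added here as an example and not part of the original post, that make the diagnosis the logs above already contain explicit: the first reads a /var/log/messages excerpt and tells an NSS resolution failure ("could not identify user (from getpwnam(...))", which means the directory account never reached PAM) apart from an LDAP bind refused for a wrong password; the second reports which of passwd, shadow and group in an nsswitch.conf do not list the ldap source. The sample inputs are the two log excerpts quoted above plus two constructed nsswitch.conf files; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: two helpers for the failure the first
# post shows. classify_login_failure tells an NSS resolution failure apart
# from an LDAP password rejection by reading /var/log/messages;
# nsswitch_missing_ldap reports which NSS databases do not list ldap.

# Print nss-unresolved, ldap-bad-password or unknown for a syslog excerpt.
classify_login_failure() {
    logfile="$1"
    if grep -q 'could not identify user (from getpwnam(' "$logfile"; then
        # pam_unix asked NSS for the account and got nothing back: the
        # directory user never reached PAM, so nss_ldap/nsswitch.conf is
        # the place to look, not the PAM stack.
        echo nss-unresolved
    elif grep -q 'pam_ldap: error trying to bind as user .*(Invalid credentials)' "$logfile"; then
        # pam_ldap reached the server and the bind was refused: the
        # account resolves, the password is wrong.
        echo ldap-bad-password
    else
        echo unknown
    fi
}

# Print the names among passwd, shadow and group whose nsswitch.conf line
# does not include ldap (empty output means all three do).
nsswitch_missing_ldap() {
    awk '
        /^[ \t]*#/ { next }
        /^(passwd|shadow|group):/ {
            db = $1; sub(/:$/, "", db)
            for (i = 2; i <= NF; i++) if ($i == "ldap") has[db] = 1
        }
        END {
            n = split("passwd shadow group", want, " ")
            for (j = 1; j <= n; j++) if (!(want[j] in has)) print want[j]
        }' "$1"
}

# Sample inputs: the two syslog excerpts from the first post, and two
# constructed nsswitch.conf files (one complete, one with shadow left out).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/messages.goodpw" <<'EOF'
Sep 21 09:05:46 buggy login(pam_unix)[2906]: check pass; user unknown
Sep 21 09:05:46 buggy login(pam_unix)[2906]: authentication failure; logname= uid=0 euid=0 tty=tty3 ruser= rhost=
Sep 21 09:05:47 buggy login(pam_unix)[2906]: could not identify user (from getpwnam(test2))
Sep 21 09:05:47 buggy login[2906]: User not known to the underlying authentication module
EOF
cat > "$tmp/messages.badpw" <<'EOF'
Sep 21 09:08:14 buggy login(pam_unix)[3364]: check pass; user unknown
Sep 21 09:08:14 buggy login(pam_unix)[3364]: authentication failure; logname= uid=0 euid=0 tty=tty3 ruser= rhost=
Sep 21 09:08:14 buggy login[3364]: pam_ldap: error trying to bind as user "cn=test2,ou=people,dc=test,dc=com" (Invalid credentials)
Sep 21 09:08:17 buggy login[3364]: FAILED LOGIN 1 FROM (null) FOR test2, Authentication failure
EOF
printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n' > "$tmp/nsswitch.ok"
printf '# local first, then the directory\npasswd: files ldap\nshadow: files\ngroup: files ldap\n' > "$tmp/nsswitch.broken"

echo "good password: $(classify_login_failure "$tmp/messages.goodpw")"    # nss-unresolved
echo "bad password:  $(classify_login_failure "$tmp/messages.badpw")"     # ldap-bad-password
echo "missing ldap in: $(nsswitch_missing_ldap "$tmp/nsswitch.broken")"   # shadow
```

On a live host, run `classify_login_failure /var/log/messages` right after a failed login attempt and `nsswitch_missing_ldap /etc/nsswitch.conf`; an nss-unresolved verdict with a complete nsswitch.conf points at the nss_ldap library or /etc/ldap.conf rather than at the PAM stack.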
 
Old 09-23-2006, 01:04 AM   #2
piaf666
LQ Newbie
 
Registered: Sep 2006
Location: France
Posts: 4

Original Poster
Rep: Reputation: 0
Well, I have updated nss_pam and now the id command gives me an answer.
PAM still rejects the login, but work is in progress!

Bye
 
Old 10-09-2008, 03:27 PM   #3
membit
LQ Newbie
 
Registered: Nov 2006
Location: Finland
Distribution: OpenSuse
Posts: 26

Rep: Reputation: 15
Hello,

Even though this is an old thread, I would like to raise it, as I have exactly the same problem.
Distribution is OpenSuse 10.2.

Authentication works, but sshd and PAM return the following message in the /var/log/messages file:
sshd [pid]: PAM: User not known to the underlying authentication module for [userID]

In the sshd config, PAM is enabled.
Also, Kerberos is not enabled.

Last edited by membit; 10-09-2008 at 03:32 PM.
 
Old 10-12-2008, 09:46 AM   #4
piaf666
LQ Newbie
 
Registered: Sep 2006
Location: France
Posts: 4

Original Poster
Rep: Reputation: 0
See below a dump of the documentation I wrote in 2006 about LDAP (in French, as you can see). I also have documentation about LDAP+POSTFIX+SAMBA.
----------------

• Environment

Operating system: Fedora Core 5, kernel 2.6.15
RPM packages:
- openldap-servers-2.3.19-4
- openldap-2.3.19-4
- openldap-clients-2.3.19-4
- nss_ldap-249-1

domain: test.com

• File /etc/hosts
Quote:
127.0.0.1 bunny.test.com bunny localhost
• File /etc/openldap/slapd.conf. Configuration file for the slapd daemon
Quote:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=test,dc=com"
rootdn "cn=manager,dc=test,dc=com"
rootpw secret
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

Notes:
- include: inclusion of the various standard schemas needed to use the most common attributes. If an attribute is missing, it is possible to create your own schema.
- suffix: DN suffix used for querying the database
- rootdn: DN with no restriction on operations on the database

• File /etc/ldap.conf
Quote:
host 127.0.0.1
base dc=test,dc=com
rootbinddn cn=manager,dc=test,dc=com
nss_initgroups_ignoreusers root,ldap

Notes:
- base: the base DN for default searches
- rootbinddn: the DN used by root. This DN will be created via the LDIF file below.

• File /etc/ldap.secret. Contains the password used by the client machine. File mode chmod 600.
Quote:
secret

• LDIF file
Quote:
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain

dn: cn=manager,dc=test,dc=com
objectClass: organizationalRole
cn: manager

Note: this LDIF file adds the test and manager entries.

Inserting the LDIF file
# ldapadd -c -x -h localhost -D "cn=manager,dc=test,dc=com" -W -f lefichier.ldif


• File /etc/pam.d/system-auth. Pluggable Authentication Module. Handles the authentication tasks of applications on the system.
Quote:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_ldap.so [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore]
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so

• File /etc/nsswitch.conf. Specifies where to find the system databases and in which order to query them.
Quote:
passwd: files ldap
shadow: files ldap
group: files ldap

• Phpldapadmin

Useful for managing your LDAP directory from a web browser. Tool written in PHP.

From the preceding information and the insertion of the LDIF file's data, it is possible to connect as follows:
Login DN: cn=manager, dc=test, dc=com
password: secret

Example of populating the directory:

Add the OU group (organizationalUnit) to store our user groups
Add the group CN user (posixGroup)

Add the OU people (organizationalUnit) to store our users
Add the user user1 (posixAccount), which belongs to the group user: homedirectory: /home/user1 (to be created), loginshell: /bin/bash, uid: user1, userPassword (md5), group user.

The home directory is then created manually and the owner and group set. In production, one should therefore plan a script (or scripts) for on-the-fly account creation (LDAP population, setting of permissions, ...).

• Debugging

id command: retrieves the information about an account. Typically you query a system account and an LDAP account to verify that the system databases are accessed correctly. It therefore lets you verify that ldap, nsswitch and pam are configured.
Example:
#id root
#id user1 (ldap account)

getent command: displays the whole of the different databases (passwd, group, ...)
Example:
#getent passwd
Will display all the accounts present in /etc/passwd, followed by those found in LDAP.

tail -f /var/log/messages command: to follow the system messages in real time during the various LDAP tests.

• Tests

Test 1: opening a shell on Linux using an LDAP account

Test 2: installing Postfix and testing message delivery between local/LDAP accounts

Test 3 (not carried out): introducing Samba. Use of the samba attributes (password management, samba schema and objectclass sambaSAMAccount). Check whether an OU computer is needed to register the domain machines.


Appendix

• File /etc/init.d/ldap: starting slapd
Note: it may be necessary to change the service's start and stop priority if the server hangs at boot (chkconfig: - 27 73)
Quote:
#!/bin/bash
# ldap This shell script takes care of starting and stopping
# ldap servers (slapd and slurpd).
#
# chkconfig: - 27 73
# description: LDAP stands for Lightweight Directory Access Protocol, used \
# for implementing the industry standard directory services.
# processname: slapd
# config: /etc/openldap/slapd.conf
# pidfile: /var/run/openldap/slapd.pid
...
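The debugging section of the write-up above relies on `getent passwd` listing the local accounts first and the directory accounts after them, and it says home directories for directory users must be created by hand. The following shell helpers are an added example, not part of the write-up or of any project: they compare a `getent passwd` dump with the local passwd file to list the accounts served by nss_ldap, flag directory accounts whose home directory does not exist yet, and flag directory accounts whose uidNumber collides with a local account (a directory entry with uidNumber 0 would be a second root). The sample passwd data and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the write-up above: compare a `getent passwd` dump
# with the local passwd file to audit the accounts served by nss_ldap.

# Usernames present in a getent-passwd dump but absent from the local passwd
# file, i.e. the accounts NSS fetched from the directory.
directory_accounts() {
    awk -F: 'NR == FNR { local[$1] = 1; next } !($1 in local) { print $1 }' "$2" "$1"
}

# Directory accounts whose home directory does not exist under root_prefix
# (pass "" to check the real filesystem). Prints "user:home-missing".
missing_homes() {
    root_prefix="$3"
    directory_accounts "$1" "$2" | while read -r user; do
        home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$1")
        [ -d "$root_prefix$home" ] || echo "$user:home-missing"
    done
}

# Directory accounts reusing the uid of a local account.
# Prints "user:uid:localuser"; a uid 0 hit means the directory grants root.
uid_collisions() {
    awk -F: 'NR == FNR { localname[$1] = 1; localuid[$3] = $1; next }
             !($1 in localname) && ($3 in localuid) { print $1 ":" $3 ":" localuid[$3] }' "$2" "$1"
}

# Constructed sample data: a local passwd with two entries and a getent dump
# that adds user1 (home created) and user2 (no home, and uidNumber 0).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
EOF
cat > "$tmp/getent" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
user1:x:1001:1000:user1:/home/user1:/bin/bash
user2:x:0:1000:user2:/home/user2:/bin/bash
EOF
mkdir -p "$tmp/root/home/user1"

# On a live host: getent passwd > /tmp/getent.out, then pass that file and
# /etc/passwd, with "" as the root prefix.
directory_accounts "$tmp/getent" "$tmp/passwd"          # user1, user2
missing_homes "$tmp/getent" "$tmp/passwd" "$tmp/root"   # user2:home-missing
uid_collisions "$tmp/getent" "$tmp/passwd"              # user2:0:root
```

Running the audit right after `id user1` starts working catches the two things the write-up leaves to manual work: the missing home directory that breaks the first shell login, and a uidNumber in the directory that silently maps onto a local account.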
 
Old 10-21-2008, 11:31 AM   #5
membit
LQ Newbie
 
Registered: Nov 2006
Location: Finland
Distribution: OpenSuse
Posts: 26

Rep: Reputation: 15
OK, I don't have a dictionary to translate this.
Anyway, do you remember what the corrective action was that got rid of this message in your case:
Quote:
buggy login[2906]: User not known to the underlying authentication module
As I have a similar one, but from sshd:
Quote:
sshd [pid]: PAM: User not known to the underlying authentication module for [userID]
 
Old 10-22-2008, 03:11 AM   #6
piaf666
LQ Newbie
 
Registered: Sep 2006
Location: France
Posts: 4

Original Poster
Rep: Reputation: 0
Sorry, I don't remember.
Quote:
Well, I have updated nss_pam and now the id command give me an answer.
You need to follow the debug process described above (French comments, but English commands).
 
  

