I've been reading everything I can find on how to get this working with no luck. I am trying to get pam authentication to use ldap and with su and ssh the following errors are logged to /var/log/messages:
Jan 21 13:30:29 foo.bar.com sshd[9562]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 21 13:31:10 foo.bar.com su: pam_ldap: ldap_simple_bind Can't contact LDAP server
If I do an ldapsearch from this same machine it works:
ldapsearch -x -b "dc=bar,dc=com" cn=brandon
...
I'm not clear on if /etc/pam_ldap.conf needs to exist or if /etc/ldap.conf is sufficient for pam. This is on a
This isn't a direct help since it's Debian and not Fedora, but I do know all the steps are included, and that was the problem I ran into when I was attempting to implement this. YMMV, but this DOES include everything necessary to get the LDAP PAM and libnss stuff to work if you have the right packages installed.
Code:
Replace /etc/ldap/slapd.conf with the following:
---
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database bdb
suffix "dc=fakedom,dc=dom"
rootdn "cn=admin,dc=fakedom,dc=dom"
rootpw (run slappasswd and paste output here)
directory "/var/lib/ldap"
lastmod on
# The "by" clauses must be indented: slapd.conf treats a line that starts
# with whitespace as a continuation of the access directive above it.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=fakedom,dc=dom" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=fakedom,dc=dom" write
        by * read
---
Replace /etc/nsswitch.conf with the following:
---
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
---
Replace /etc/libnss-ldap.conf with the following:
---
base dc=fakedom,dc=dom
uri ldap://127.0.0.1
ldap_version 3
rootbinddn cn=admin,dc=fakedom,dc=dom
---
Replace /etc/pam_ldap.conf with the following:
---
host 127.0.0.1
base dc=fakedom,dc=dom
uri ldap://127.0.0.1
ldap_version 3
rootbinddn cn=admin,dc=fakedom,dc=dom
pam_password exop
---
Replace /etc/ldap/ldap.conf with the following:
---
BASE dc=fakedom,dc=dom
URI ldap://127.0.0.1
---
Create a base.ldif file in /tmp to import into the directory to test against (entries in LDIF are separated by one blank line):
---
dn: dc=fakedom,dc=dom
objectClass: top
objectClass: dcObject
objectClass: organization
o: fakedom.dom
dc: fakedom

dn: cn=admin,dc=fakedom,dc=dom
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: (Paste output from slappasswd)

dn: ou=People,dc=fakedom,dc=dom
ou: People
objectClass: organizationalUnit
objectClass: top

dn: uid=testy,ou=People,dc=fakedom,dc=dom
uid: testy
cn: testy
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/testy
gecos: Testy,,,,
userPassword: (Paste output from slappasswd)
---
# /etc/init.d/slapd restart
# ldapadd -x -W -D 'cn=admin,dc=fakedom,dc=dom' -f /tmp/base.ldif (enter password when prompted)
# /etc/init.d/slapd restart
# getent passwd | grep testy (should return testy's entry)
# /etc/init.d/openbsd-inetd start
# telnet localhost and use testy's login credentials; if it works you're set... if not, reread and try again.
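A small diagnostic, added here and not from either poster, that reads the server setting out of two LDAP client config files and reports whether they agree. ldapsearch follows the OpenLDAP library's ldap.conf while pam_ldap and nss_ldap read their own ldap.conf or pam_ldap.conf, so a working ldapsearch next to "Can't contact LDAP server" from pam_ldap is a reason to compare the two. The file paths are arguments; the /etc/openldap/ldap.conf and /etc/ldap.conf paths in the usage comment are assumed Fedora defaults.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): show which server each LDAP client
# config file points at, so the file ldapsearch uses can be compared with the
# one pam_ldap/nss_ldap use. Paths are passed as arguments (assumed defaults).

# Print the server(s) a config file points at as host:port, one per line.
# Accepts "URI ldap://host[:port]" (key in any case, several URIs allowed) and
# the older "host a b" plus optional "port n" form. Comment lines are skipped.
ldap_servers_in() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable:$conf"; return 1; }
    uris=$(awk 'tolower($1)=="uri" { for (i=2;i<=NF;i++) print $i }' "$conf")
    if [ -n "$uris" ]; then
        for u in $uris; do
            hp=${u#*://}                  # drop the scheme
            hp=${hp%%/*}                  # drop any trailing path
            case "$hp" in
                *:*) ;;                   # explicit port given
                *) case "$u" in
                       ldaps://*) hp="$hp:636" ;;
                       *)         hp="$hp:389" ;;
                   esac ;;
            esac
            echo "$hp"
        done
        return 0
    fi
    hosts=$(awk 'tolower($1)=="host" { for (i=2;i<=NF;i++) print $i }' "$conf")
    port=$(awk 'tolower($1)=="port" { print $2; exit }' "$conf")
    [ -n "$hosts" ] || { echo "no-server:$conf"; return 1; }
    for h in $hosts; do echo "$h:${port:-389}"; done
}

# Compare the server sets of two config files; non-zero exit on mismatch.
compare_ldap_configs() {
    a=$(ldap_servers_in "$1" | sort -u | tr '\n' ' ')
    b=$(ldap_servers_in "$2" | sort -u | tr '\n' ' ')
    if [ "$a" = "$b" ]; then
        echo "match: $1 and $2 both use $a"
        return 0
    fi
    echo "MISMATCH: $1 -> $a"
    echo "          $2 -> $b"
    return 1
}

# Usage: sh ldapconf-check.sh /etc/openldap/ldap.conf /etc/ldap.conf
if [ "$#" -ge 2 ]; then compare_ldap_configs "$1" "$2"; fi
```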
Thanks for the reply. I'll give your suggestions a try.
Something I failed to mention which is probably very relevant is that I can't get local accounts in /etc/passwd to work either. Even with local accounts, I get the same error in /var/log/messages about not being able to contact the LDAP server. Maybe this means something more fundamental is wrong.