Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
08-30-2012, 04:30 AM | #1 | Member | Registered: Aug 2012 | Posts: 85
pam_ldap cannot bind / why?
Hi,
I have an LDAP server on FreeBSD 9 connecting to an Active Directory server, and it can see AD perfectly. I also have krb5 on my LDAP server, which seems to be working fine using kinit. pam_ldap, nss_ldap and pam_krb5 are also installed.
Now that I want to "su alex", and alex is in Active Directory, I get the error below:
Aug 30 11:06:32 ldap su: pam_ldap: error trying to bind (Invalid credentials)
Aug 30 11:06:32 ldap su: in _openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 11
I know that it is because of the first try at binding, maybe to the LDAP server. I have been looking everywhere for it, and I realized that pam_ldap is using the same ldap.conf file. Here is my ldap.conf file:
-------------------
host 10.0.5.38 #this is the IP of Active directory server
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,cn=users,dc=seth,dc=local
bindpw *******
scope sub
ssl no
pam_password ad
pam_groupdn DC=seth,DC=local?sub
pam_member_attribute uniquemember
nss_base_passwd dc=seth,dc=local?sub
nss_base_shadow dc=seth,dc=local?sub
nss_base_group dc=seth,dc=local?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
-------
As pam_ldap is trying to connect to LDAP (I guess), the IP address in "host 10.0.5.38" cannot work for it (should it?? am I right??). People talk about a file named pam_ldap.conf; I don't have it on my system on FreeBSD 9. I created one in /etc, but it didn't work.
Can you please give me some detailed info about configuring pam_ldap to use LDAP and connect to Active Directory?? I have read every manual I have found, but I cannot find anything useful...
Thanks
08-30-2012, 04:48 AM | #2 | Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
If you're using pam_ldap then you won't need any Kerberos stuff at all.
Can you bind to AD manually from there? There is no "first time" status at all, don't worry about that.
Try an ldapsearch and don't worry about anything else until you know you can get a successful bind that way.
THEN, once that's done, look to update the LDAP config based on what you've found, if anything, and if there's still no progress I would personally look to capture the traffic (plain LDAP on 389 only, of course) and inspect the LDAP operations with Wireshark, comparing PAM to ldapsearch for differences.
One thing I'd mention is that you haven't said you've installed the AD extensions for UNIX? I'm not sure what they're called, but by default there is not enough data in AD to support POSIX logins.
08-30-2012, 05:02 AM | #3 | Member (Original Poster) | Registered: Aug 2012 | Posts: 85
Quote: Originally Posted by acid_kewpie
If you're using pam_ldap then you won't need any Kerberos stuff at all.
Can you bind to AD manually from there? There is no "first time" status at all, don't worry about that.
Try an ldapsearch and don't worry about anything else until you know you can get a successful bind that way.
THEN, once that's done, look to update the LDAP config based on what you've found, if anything, and if there's still no progress I would personally look to capture the traffic (plain LDAP on 389 only, of course) and inspect the LDAP operations with Wireshark, comparing PAM to ldapsearch for differences.
One thing I'd mention is that you haven't said you've installed the AD extensions for UNIX? I'm not sure what they're called, but by default there is not enough data in AD to support POSIX logins.
Yes, I have done all of them. I can see my whole AD with ldapsearch; I can both ldapsearch and also "getent passwd user". Are you sure about not needing Kerberos??
Is it possible to use krb5 and pam_krb5 and not use pam_ldap??
08-30-2012, 05:19 AM | #4 | Member (Original Poster) | Registered: Aug 2012 | Posts: 85
THANKS ALOOOOOOT for the clue!!!!
I did it! I just used kerberos! I think my config had some problem with pam_ldap.... I will look for it...
THANK YOU!!!!
08-30-2012, 05:24 AM | #5 | Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
pam_ldap is used to validate a user's credentials: you use nss_ldap to get the user data from LDAP and pam_ldap to check the password. These things have nothing in common; they really just coincide for a common goal. So you can use nss_ldap for the data from AD and pam_krb5 for the authentication side of things if you want. If that IS the case then you've no interest in pam_ldap in the first place. You *could* validate the password twice, but what's the point of that?
So if you can ldapsearch **BINDING AS THE CHOSEN USER**, not the generic search account (which is what's used for the nss getent goodness), then as above I would compare and contrast with Wireshark. But that's my solution for just about everything!
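Posts #2 and #5 both come down to reproducing pam_ldap's binds by hand with ldapsearch; the script below is an added example (not from the thread) that reads the relevant directives from a constructed copy of the ldap.conf in post #1, builds the lookup filter pam_ldap forms from pam_filter and pam_login_attribute, and prints the two ldapsearch binds to try: first the service account from binddn, then the user. The user alex and the DN CN=alex,CN=Users,DC=seth,DC=local are placeholders, and the bindpw is redacted as in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces by hand the binds pam_ldap
# performs: (1) bind with binddn/bindpw and search for the user's DN,
# (2) bind as that DN with the user's own password.

# Constructed copy of the ldap.conf from post #1 (only the directives used
# here; bindpw redacted as in the post). Set LDAP_CONF to use a real file.
LDAP_CONF=${LDAP_CONF:-/tmp/ldap.conf.example}
cat > "$LDAP_CONF" <<'EOF'
host 10.0.5.38 #this is the IP of Active directory server
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,cn=users,dc=seth,dc=local
bindpw *******
pam_login_attribute sAMAccountName
pam_filter objectclass=User
EOF

# First value of a directive, the way a whitespace-splitting parser reads it.
conf_get() { awk -v k="$1" '$1 == k { print $2; exit }' "$LDAP_CONF"; }

# Report directives with text after their value; comments in ldap.conf are
# whole lines starting with '#', so the trailing note on the host line is suspect.
conf_trailing() {
  awk -v k="$1" '$1 == k && NF > 2 { print "trailing text after " k ": " $0 }' "$LDAP_CONF"
}

# The search filter pam_ldap forms from pam_filter and pam_login_attribute.
user_filter() {
  printf '(&(%s)(%s=%s))' "$(conf_get pam_filter)" "$(conf_get pam_login_attribute)" "$1"
}

# Step 1: bind as the service account (the same bind nss_ldap/getent uses)
# and search for the user's DN. -W prompts for the bindpw.
service_search_cmd() {
  printf 'ldapsearch -x -H "%s" -D "%s" -W -b "%s" "%s" dn\n' \
    "$(conf_get uri)" "$(conf_get binddn)" "$(conf_get base)" "$(user_filter "$1")"
}

# Step 2: bind AS THE USER with the DN found in step 1 (what pam_ldap does
# to check the password); a base-scope read of the user's own entry suffices.
user_bind_cmd() {
  printf 'ldapsearch -x -H "%s" -D "%s" -W -b "%s" -s base "(objectclass=*)" dn\n' \
    "$(conf_get uri)" "$1" "$1"
}

echo "server from uri: $(conf_get uri)   server from host: $(conf_get host)"
conf_trailing host
service_search_cmd alex
user_bind_cmd "CN=alex,CN=Users,DC=seth,DC=local"   # placeholder DN for alex
```

pam_ldap logs a failing user bind as 'error trying to bind as user "..."', so the bare 'error trying to bind (Invalid credentials)' in post #1 comes from the first, binddn/bindpw bind, which is the one to verify before anything else. The script also flags the trailing text on the host line so it can be moved to its own line before comparing anything in Wireshark.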
08-30-2012, 05:26 AM | #6 | Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
Ahh, cool, well whatever you're happy with is fine, but I would ask: if you're already polling account info over LDAP, why change protocol to check the password if you're not interested in the SSO stuff that Kerberos can provide? Maybe you'd actually rather look at doing that "properly" and use winbind for domain membership?
08-30-2012, 06:17 AM | #7 | Member (Original Poster) | Registered: Aug 2012 | Posts: 85
Quote: Originally Posted by acid_kewpie
Ahh, cool, well whatever you're happy with is fine, but I would ask: if you're already polling account info over LDAP, why change protocol to check the password if you're not interested in the SSO stuff that Kerberos can provide? Maybe you'd actually rather look at doing that "properly" and use winbind for domain membership?
Yes, I am going to dig into it. Actually my boss needs it right now, so I have to stop here! But I am going to have a cute home lab and do them all over again and test what's going on. I can find nothing for pam_ldap configuration in FreeBSD 9, and everybody is talking about a pam_ldap.conf which exists in, like, FreeBSD 8... I read the pam_ldap manual and it says pam_ldap uses ldap.conf for configuration, but it is not promised that it always works :O It says you should use other files, and my problem is that I don't know what those other files are!
Anyway, I am cleaning up right now and going to put the things I found in the topics I have written. I'll be back.