LinuxQuestions.org, Linux - Server forum
Old 08-30-2012, 04:30 AM   #1
samanka80
Member
 
Registered: Aug 2012
Posts: 85

pam_ldap cannot bind / why?


Hi

I have an LDAP server on FreeBSD 9 connecting to an Active Directory server, and it can see AD perfectly. I also have krb5 on my LDAP server, which seems to be working fine using kinit. pam_ldap, nss_ldap and pam_krb5 are also installed.

Now that I want to "su alex", and alex is in Active Directory, I get the error below:

Aug 30 11:06:32 ldap su: pam_ldap: error trying to bind (Invalid credentials)
Aug 30 11:06:32 ldap su: in _openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 11


I know that it is maybe because of the first try at binding to the LDAP server. I have been looking everywhere for it; I realized that pam_ldap is using the same ldap.conf file. Here is my ldap.conf file:

-------------------

host 10.0.5.38 #this is the IP of Active directory server
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,cn=users,dc=seth,dc=local
bindpw *******
scope sub
ssl no
pam_password ad
pam_groupdn DC=seth,DC=local?sub
pam_member_attribute uniquemember

nss_base_passwd dc=seth,dc=local?sub
nss_base_shadow dc=seth,dc=local?sub
nss_base_group dc=seth,dc=local?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn

-------

As pam_ldap is trying to connect to LDAP (I guess), the IP address in "host 10.0.5.38" cannot work for it (should it?? am I right??). People talk about a file named pam_ldap.conf; I don't have it on my system, on FreeBSD 9. I created one in /etc, but it didn't work.

Can you please give me some detailed info about configuring pam_ldap to use LDAP and connect to Active Directory?? I have read every manual I have found, but I cannot find anything useful...

Thanks
 
Old 08-30-2012, 04:48 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

If you're using pam_ldap then you won't need any Kerberos stuff at all.

Can you bind to AD manually from there? There is no "first time" status at all, don't worry about that.

Try an ldapsearch and don't worry about anything else until you know you can get a successful bind that way.

THEN, once that's done, look to update the LDAP config based on what you've found, if anything, and if there's still no progress I would personally look to capture the traffic (plain LDAP on 389 only, of course) and inspect the LDAP operations with Wireshark, comparing PAM to ldapsearch for differences.

One thing I'd mention is that you haven't said you've installed the AD extensions for UNIX? I'm not sure what they're called, but by default there is not enough data in AD to support POSIX logins.
 
1 members found this post helpful.
Old 08-30-2012, 05:02 AM   #3
samanka80
Member
 
Registered: Aug 2012
Posts: 85

Original Poster
Quote:
Originally Posted by acid_kewpie
If you're using pam_ldap then you won't need any Kerberos stuff at all.

Can you bind to AD manually from there? There is no "first time" status at all, don't worry about that.

Try an ldapsearch and don't worry about anything else until you know you can get a successful bind that way.

THEN, once that's done, look to update the LDAP config based on what you've found, if anything, and if there's still no progress I would personally look to capture the traffic (plain LDAP on 389 only, of course) and inspect the LDAP operations with Wireshark, comparing PAM to ldapsearch for differences.

One thing I'd mention is that you haven't said you've installed the AD extensions for UNIX? I'm not sure what they're called, but by default there is not enough data in AD to support POSIX logins.
Yes, I have done all of them. I can see my whole AD with ldapsearch; I can both ldapsearch and also getent passwd user. Are you sure about not needing Kerberos??

Is it possible to use krb5 and pam_krb5 and not use pam_ldap??
 
Old 08-30-2012, 05:19 AM   #4
samanka80
Member
 
Registered: Aug 2012
Posts: 85

Original Poster
THANKS ALOOOOOOT for the clue!!!!

I did it! I just used Kerberos! I think my config had some problem with pam_ldap.... I will look for it...

THANK YOU!!!!
 
Old 08-30-2012, 05:24 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

pam_ldap is used to validate a user's credentials: you use nss_ldap to get the user data from LDAP and pam_ldap to check the password. These things have nothing in common; they really just coincide for a common goal. So you can use nss_ldap for the data from AD and pam_krb5 for the authentication side of things if you want. If that IS the case then you've no interest in pam_ldap in the first place. You *could* validate the password twice, but what's the point of that?

So if you can ldapsearch **BINDING AS THE CHOSEN USER**, not the generic search account (which is what's used for the nss getent goodness), then as above I would compare and contrast with Wireshark. But that's my solution for just about everything!
 
1 members found this post helpful.
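Posts #2 and #5 reduce the problem to one check: does a simple bind succeed as the service account from ldap.conf (what nss_ldap uses) and, separately, as the user's own DN (what pam_ldap does after it has looked the user up)? The probe below is an added example, not code from the thread or from pam_ldap: it speaks just enough LDAPv3 (RFC 4511, BER-encoded) with the Python standard library to send that BindRequest and decode the BindResponse, so "Invalid credentials" shows up as resultCode 49 together with the directory's diagnostic text. The host and DN arguments are placeholders you supply.

```python
"""LDAPv3 simple-bind probe (RFC 4511 BER), stdlib only; added as an example.
Sends the same plaintext simple bind pam_ldap sends with "ssl no" in ldap.conf."""
import socket

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(buf):
    """Return (resultCode, diagnosticMessage); 49 is invalidCredentials."""
    _, msg, _ = parse_tlv(buf)                 # outer LDAPMessage SEQUENCE
    _, _, pos = parse_tlv(msg)                 # messageID, not needed here
    tag, resp, _ = parse_tlv(msg, pos)
    if tag != 0x61:                            # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, pos = parse_tlv(resp)             # resultCode ENUMERATED
    _, _, pos = parse_tlv(resp, pos)           # matchedDN, usually empty
    _, diag, _ = parse_tlv(resp, pos)          # diagnosticMessage (AD's "data 52e" text lives here)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def simple_bind(host, dn, password, port=389, timeout=5):
    """One bind, one answer: what pam_ldap does once it has looked the user's DN up."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(bind_request(1, dn, password))
        return parse_bind_response(s.recv(4096))

if __name__ == "__main__":
    import getpass, sys                          # usage: probe.py HOST SERVICE_DN USER_DN
    host, svc_dn, user_dn = sys.argv[1:4]          # hypothetical placeholder arguments
    for label, dn in (("service account, as nss_ldap", svc_dn), ("user's own DN, as pam_ldap", user_dn)):
        print(label, simple_bind(host, dn, getpass.getpass("password for %s: " % dn)))
```

Bind the user with the DN that `getent passwd` resolves for them, not the bare sAMAccountName, since that is the rebind pam_ldap performs; a 49 on the service account points at ldap.conf's binddn/bindpw, a 49 only on the user at the user's credentials or the attribute mapping. The password crosses the wire in clear on 389, which is exactly why the Wireshark comparison suggested above is able to show the two binds side by side.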
Old 08-30-2012, 05:26 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Ahh, cool, well whatever you're happy with is fine, but I would ask: if you're already polling account info over LDAP, why change protocol to check the password if you're not interested in the SSO stuff that Kerberos can provide? Maybe you'd actually rather look at doing that "properly" and use winbind for domain membership?
 
1 members found this post helpful.
Old 08-30-2012, 06:17 AM   #7
samanka80
Member
 
Registered: Aug 2012
Posts: 85

Original Poster
Quote:
Originally Posted by acid_kewpie
Ahh, cool, well whatever you're happy with is fine, but I would ask: if you're already polling account info over LDAP, why change protocol to check the password if you're not interested in the SSO stuff that Kerberos can provide? Maybe you'd actually rather look at doing that "properly" and use winbind for domain membership?
Yes, I am going to dig into it. Actually my boss needs it right now, so I have to stop here! But I am going to have a cute home lab and do them all over again and test what's going on. I can find nothing for pam_ldap configuration in FreeBSD 9, and everybody is talking about a pam_ldap.conf which exists in, like, FreeBSD 8... I read the pam_ldap manual and it says pam_ldap uses ldap.conf for configuration, but it is not promised that it always works :O It says you should use other files, and my problem is that I don't know what those other files are!

Anyway I am cleaning up right now and am going to put the things I found in the topics I have written. I'll be back.