fuzzyworm
09-22-2008 04:59 PM
Ubuntu 8.04 / LDAP / NSS / PAM - not sharing shadow password hence not authenticating
Dear all,
I'm trying to set up a Single Sign-On server, with all sorts of fancy bells and whistles; however, I'm having a spot of bother getting the LDAP working.
I have followed the Ubuntu tutorials:
https://help.ubuntu.com/community/OpenLDAPServer
https://help.ubuntu.com/community/LD...Authentication
I have succeeded in getting LDAP installed, and populated with some sample data (Lionel Porcheron is from the sample in one of the tutorials, in case anyone's curious):
Code:
dn: dc=sjsscr
objectClass: top
objectClass: dcObject
objectClass: organization
o: sjsscr
dc: sjsscr
structuralObjectClass: organization
entryUUID: d7ae7f30-1ae6-102d-8447-15d4f12ff726
creatorsName:
createTimestamp: 20080919223419Z
entryCSN: 20080919223419.031498Z#000000#000#000000
modifiersName:
modifyTimestamp: 20080919223419Z

dn: cn=admin,dc=sjsscr
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <HERE IS A HASH>
structuralObjectClass: organizationalRole
entryUUID: d7af6026-1ae6-102d-8448-15d4f12ff726
creatorsName:
createTimestamp: 20080919223419Z
entryCSN: 20080919223419.037426Z#000000#000#000000
modifiersName:
modifyTimestamp: 20080919223419Z

dn: ou=people,dc=sjsscr
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit
entryUUID: 23b1d436-1ae7-102d-9940-e5554e7aba35
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080919223626Z
entryCSN: 20080919223626.560366Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080919223626Z

dn: ou=groups,dc=sjsscr
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit
entryUUID: 23b267d4-1ae7-102d-9941-e5554e7aba35
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080919223626Z
entryCSN: 20080919223626.564146Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080919223626Z

dn: uid=lionel,ou=people,dc=sjsscr
l: Toulouse
o: Example
uidNumber: 1050
cn: Lionel Porcheron
mobile: +33 (0)6 xx xx xx xx
title: System Administrator
loginShell: /bin/bash
gecos: Lionel Porcheron
uid: lionel
initials: LP
homePhone: +33 (0)5 xx xx xx xx
sn: Porcheron
gidNumber: 1050
homeDirectory: /home/lionel
postalCode: 31000
displayName: Lionel Porcheron
givenName: Lionel
mail: lionel.porcheron@example.com
structuralObjectClass: inetOrgPerson
entryUUID: 76739cd8-1b49-102d-9a70-4db677d54d65
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080920102016Z
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
userPassword:: <HERE IS A HASH>
entryCSN: 20080920104638.674650Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080920104638Z

dn: cn=lionel,ou=groups,dc=sjsscr
gidNumber: 1050
cn: lionel
objectClass: posixGroup
memberUid: lionel
structuralObjectClass: posixGroup
entryUUID: 7674fea2-1b49-102d-9a71-4db677d54d65
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080920102016Z
entryCSN: 20080920102016.092077Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080920102016Z

dn: cn=Joe B. Bloggs,ou=people,dc=sjsscr
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
displayName: Joe B. Bloggs
uidNumber: 1051
cn: Joe B. Bloggs
initials: B
loginShell: /bin/bash
gecos: Joe B. Bloggs
uid: jbloggs
sn: Bloggs
userPassword:: <HERE IS A HASH>
gidNumber: 1050
homeDirectory: /home/jbloggs
givenName: Joe
structuralObjectClass: inetOrgPerson
entryUUID: ba00e914-1d0c-102d-9677-459d07d375fb
creatorsName: cn=admin,dc=sjsscr
createTimestamp: 20080922161032Z
entryCSN: 20080922161032.441420Z#000000#000#000000
modifiersName: cn=admin,dc=sjsscr
modifyTimestamp: 20080922161032Z
I can then access this data with:
Code:
# ldapsearch -xLLL -b "dc=sjsscr" uid=lionel sn givenName cn
dn: uid=lionel,ou=people,dc=sjsscr
cn: Lionel Porcheron
sn: Porcheron
givenName: Lionel
I can even switch user from root to Lionel or Joe Bloggs; however, when I try to start a new shell, either over SSH or on a TTY, it won't authenticate.
I did getent:
Code:
# getent shadow lionel
lionel:*:::::::0
# getent passwd lionel
lionel:x:1050:1050:Lionel Porcheron:/home/lionel:/bin/bash
As you can see, it has no problem getting the passwd details, but it's not getting the shadow password. I presume that this is why the thing won't authenticate.
I have included my setup details below; if anyone has had any luck getting this combination working, I would be most grateful for some pointers. If you need more info re. my setup, please let me know.
nsswitch.conf:
Code:
# /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
# Note I have tried 'compat' and 'files' for this, it seemed to make no difference.
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup:
pam.d/common-account:
Code:
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
pam.d/common-auth:
Code:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
pam.d/common-password:
Code:
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
pam.d/common-session:
Code:
session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix.so
session optional pam_ldap.so
ldap/slapd.conf:
Code:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
backend hdb
database hdb
suffix "dc=sjsscr"
rootdn "cn=admin,dc=sjsscr"
rootpw {SSHA}<HERE IS A HASH>
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=sjsscr" write
        by anonymous auth
        by self write
        by * read
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=sjsscr" write
        by * read
ldap.conf:
Code:
base dc=sjsscr
uri ldapi:///127.0.0.1
ldap_version 3
rootbinddn cn=admin,dc=sjsscr
pam_password md5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,dnsmasq,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,openldap,polkituser,proxy,root,sshd,statd,sync,sys,syslog,uucp,www-data
ldap/ldap.conf:
Code:
BASE dc=sjsscr
URI ldap://127.0.0.1
#TS_REQCRT allow
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
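Added example, not part of the post above and not code from Ubuntu or OpenLDAP: a small audit script that reads the two things the post shows, the `getent shadow` output and the `access to attrs=userPassword,...` block from slapd.conf, and reports (1) which accounts come back with a lock marker (`*`) instead of a hash, meaning pam_unix has nothing to verify and authentication for those users has to succeed through pam_ldap binding as the user, and (2) whether the ACL on `userPassword` ends in `by * read`, which (because OpenLDAP stops at the first matching `by` clause) lets any authenticated identity other than the user themselves read everyone's password hashes. The sample shadow lines, the hypothetical local account `localadmin`, and the hardened ACL variant are constructed for the example; the ACL parser is a deliberately simple one that only understands the `access to ... by <who> <level>` form seen in the post.

```python
"""Audit helper for the NSS/LDAP shadow and ACL settings discussed above.

Added example; the sample inputs below are constructed, modelled on the
values in the forum post, and are not real directory data.
"""
import re

# Constructed sample: the two LDAP users exactly as nss_ldap returned them
# in the post, plus a hypothetical local account from /etc/shadow for contrast.
SAMPLE_SHADOW = """\
lionel:*:::::::0
jbloggs:*:::::::0
localadmin:$6$constructedsalt$constructedhashvalue:17800:0:99999:7:::
"""

# Constructed sample: the access directives from the posted slapd.conf.
SAMPLE_SLAPD_ACL = """\
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=sjsscr" write
        by anonymous auth
        by self write
        by * read
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=sjsscr" write
        by * read
"""

# Same block with the password directive closed off: unmatched identities get
# no access at all (this is also the Debian/Ubuntu default shape for this rule).
HARDENED_PASSWORD_ACL = """\
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=sjsscr" write
        by anonymous auth
        by self write
        by * none
"""

# OpenLDAP access levels, weakest to strongest; each implies the ones before it.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_shadow(text):
    """Map user -> encrypted-password field for each shadow(5)-style line."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        result[fields[0]] = fields[1] if len(fields) > 1 else ""
    return result


def unusable_hashes(text):
    """Users whose hash field pam_unix cannot verify.

    '*' and '!'-style values are lock markers, not hashes. For an LDAP user
    they mean NSS did not get userPassword back from the directory, so only
    pam_ldap (binding as the user) can authenticate that account.
    """
    return sorted(user for user, field in parse_shadow(text).items()
                  if field == "" or field.startswith(("*", "!")))


def parse_acls(text):
    """Split slapd.conf 'access to' directives into (target, [(who, level), ...]).

    Indented lines are continuation lines of the preceding directive.
    """
    directives = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().startswith("access to"):
            directives.append(line.strip())
        elif directives:
            directives[-1] += " " + line.strip()
    parsed = []
    for directive in directives:
        target = directive[len("access to"):].split(" by ", 1)[0].strip()
        clauses = re.findall(r"\bby\s+(\S+)\s+(\w+)", directive)
        parsed.append((target, clauses))
    return parsed


def password_hashes_readable_by_all(text):
    """True if a directive covering userPassword grants '*' read or stronger.

    Evaluation stops at the first 'by' clause whose <who> matches, so a
    trailing 'by * read' applies to every identity not caught earlier: here
    anonymous is limited to 'auth', but any other bound DN can read the
    userPassword of every entry.
    """
    read_rank = ACCESS_LEVELS.index("read")
    for target, clauses in parse_acls(text):
        if not (target.startswith("attrs=") and "userPassword" in target):
            continue
        for who, level in clauses:
            if who == "*" and level in ACCESS_LEVELS and ACCESS_LEVELS.index(level) >= read_rank:
                return True
    return False


if __name__ == "__main__":
    print("accounts with no usable hash via NSS:", unusable_hashes(SAMPLE_SHADOW))
    print("posted ACL exposes hashes to any bound DN:", password_hashes_readable_by_all(SAMPLE_SLAPD_ACL))
    print("hardened ACL exposes hashes to any bound DN:", password_hashes_readable_by_all(HARDENED_PASSWORD_ACL))
```

With the hardened rule, `getent shadow` run as root still sees the hash as long as nss_ldap binds as the `rootbinddn` (the admin DN has `write`), while ordinary users and other authenticated DNs get nothing back; user logins continue to work through pam_ldap, which needs only the `auth` level to bind.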