Authentication Failure In pam_ldap ?

Authentication Failure In pam_ldap ?

by Jyotishmaan

Dear pam_ldap experts,

This is Jyotishmaan. Please let me know why I am getting these errors while executing the ssh command. Before that, I would like to say that this user is there in my LDAP server. Proof of this is given below this command's sample output, which I got by executing the command finger "jmaan".


[root@authdns etc]# ssh authdns.nits.ac.in -l jmaan
jmaan@authdns.nits.ac.in's password:
Permission denied, please try again.
jmaan@authdns.nits.ac.in's password:
Permission denied, please try again.
jmaan@authdns.nits.ac.in's password:
Permission denied (publickey,gssapi-with-mic,password).
[root@authdns etc]#


[root@authdns etc]# finger jmaan
Login: jmaan                            Name: jmaan
Directory: /home/jmaan                  Shell: /bin/bash
Last login Wed Nov 28 19:29 (IST) on pts/6 from authdns.nits.ac.in
No mail.
No Plan.
[root@authdns etc]#

The output of the command id "jmaan" is also given below:

[root@authdns etc]# id jmaan
uid=623(jmaan) gid=623 groups=623 context=root:system_r:unconfined_t:s0-s0:c0.c1023
[root@authdns etc]#

This is the proof that both the users are there in my LDAP server database. Now please look below; the lines of the /etc/ldap.conf file of my LDAP server machine are also shown:


[root@authdns etc]# grep '^[^#]' /etc/ldap.conf
host 127.0.0.1
base dc=nits,dc=ac,dc=in
uri ldap://127.0.0.1/
ldap_version 3
scope sub
timelimit 120
bind_timelimit 120
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd         uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
nss_base_passwd         uid=ldapusr,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
pam_sasl_mech DIGEST-MD5
uri ldap://127.0.0.1/
ssl no
tls_cacertdir /etc/openldap/cacerts
sasl_authid nssldap/localhost.localdomain
rootuse_sasl yes
rootsasl_auth_id nssldap/localhost.localdomain
pam_password md5
[root@authdns etc]#


Please let me know what went wrong or has to be included in this file.

Also the output of the command,

/usr/bin/authconfig-tui


where I had set up the Authentication configuration using LDAP, that uses MD5 password, and Local Authorization (I don't know however if this is important).

The authentication configuration can also be set using the command:

system-config-authentication

where the configuration can be set up through the GUI.

Now please tell me why this command is also not executing:
ldapwhoami
Should I use the Manager's (of the LDAP server, having all administrative privileges) or simply userid root's password (MD5 password)?

When I used the Manager's MD5 password I got the following error:

[root@authdns etc]# ldapwhoami
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
[root@authdns etc]#

Also please see the log of the /var/log/messages file for the errors when the user ldapusr/jmaan tried logging onto the LDAP server machine through the GUI of Linux Fedora OS.


Dec 12 14:30:41 authdns gdm[4091]: Couldn't authenticate user
Dec 12 14:30:50 authdns gdm[4091]: pam_ldap: error trying to bind as user "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
Dec 12 14:30:52 authdns gdm[4091]: Couldn't authenticate user
Dec 12 14:31:00 authdns gdm[4091]: pam_ldap: error trying to bind as user "uid=ldapusr,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)


All the above lines were obtained with a slightly different version of /etc/ldap.conf.


The following lines of /var/log/messages were obtained from the version of the /etc/ldap.conf file shown above.

Dec 12 15:15:36 authdns gdm[4091]: Couldn't authenticate user
Dec 12 15:16:13 authdns gdm[4091]: Couldn't authenticate user
Dec 12 15:16:56 authdns last message repeated 3 times
Dec 12 15:17:05 authdns gconfd (root-14308): starting (version 2.18.0.1), pid 14308 user 'root'
Dec 12 15:17:05 authdns gconfd (root-14308): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Dec 12 15:17:05 authdns gconfd (root-14308): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Dec 12 15:17:05 authdns gconfd (root-14308): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Dec 12 15:17:06 authdns gconfd (root-14308): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 0
Dec 12 15:17:08 authdns setroubleshoot: [rpc.ERROR] attempt to open server connection failed: (2, 'No such file or directory'



Please kindly let me know where and why my authentication is failing ???

With Warm Cheering Regards,
Jyotishmaan

Re: Authentication Failure In pam_ldap ?

by Alex Samad

Can the user log in via a console? Does that work?
On Wed, Dec 12, 2007 at 04:55:57AM -0800, Jyotishmaan wrote:
>
> Dear pam_ldap experts,
>
[snip]

> [root@authdns etc]# ldapwhoami
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database
> [root@authdns etc]#

You are trying to bind with SASL; is that set up? You might want to try
ldapwhoami with -D

>
> Also please see the log of /var/log/messages file for the errors when the
> user ldapusr/ jmaan tried logging onto the LDAP server machine, through the
> GUI of Linux fedora os.
>
>
> Dec 12 14:30:41 authdns gdm[4091]: Couldn't authenticate user
> Dec 12 14:30:50 authdns gdm[4091]: pam_ldap: error trying to bind as user
> "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid
> credentials)
sounds like password problems

try

ldapsearch -D "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" -x

once that is working then move on to the pam problem


[snip]

might also want to try logging in via a console as well

>
>
> Please kindly let me know where and why my authentication is failing ???
>
> With Warm Cheering Regards,
> Jyotishmaan

Re: Authentication Failure In pam_ldap ?

by Jyotishmaan

This command ldapwhoami -D does not give a successful result.

[root@authdns etc]# ldapwhoami
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
[root@authdns etc]#



Re: Authentication Failure In pam_ldap ?

by Jyotishmaan


Alex,

My slapd.conf file is shown as below:


[root@authdns openldap]# egrep -v  '^(^$|#)' /etc/ldap.conf
base dc=nits,dc=ac,dc=in
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
uri ldap://127.0.0.1/
ssl no
pam_password md5
[root@authdns openldap]# egrep -v  '^(^$|#)' /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/nit.schema
access to * by * read
 allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database        bdb
suffix          "dc=nits,dc=ac,dc=in"
rootdn          "cn=Manager,dc=nits,dc=ac,dc=in"
rootpw                     {SSHA}Y3RagOP7u3FsNbHCnPVLwsxUepwIgezo
directory       /var/lib/ldap
index objectClass                       eq,pres index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
   
                                                                                                                             
access to attrs=userPassword
         by * auth
         by  self write
access to *
         by * read                                                                                                                              
                                                                                                                             
lastmod  on
access to * by users read
[root@authdns openldap]#


Please let me know if I have to include any modules as shown below:

# Load dynamic backend modules:
#  modulepath   /usr/lib/openldap
#  moduleload   back_bdb.la
#  moduleload   back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la


Thanks,

Jyotishmaan


Re: Authentication Failure In pam_ldap ?

by Alex Samad

On Thu, Dec 13, 2007 at 10:26:02PM -0800, Jyotishmaan Ray wrote:
> Dear Alex,
>
> Thank you for your reply!!!
should try and keep it on the list

>
> As of now I am trying to log on to the server, using the userid - "jmaan" and "ldapusr", but could not log on.
>
> The /etc/ldap.conf file is enclosed with this mail as an attachment. And the output of the command, getent passwd jmaan is shown below:-
> [root@authdns ~]# getent passwd jmaan
> jmaan:*:623:623:jmaan:/home/jmaan:/bin/bash
> [root@authdns ~]# getent passwd ldapusr
> ldapusr:*:625:625:ldapusr:/home/ldapusr:/bin/bash
> [root@authdns ~]#
>
> Which shows pam_ldap is working fine. Even the getent passwd is working fine.
I believe getent uses libnss, not libpam-ldap

>
> The output of the command ssh "hostname" -l "uid" is also shown below:-
>
> [root@authdns ~]# ssh authdns.nits.ac.in -l jmaan
> jmaan@...'s password:
> Permission denied, please try again.
> jmaan@...'s password:
> Permission denied, please try again.
> jmaan@...'s password:
> Permission denied (publickey,gssapi-with-mic,password).
> [root@authdns ~]# ssh authdns.nits.ac.in -l ldapusr
> ldapusr@...'s password:
> Permission denied, please try again.
> ldapusr@...'s password:
> Permission denied, please try again.
> ldapusr@...'s password:
> Permission denied (publickey,gssapi-with-mic,password).
> [root@authdns ~]#
>
>
> Please Alex, kindly investigate and help me as soon as possible.
You have to look at the output from slapd; in the other emails you had
authentication errors in your slapd output

>
>
> Thanking You,
> Jyotishmaan

Re: Authentication Failure In pam_ldap ?

by Alex Samad

On Thu, Dec 13, 2007 at 11:23:17PM -0800, jyotishmaan@... wrote:

> Hello Alex,
>
> Please find below the reply of your mail.
>
> Alex Samad wrote:
> >
> > can the user login via a console does that work
> > On Wed, Dec 12, 2007 at 04:55:57AM -0800, Jyotishmaan wrote:
> >>
> >> Dear pam_ldap experts,
> >>
> > [snip]
> >
> >> [root@authdns etc]# ldapwhoami
> >> SASL/DIGEST-MD5 authentication started
> >> Please enter your password:
> >> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >>         additional info: SASL(-13): user not found: no secret in database
> >> [root@authdns etc]#
> >
> > you are trying to bind with sasl is that setup , you might want to try
> > ldapwhoami with -D
>
>
>
> This command ldapwhoami -D does not give successful result.
>
> [root@authdns etc]# ldapwhoami
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database
> [root@authdns etc]#
>
>
> Now when I tried using the command ldapsearch as shown below, it didn't work fine. It is shown below:-
>
> [root@authdns bin]# ldapsearch  -D  'uid=jmaan,stornt=non-teach,bn =compcen,dc=nits,dc=ac,dc=in'
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database
> [root@authdns bin]# ldapsearch  -W  -D  'uid=jmaan,stornt=non-teach,bn =compcen,dc=nits,dc=ac,dc=in'
> Enter LDAP Password:
> SASL/DIGEST-MD5 authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database
> [root@authdns bin]#
>
>
> [root@authdns bin]# ldapsearch  -x -b  'uid=jmaan,stornt=non-teach,bn =compcen,dc=nits,dc=ac,dc=in'
> # extended LDIF
> #
> # LDAPv3
> # base <uid=jmaan,stornt=non-teach,bn =compcen,dc=nits,dc=ac,dc=in> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # jmaan, non-teach, compcen, nits.ac.in
> dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> uid: jmaan
> cn: jmaan
> objectClass: account
> objectClass: posixAccount
> loginShell: /bin/bash
> uidNumber: 623
> gidNumber: 623
> homeDirectory: /home/jmaan
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@authdns bin]#
>
> However, with the ldapsearch -x -b options, it executes successfully. The same command doesn't work with -W and -D options.
>
> The  options -x means without using sasl,
> however the option -b means, probably the base ??? (i will check it out) ?
> Please tell me why i am not able to log on to the server machine as "jmaan" or "ldapusr" ??
> Also why ssh authdns.nits.ac.in -l jmaan or ldapusr is not working fine ??
>
> Please give reasons why they are failing ??????
You need to try -x for simple auth (do you have SASL set up?) and -D to provide
the bind cn. All you have done above is prove you have anonymous access and
that the dn uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in exists

>
> Thank you so much for fast responses !!!
>
>
> Jyotishmaan
>
>
>
>  
> >>
> >> Also please see the log of /var/log/messages file for the errors when the
> >> user ldapusr/ jmaan tried logging onto the LDAP server machine, through
> >> the
> >> GUI of Linux fedora os.
> >>
> >>
> >> Dec 12 14:30:41 authdns gdm[4091]: Couldn't authenticate user
> >> Dec 12 14:30:50 authdns gdm[4091]: pam_ldap: error trying to bind as user
> >> "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid
> >> credentials)
> > sounds like password problems
> >
> > try
> >
> > ldapsearch -D "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in"
> > -x
> >
> > once that is working then move on to the pam problem
> >
> >
> > [snip]
> >
> > might also want to try login in via a console as well
> >>
> >>
> >> Please kindly let me know where and why my authentication is failing ???
> >>
> >> With Warm Cheering Regards,
> >> Jyotishmaan

Re: Authentication Failure In pam_ldap ?

by Jyotishmaan


Hello Alex,

I have tried using -D and without using -x, as shown below; however, the output of these commands is not successful.
It is shown below:

[root@authdns ~]# ldapsearch -D 'uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database

Now the question is, should I enable SASL/TLS in my /etc/ldap.conf file?

Is it that, we need to have by default -

LDAP authentication ??

Thanks And Regards,

Jyotishmaan



Re: Authentication Failure In pam_ldap ?

by Tony Earnshaw-4

Jyotishmaan wrote, on 15-12-2007 06:56:

> i have tried using  -D and without using -x, as shown below, however the
> output of these commands are not successful.
> They are shown as below:-
>
> [root@authdns ~]# ldapsearch -D
> 'uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in'
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database

You are really *not* using '-x' in your command string, otherwise you
wouldn't get the above. You really *do* need to read the man page for
ldapsearch and the admin guide.

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: Authentication Failure In pam_ldap ?

by Jyotishmaan


Hi Tony,

Please see below the output of the command ldapsearch with -x option.

However this is not using SASL to bind to the LDAP server.

Now please guide me what should I do next??

I have sent you a few mails in detail, enclosing all the files!!

Thanks,

Jyotishmaan

[root@authdns /]# ldapsearch  -x   'uid=jmaan,stornt=non-teach,bn =compcen,dc=nits,dc=ac,dc=in'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=jmaan,stornt=non-teach,bn =compcen,dc=nits,dc=ac,dc=in
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root@authdns /]#






Re: Authentication Failure In pam_ldap ?

by Tony Earnshaw-4

Jyotishmaan wrote, on 15-12-2007 10:32:

> Please see below the output of the command ldapsearch with -x option.
>
> However this is not using sasl to bind to the ldap server.
>
> Now please guide me what should i do next??

tail -f the log at -d 256 (Stats) and see what the output is.

> I have sent you a few mails in details and enclosing all the files!!

All I can say is what I posted in another thread: Read the man page for
ldapsearch and start again from scratch using the Admin guide quick
start section.

Questions pertaining to OpenLDAP should be asked on the OL list. Get the
OL stuff working first, then come back to this list with pam questions,
to the nssldap list with nss questions. Do one thing at a time.

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl
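
Added example, not written by any poster in this thread: a POSIX shell helper that classifies the command lines tried above by the bind they actually request (SASL, anonymous, or simple with a DN), which is the distinction the replies keep pointing at. Function and variable names are hypothetical, the option letters are taken from the OpenLDAP client man pages, and the DN-as-filter check is a heuristic.

```sh
#!/bin/sh
# Added example: names are hypothetical. Classifies an OpenLDAP client
# command line by the bind it requests, without contacting any server.

# Option letters from the ldapsearch(1)/ldapwhoami(1) man pages; a trailing
# ':' marks an option that takes an argument. Leading ':' = silent getopts.
LDAP_OPTS=':D:w:y:H:h:p:b:s:a:l:z:f:F:S:T:P:O:U:R:X:Y:o:e:E:d:xWncuvVMLAZNIQCt'

# ldap_parse TOOL [ARGS...]
# Sets LDAP_MODE (sasl|anonymous|unauthenticated|simple) and
# LDAP_FILTER_IS_DN (yes|no). Options must precede the filter.
ldap_parse() {
    shift                                # drop the tool name
    lp_simple=0; lp_dn=''; lp_pw=0
    LDAP_FILTER_IS_DN=no
    OPTIND=1
    while getopts "$LDAP_OPTS" lp_opt; do
        case $lp_opt in
            x)     lp_simple=1 ;;        # simple bind instead of SASL
            D)     lp_dn=$OPTARG ;;      # bind DN
            W|w|y) lp_pw=1 ;;            # password: prompt, inline or file
            *)     : ;;                  # irrelevant to the bind decision
        esac
    done
    shift $((OPTIND - 1))

    if [ "$lp_simple" -eq 0 ]; then
        LDAP_MODE=sasl                   # no -x: SASL, whatever -D/-W say
    elif [ -z "$lp_dn" ]; then
        LDAP_MODE=anonymous              # -x alone: no identity at all
    elif [ "$lp_pw" -eq 0 ]; then
        LDAP_MODE=unauthenticated        # -x -D but no password supplied
    else
        LDAP_MODE=simple                 # -x -D plus -W/-w/-y
    fi

    # Heuristic: the first positional argument of ldapsearch is the search
    # filter. A bare "attr=val,attr=val" string there is almost certainly a
    # DN that was meant for -b (search base) or -D (bind DN).
    case ${1-} in
        '('*)    : ;;
        *=*,*=*) LDAP_FILTER_IS_DN=yes ;;
    esac
}

# ldap_explain TOOL [ARGS...]: print the mode and what it does or does not test.
ldap_explain() {
    ldap_parse "$@"
    case $LDAP_MODE in
        sasl)            le_msg='SASL bind (no -x); depends on the SASL setup of the server' ;;
        anonymous)       le_msg='anonymous simple bind; shows the entry is readable, tests no password' ;;
        unauthenticated) le_msg='simple bind with a DN but no password; add -W to be prompted' ;;
        simple)          le_msg='simple bind with DN and password; get this working before PAM' ;;
    esac
    if [ "$LDAP_FILTER_IS_DN" = yes ]; then
        le_msg="$le_msg; a DN sits where the filter belongs, use -b or -D"
    fi
    printf '%s: %s\n' "$LDAP_MODE" "$le_msg"
}

# Command lines as posted in the thread (DN held in a variable for brevity).
DN='uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in'
ldap_explain ldapsearch -D "$DN"
ldap_explain ldapsearch -W -D "$DN"
ldap_explain ldapsearch -x -b "$DN"
ldap_explain ldapsearch -x "$DN"
ldap_explain ldapsearch -D "$DN" -x
# -x and -D together, as the replies ask; -W is added here so that a
# password is actually prompted for and sent.
ldap_explain ldapwhoami -x -D "$DN" -W
```

Only the last form sends a DN together with a password in a simple bind; the others either go through SASL or never present a password.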

Re: Authentication Failure In pam_ldap ?

by Tony Earnshaw-4

Jyotishmaan Ray wrote, on 15-12-2007 17:07:

> i have read many times theadmi guide of opendlap for ldapsearch command
> etc ?

Basically, you have to do what the Admin guide instructs you to do, and
not what you think it should be telling you.

PLEASE! All follow-ups to the OL ML, let those people suffer. I shall
not be partaking, nor shall I answer any further post to this list or to
me privately.

> please tell me what i do need to make to change in the /etc/ldap.conf
> file so that ssh and console log on can be made successful ?

This has nothing to do with /etc/ldap.conf.

> also the /var/log/messages file is not taking any messages in the file
> despitte trying to log on to the server machine through the console log
> on ?? any issues??
>
> plz let me know

I did.

Maybe you should contact someone somewhere about some other job.

--Tonni

PS: You might find it worthwhile investing 0 rupees in a spelling
checker. What you produce is excruciating reading.

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: Authentication Failure In pam_ldap ?

by Alex Samad

On Fri, Dec 14, 2007 at 09:56:11PM -0800, Jyotishmaan wrote:

>
>
> Hello Alex,
>
> i have tried using  -D and without using -x, as shown below, however the
> output of these commands are not successful.
> They are shown as below:-
>
> [root@authdns ~]# ldapsearch -D
> 'uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in'
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database
>
> Now the question is, should i enable sasl/ tls in my /etc/ldap.conf file ?
>
> Is it that, we need to have by default -
>
> LDAP authentication ??
>
> Thanks And Regards,
>
> Jyotishmaan
You need to use both -x and -D together, pam_ldap and libnss (normally) use
simplistic binding to the ldap service to authenticate.

Get your ldapsearch to work first (with the -x and -D) and then look at the
pam_ldap.... 1 step at a time.

I would also suggest that you really need to read the man pages for ldapsearch
especially the section on -x and -D and also check out the openldap web site
they have a faq-o-matic

A

>
>
>
> Alex Samad wrote:
> >
> > On Thu, Dec 13, 2007 at 11:23:17PM -0800, jyotishmaan@... wrote:
> >> Hello Alex,
> >>
> >> Please find below the reply of your mail.
> >>
> >> Alex Samad wrote:
> >> >
> >> > can the user login via a console does that work
> >> > On Wed, Dec 12, 2007 at 04:55:57AM -0800, Jyotishmaan wrote:
> >> >>
> >> >> Dear pam_ldap experts,
> >> >>
> >> > [snip]
> >> >
> >> >> [root@authdns etc]# ldapwhoami SASL/DIGEST-MD5 authentication started
> >> >> Please enter your password:
> >> >> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >> >>         additional info: SASL(-13): user not found: no secret in
> >> database
> >> >> [root@authdns etc]#
> >> >
> >> > you are trying to bind with sasl is that setup , you might want to try
> >> > ldapwhoami with -D
> >>
> >>
> >>
> >> This command ldapwhoami -D does not give successful result.
> >>
> >> [root@authdns etc]# ldapwhoami
> >> SASL/DIGEST-MD5 authentication started
> >> Please enter your password:
> >> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >>         additional info: SASL(-13): user not found: no secret in database
> >> [root@authdns etc]#
> >>
> >>
> >> Now when i tried using the command ldapsearch as show below, it didnt
> >> work fine. It is shown below:-
> >>
> >> [root@authdns bin]# ldapsearch  -D  'uid=jmaan,stornt=non-teach,bn
> >> =compcen,dc=nits,dc=ac,dc=in'
> >> SASL/DIGEST-MD5 authentication started
> >> Please enter your password:
> >> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >>         additional info: SASL(-13): user not found: no secret in database
> >> [root@authdns bin]# ldapsearch  -W  -D  'uid=jmaan,stornt=non-teach,bn
> >> =compcen,dc=nits,dc=ac,dc=in'
> >> Enter LDAP Password:
> >> SASL/DIGEST-MD5 authentication started
> >> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >>         additional info: SASL(-13): user not found: no secret in database
> >> [root@authdns bin]#
> >>
> >>
> >> [root@authdns bin]# ldapsearch  -x -b  'uid=jmaan,stornt=non-teach,bn
> >> =compcen,dc=nits,dc=ac,dc=in'
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base <uid=jmaan,stornt=non-teach,bn =compcen,dc=nits,dc=ac,dc=in> with
> >> scope subtree
> >> # filter: (objectclass=*)
> >> # requesting: ALL
> >> #
> >>
> >> # jmaan, non-teach, compcen, nits.ac.in
> >> dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> >> uid: jmaan
> >> cn: jmaan
> >> objectClass: account
> >> objectClass: posixAccount
> >> loginShell: /bin/bash
> >> uidNumber: 623
> >> gidNumber: 623
> >> homeDirectory: /home/jmaan
> >>
> >> # search result
> >> search: 2
> >> result: 0 Success
> >>
> >> # numResponses: 2
> >> # numEntries: 1
> >> [root@authdns bin]#
> >>
> >> However when ldapsearch is used with the -x -b options, it executes successfully. The same
> >> command doesn't work with -W and -D options.
> >>
> >> The option -x means without using sasl,
> >> however the option -b means, probably the base ??? (I will check it out)
> >> ?
> >> Please tell me why I am not able to log on to the server machine as
> >> "jmaan" or "ldapusr" ??
> >> Also why ssh authdns.nits.ac.in -l jmaan or ldapusr is not working fine
> >> ??
> >>
> >> Please give reasons why they are failing ??????
> > You need to try -x for simple auth (do you have sasl setup ?) and -D to provide
> > the bind cn, all you have done above is prove you have anonymous access and
> > that the dn uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in exists
> >
> >>
> >> Thank you so much for fast responses !!!
> >>
> >>
> >> Jyotishmaan
> >>
> >>
> >>
> >>  
> >> >>
> >> >> Also please see the log of /var/log/messages file for the errors when
> >> the
> >> >> user ldapusr/ jmaan tried logging onto the LDAP server machine,
> >> through
> >> >> the
> >> >> GUI of Linux fedora os.
> >> >>
> >> >>
> >> >> Dec 12 14:30:41 authdns gdm[4091]: Couldn't authenticate user
> >> >> Dec 12 14:30:50 authdns gdm[4091]: pam_ldap: error trying to bind as
> >> user
> >> >> "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid
> >> >> credentials)
> >> > sounds like password problems
> >> >
> >> > try
> >> >
> >> > ldapsearch -D "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" -x
> >> >
> >> > once that is working then move on to the pam problem
> >> >
> >> >
> >> > [snip]
> >> >
> >> > might also want to try login in via a console as well
> >> >>
> >> >>
> >> >> Please kindly let me where and why my authentication is failing ???
> >> >>
> >> >> With Warm Cheering Regards,
> >> >> Jyotishmaan http://www.nabble.com/file/p14292650/ldap.conf ldap.conf

Re: Authentication Failure In pam_ldap ?

by Alex Samad

Hi


Please reply via the list; this is the last time I will reply to private
emails.

As I have said in previous emails, you need to get -x and -D working together in
one statement.

You need -x because I am presuming you are not using sasl authentication, and
in my opinion it is not needed for pam ldap binding.

You need -D to provide the dn you are trying to authenticate.

You are trying to simulate a bind request from pamldap to the ldap server. What
is going to be the dn for user jmaan? Use this as the argument for -D,

and the password for -x will be jmaan's password.

Get this working first.

Alex

On Wed, Dec 19, 2007 at 06:02:02AM -0800, Jyotishmaan Ray wrote:

>
>
> Please see below the output of ldapsearch using -x and -D options:-
>
> 1)
> [root@authdns openldap]# ldapsearch -D 'dc=nits,dc=ac,dc=in' '(uid=jmaan*)'
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database
> [root@authdns openldap]#
>
> 2) When ldapsearch is used with -x -b the output is shown as below:-
>
> [root@authdns openldap]# ldapsearch  -x -b  'dc=nits,dc=ac,dc=in' '(uid=jmaan*)'
> # extended LDIF
> #
> # LDAPv3
> # base <dc=nits,dc=ac,dc=in> with scope subtree
> # filter: (uid=jmaan*)
> # requesting: ALL
> #
>
> # jmaan, non-teach, compcen, nits.ac.in
> dn:
>  uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> uid: jmaan
> cn: jmaan
> objectClass: account
> objectClass: posixAccount
> loginShell: /bin/bash
> uidNumber: 623
> gidNumber: 623
> homeDirectory: /home/jmaan
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> In the below output, I have tried using the "Manager"'s password as well as "uid"'s password to log on to the server, but in both the cases, the authentication could not be successful:-
>
> [root@authdns ~]# ldapsearch -b 'dc=nits,dc=ac,dc=in' '(uid=jmaan*)'
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database
> [root@authdns ~]#
>
> The output of ldapwhoami command is as shown below with -x and -D options:-
>
> [root@authdns openldap]# ldapwhoami  -D "cn=Manager,dc=nits,dc=ac,dc=in " -W
> Enter LDAP Password:
> SASL/DIGEST-MD5 authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database
> [root@authdns openldap]# ldapwhoami -x  -D "cn=Manager,dc=nits,dc=ac,dc=in " -W
> Enter LDAP Password:
> dn:cn=Manager,dc=nits,dc=ac,dc=in
> Result: Success (0)
> [root@authdns openldap]#
>
> [root@authdns openldap]# ldapwhoami -x  "cn=Manager,dc=nits,dc=ac,dc=in "
> anonymous
> Result: Success (0)
> [root@authdns openldap]#
>
> Alex, is it necessary to create a userid and a password in the sasldb using saslpasswd2 :-
> Though I created a saslpasswd2 for the user "jmaan" for performing the ldapsearch, without using -x, it is yet not successful.
>
> Please give me hints why it is as such unsuccessful and shown above, without std output from the console.
>
> Thanking you in anticipation,
>
> Jyotishmaan

Re: Authentication Failure In pam_ldap ?

by Jyotishmaan

Hello Alex,

Thank you for giving me tips on ldapsearch with -x and -D.

The output of a ldapsearch with -x and -D options is as shown below:-

[root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D cn=Manager,dc=nits,dc=ac,dc=in -W -b dc=nits,dc=ac,dc=in '(uid=jmaan)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=nits,dc=ac,dc=in> with scope subtree
# filter: (uid=jmaan)
# requesting: ALL
#

# jmaan, non-teach, compcen, nits.ac.in
dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
uid: jmaan
cn: jmaan
objectClass: account
objectClass: posixAccount
userPassword:: JDEkOVE1ZDRQdzUkWkl1QlJjQWhLZ0xPREtTR2FrNlhNMQ==
loginShell: /bin/bash
uidNumber: 623
gidNumber: 623
homeDirectory: /home/jmaan

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@authdns ~]#

The output of ldapsearch when used with -x and -D options with dn for the user "jmaan" is as shown below when the password for jmaan was used:-


[root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D 'uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in' -W 
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@authdns ~]#

When the ldapsearch is used with -x and -D options and the password of the authenticating Manager was used then the ldapsearch is a successful one as shown below:-

[root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D ' cn=Manager,dc=nits,dc=ac,dc=in' -W  '(uid=jmaan)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=jmaan)
# requesting: ALL
#

# jmaan, non-teach, compcen, nits.ac.in
dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
uid: jmaan
cn: jmaan
objectClass: account
objectClass: posixAccount
userPassword:: JDEkOVE1ZDRQdzUkWkl1QlJjQWhLZ0xPREtTR2FrNlhNMQ==
loginShell: /bin/bash
uidNumber: 623
gidNumber: 623
homeDirectory: /home/jmaan

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Now please give me insights in this!!!! In both of the cases for the user-"jmaan" everything matches with the imported file of the user "jmaan" except for the password (where the password was in md5 format, while importing). Is it because of this mismatch that I could not log in through the console on the server machine using the user id-"jmaan"?
Also, are the reasons the same for the unsuccessful log on using ssh <hostname> -l <uid>?

Please let me know, Alex!! More to know from you, as I cannot see any other ways!!!!



Thanking you,

Regards,

Jyotishmaan


Re: Authentication Failure In pam_ldap ?

by Alex Samad

On Wed, Dec 19, 2007 at 10:59:17PM -0800, Jyotishmaan Ray wrote:

>
> Hello Alex,
>
> Thank you for giving me tips on ldapsearch with -x and -D.
>
> The output of a ldapsearch with -x and -D options is as shown below:-
>
> [root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D cn=Manager,dc=nits,dc=ac,dc=in -W -b dc=nits,dc=ac,dc=in '(uid=jmaan)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=nits,dc=ac,dc=in> with scope subtree
> # filter: (uid=jmaan)
> # requesting: ALL
> #
>
> # jmaan, non-teach, compcen, nits.ac.in
> dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> uid: jmaan
> cn: jmaan
> objectClass: account
> objectClass: posixAccount
> userPassword:: JDEkOVE1ZDRQdzUkWkl1QlJjQWhLZ0xPREtTR2FrNlhNMQ==
> loginShell: /bin/bash
> uidNumber: 623
> gidNumber: 623
> homeDirectory: /home/jmaan
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@authdns ~]#
Great, now you know that cn=Manager,dc=nits,dc=ac,dc=in works.

>
> The output of ldapsearch when used with -x and -D options with dn for the user "jmaan" is as shown below when the password for jmaan was used:-
>
>
> [root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D 'uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in' -W  
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> [root@authdns ~]#

This is the test that should have been done from the beginning: you are simulating
what pamldap does (without sasl auth). I would make sure your -h and -p
correspond with what you have in your pamldap.conf file.

>
> When the ldapsearch is used with -x and -D options and the password of the authenticating Manager was used then the ldapsearch is a successful one as shown below:-
>
> [root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D ' cn=Manager,dc=nits,dc=ac,dc=in' -W  '(uid=jmaan)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: (uid=jmaan)
> # requesting: ALL
> #
>
> # jmaan, non-teach, compcen, nits.ac.in
> dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> uid: jmaan
> cn: jmaan
> objectClass: account
> objectClass: posixAccount
> userPassword:: JDEkOVE1ZDRQdzUkWkl1QlJjQWhLZ0xPREtTR2FrNlhNMQ==
> loginShell: /bin/bash
> uidNumber: 623
> gidNumber: 623
> homeDirectory: /home/jmaan
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Now please give me insights in this!!!! In both of the cases for the user-"jmaan" everything matches with the imported file of the user "jmaan" except for the password (where the password was in md5 format, while importing). Is it because of this mismatch that i could not log through  the console in the server machine using the user id-"jmaan" ?
> Also are the reasons same for unsuccessful log on using ssh <hostname> -l <uid>
Please forget about ssh until you get the ldap bind working.
And yes, this is the reason it is not working. Try resetting the password for
that user. Once you have the ldap bind working, then test logging in from the
console and then ssh.

Use the admin account to change the password for jmaan.

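The `userPassword::` value returned by the Manager-bound search in this thread is base64 for a bare `$1$...` crypt string with no `{SCHEME}` prefix, and slapd compares a value stored without a scheme prefix as a cleartext password, which fits the failed bind as `uid=jmaan` and the advice to reset the password. The script below is an added example, not code from the thread: it parses that LDIF (including a folded `dn:` line) and classifies the stored value; the function names and finding strings are illustrative choices.

```python
import base64
import binascii
import re

# ldapsearch output for uid=jmaan; attribute values copied from the thread,
# trimmed to the attributes that matter here.
THREAD_LDIF = """\
# jmaan, non-teach, compcen, nits.ac.in
dn:
 uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
uid: jmaan
objectClass: posixAccount
userPassword:: JDEkOVE1ZDRQdzUkWkl1QlJjQWhLZ0xPREtTR2FrNlhNMQ==
uidNumber: 623
"""

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*):(:?)[ ]*(.*)$")
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9._-]+)\}(.*)$", re.S)
# crypt(3) modular format: $id$[rounds=N$]salt$hash
CRYPT_RE = re.compile(
    rb"^\$(1|2[abxy]?|5|6)\$(?:rounds=\d+\$)?[./A-Za-z0-9]+\$[./A-Za-z0-9]+$")
CRYPT_IDS = {b"1": "MD5-crypt", b"5": "SHA-256-crypt", b"6": "SHA-512-crypt"}
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of bytes."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # RFC 2849 folded continuation
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:
        if not line.strip():                  # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if line.startswith("#") or not m:
            continue
        name, is_b64, value = m.groups()
        data = base64.b64decode(value) if is_b64 else value.encode()
        current.setdefault(name.lower(), []).append(data)
    return entries


def classify_user_password(value):
    """Describe how a stored userPassword value (bytes) is laid out."""
    m = SCHEME_RE.match(value)
    if m:
        scheme, body = m.group(1).decode().upper(), m.group(2)
        info = {"scheme": scheme, "compared_as": "scheme", "problem": None}
        if scheme in DIGEST_LEN:
            try:
                raw = base64.b64decode(body, validate=True)
            except binascii.Error:
                raw = b""
            need = DIGEST_LEN[scheme]
            salted = scheme in ("SMD5", "SSHA")
            ok = len(raw) > need if salted else len(raw) == need
            if not ok:
                info["problem"] = "body is not a valid %s digest" % scheme
        elif scheme == "CRYPT" and not CRYPT_RE.match(body) and len(body) != 13:
            info["problem"] = "body is not a crypt(3) string"
        elif scheme == "CLEARTEXT":
            info["compared_as"] = "cleartext"
        return info
    c = CRYPT_RE.match(value)
    if c:
        kind = CRYPT_IDS.get(c.group(1), "bcrypt")
        return {"scheme": None, "compared_as": "cleartext",
                "problem": "bare %s string without a {CRYPT} prefix" % kind}
    return {"scheme": None, "compared_as": "cleartext",
            "problem": "no {SCHEME} prefix: stored as a cleartext password"}


def audit(ldif_text):
    """Return (dn, finding) for every userPassword value in the LDIF."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [b"?"])[0].decode()
        for value in entry.get("userpassword", []):
            findings.append((dn, classify_user_password(value)))
    return findings


if __name__ == "__main__":
    for dn, finding in audit(THREAD_LDIF):
        print(dn, finding)
```

Resetting the password with ldappasswd while bound as the Manager, as advised in the reply above, lets slapd store the new value under its configured password-hash scheme instead.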

Re: Authentication Failure In pam_ldap ?

by Jyotishmaan

Alex, the ldapsearch works all fine. But as you said to reset the password for the test user -"jmaan" in my ldap server machine using the ldappasswd command, can you please give me the details, as it is not executing successfully. Maybe somewhere I have missed an option:-

 ldappasswd -h localhost -p 389 -x -D uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

[root@authdns ~]# ldappasswd -h authdns.nits.ac.in  -p 389 -x -D uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Is this the correct way  of re-setting the password ?


(Alex), Please Do Give Insights On This !!






Re: Authentication Failure In pam_ldap ?

by Jyotishmaan

Hi All,

ldapsearch -h <servername> -p <PortNumber> -x -D cn=Manager,dc=nits,dc=ac,dc=in -W -b dc=nits,dc=ac,dc=in '(uid=jmaan*)'

works out fine as said before, but now the /var/log/messages is showing the following errors, when I had been trying continuously to login from the console in the ldap server machine using the dn of the users-"jmaan" and "ldapusr":-

Please give directions/hints so that I can somehow resolve the issues of authentication with pam_ldap?

It seems it could not bind with the ldap server? But then why?

I had been trying to reset the ldappasswd for these users (jmaan and ldapusr) but again it gives me "invalid credentials" as shown below:

[root@authdns log]# ldappasswd -h localhost -p 389 -x -D uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

The messages from the /var/log/messages are shown below:-

Dec 22 12:59:46 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
Dec 22 12:59:49 authdns gdm[2361]: Couldn't authenticate user
Dec 22 13:00:39 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
Dec 22 13:00:41 authdns gdm[2361]: Couldn't authenticate user
Dec 22 13:01:28 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
Dec 22 13:01:32 authdns gdm[2361]: Couldn't authenticate user
Dec 22 13:03:04 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=ldapusr,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
Dec 22 13:03:07 authdns gdm[2361]: Couldn't authenticate user


My ldap.conf file of the ldap server machine is shown below:

[root@authdns log]# egrep -v '^(^$|#)' /etc/ldap.conf

base dc=nits,dc=ac,dc=in
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
uri ldap://127.0.0.1/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

The slapd.conf file of my server machine is as shown below:

[root@authdns log]# egrep -v '^(^$|#)' /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/nit.schema
access to * by * read
 allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database        bdb
suffix          "dc=nits,dc=ac,dc=in"
rootdn          "cn=Manager,dc=nits,dc=ac,dc=in"
rootpw                     {SSHA}Y3RagOP7u3FsNbHCnPVLwsxUepwIgezo
directory       /var/lib/ldap
index objectClass                       eq,pres index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
  
                                                                                                                            
access to attrs=userPassword
         by * auth
         by  self write
access to *
         by *  read
access to *
       by dn="cn=Manager,dc=nits,dc=ac,dc=in"  write
       by dn="uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" read
       by dn="uid=ldapusr,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" read
       by dn="uid=usr1,dc=nits,dc=ac,dc=in" read
       by users read
       by self write
       by * read
                                                                                                                            
lastmod  on
access to * by users read
authz-regexp
          uid=([^,]*),dc=[^,]*,cn=auth
          uid=$1,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
loglevel         -1

Thank you for taking efforts to read till this line. Now please show me your expertise on this, and let me resolve this authentication ?

Jyotishmaan

----- Original Message ----
From: Alex Samad <alex@...>
To: pamldap@...
Sent: Friday, December 21, 2007 3:42:30 AM
Subject: Re: [pamldap] Authentication Failure In pam_ldap ?

[snip]

Re: Authentication Failure In pam_ldap ?

by Alex Samad

On Fri, Dec 21, 2007 at 11:56:03PM -0800, Jyotishmaan Ray wrote:

> Hi All,
>
> ldapsearch -h <servername> -p <PortNumber> -x -D cn=Manager,dc=nits,dc=ac,dc=in -W -b dc=nits,dc=ac,dc=in '(uid=jmaan*)'
>
> works out fine as said before, but now the /var/log/messages is showing the following errors, when I had been trying continuously to login from the console in the ldap server machine using the dn of the users-"jmaan" and "ldapusr":-
>
> Please give directions/hints so that I can somehow resolve the issues of authentication with pam_ldap?
>
> It seems it could not bind with the ldap server? But then why?
Let's fix one thing at a time.

>
> I had been trying to reset the ldappasswd for these users (jmaan and ldapusr) but again it gives me "invalid credentials" as shown below :
>
> [root@authdns log]# ldappasswd -h localhost -p 389 -x -D uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in -W
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)

If you look at the command, you are trying to change the password for dn
uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in. Part of the process
is providing the original user's password; if you don't know it, that isn't going
to work.

As with your other problems, a quick scan of the man pages does provide the
answer:

"ldappasswd sets the password of associated with the user [or an optionally
specified user]."

You need to bind as the manager uid and change the password of jmaan:

ldappasswd -h localhost -p 389 -x -D cn=Manager,dc=nits,dc=ac,dc=in -W \
  uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in


Once this works, then try the ldapsearch with the -x -D,

then try the local login.

>
> The messages from the /var/log/messages are shown below:-
>
> Dec 22 12:59:46 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
> Dec 22 12:59:49 authdns gdm[2361]: Couldn't authenticate user
> Dec 22 13:00:39 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
> Dec 22 13:00:41 authdns gdm[2361]: Couldn't authenticate user
> Dec 22 13:01:28 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
> Dec 22 13:01:32 authdns gdm[2361]: Couldn't authenticate user
> Dec 22 13:03:04 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=ldapusr,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
> Dec 22 13:03:07 authdns gdm[2361]: Couldn't authenticate user
>
This is the same issue.

>
> My ldap.conf file of the ldap server machine is shown below:
>
> [root@authdns log]# egrep -v '^(^$|#)' /etc/ldap.conf
>
> base dc=nits,dc=ac,dc=in
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
> uri ldap://127.0.0.1/
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
>
>
> The slapd.conf file of my server machine is as shown below:
>
> [root@authdns log]# egrep -v '^(^$|#)' /etc/openldap/slapd.conf
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include        /etc/openldap/schema/nit.schema
> access to * by * read
>  allow bind_v2
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> database        bdb
> suffix          "dc=nits,dc=ac,dc=in"
> rootdn          "cn=Manager,dc=nits,dc=ac,dc=in"
> rootpw                     {SSHA}Y3RagOP7u3FsNbHCnPVLwsxUepwIgezo
You should have changed the above password before emailing it to anyone.

> directory       /var/lib/ldap
> index objectClass                       eq,pres index ou,cn,mail,surname,givenname      eq,pres,sub
> index uidNumber,gidNumber,loginShell    eq,pres
> index uid,memberUid                     eq,pres,sub
> index nisMapName,nisMapEntry            eq,pres,sub
>    
>                                                                                                                              
> access to attrs=userPassword
>          by * auth
>          by  self write
> access to *
>          by *  read
> access to *
>        by dn="cn=Manager,dc=nits,dc=ac,dc=in"  write
>        by dn="uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" read
>        by dn="uid=ldapusr,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" read
>        by dn="uid=usr1,dc=nits,dc=ac,dc=in" read
>        by users read
>        by self write
>        by * read
>                                                                                                                              
> lastmod  on
> access to * by users read
> authz-regexp
>           uid=([^,]*),dc=[^,]*,cn=auth
>           uid=$1,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> loglevel         -1
>
> Thank you for taking efforts to read till this line. Now please show me your expertise on this, and let me resolve this authentication ?
>
> Jyotishmaan
> Moderator Of Paradise Groups
> http://yahoogroups.com/group/Spirituality-Paradise
>  
> Are You Spiritually Aware  !!! Are You Enjoying Yourself  !!!  See What All You Had Been Missing !!!!
> Please Join Immediately By Sending A Blank Mail @  
> Spirituality-Paradise-subscribe@...
>  
>  
>  
>
>
>
>
>
>
>
>
>
>
>
> ----- Original Message ----
> From: Alex Samad <alex@...>
> To: pamldap@...
> Sent: Friday, December 21, 2007 3:42:30 AM
> Subject: Re: [pamldap] Authentication Failure In pam_ldap ?
>
>
> On Wed, Dec 19, 2007 at 10:59:17PM -0800, Jyotishmaan Ray wrote:
> >
> > Hello Alex,
> >
> > Thank you for giving me tips on ldapsearch with -x and -D.
> >
> > The output of a ldapsearch with -x and -D options is as shown below:-
> >
> > [root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D
>  cn=Manager,dc=nits,dc=ac,dc=in -W -b dc=nits,dc=ac,dc=in '(uid=jmaan)'
> > Enter LDAP Password:
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <dc=nits,dc=ac,dc=in> with scope subtree
> > # filter: (uid=jmaan)
> > # requesting: ALL
> > #
> >
> > # jmaan, non-teach, compcen, nits.ac.in
> > dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> > uid: jmaan
> > cn: jmaan
> > objectClass: account
> > objectClass: posixAccount
> > userPassword:: JDEkOVE1ZDRQdzUkWkl1QlJjQWhLZ0xPREtTR2FrNlhNMQ==
> > loginShell: /bin/bash
> > uidNumber: 623
> > gidNumber: 623
> > homeDirectory: /home/jmaan
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> > [root@authdns ~]#
> great now you know that cn=Manager,dc=nits,dc=ac,dc=in works
>
> >
> > The output of ldapsearch when used with -x and -D options with dn for
>  the user "jmaan" is as shown below when the passoword for jmaan was
>  used:-
> >
> >
> > [root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D
>  'uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in' -W  
> > Enter LDAP Password:
> > ldap_bind: Invalid credentials (49)
> > [root@authdns ~]#
>
> this is the test that should have been done from the begging you are
>  simulating
> what pamldap does (with out sasl auth), I would make sure you -h and -p
>  
> corrospond with what you have in you pamldap.conf file
>
> >
> > When the ldapsearch is used with -x and -D options and the password
>  of the autenticating Manager was used then the ldapsearch is a
>  successful one as shown below:-
> >
> > [root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D 'cn=Manager,dc=nits,dc=ac,dc=in' -W  '(uid=jmaan)'
> > Enter LDAP Password:
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <> with scope subtree
> > # filter: (uid=jmaan)
> > # requesting: ALL
> > #
> >
> > # jmaan, non-teach, compcen, nits.ac.in
> > dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> > uid: jmaan
> > cn: jmaan
> > objectClass: account
> > objectClass: posixAccount
> > userPassword:: JDEkOVE1ZDRQdzUkWkl1QlJjQWhLZ0xPREtTR2FrNlhNMQ==
> > loginShell: /bin/bash
> > uidNumber: 623
> > gidNumber: 623
> > homeDirectory: /home/jmaan
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > Now please give me insights in this!!!! In both of the cases for the user-"jmaan" everything matches with the imported file of the user "jmaan" except for the password (where the password was in md5 format, while importing). Is it because of this mismatch that I could not log through the console in the server machine using the user id-"jmaan" ?
> > Also are the reasons same for unsuccessful log on using ssh <hostname> -l <uid>
> please forget about ssh until you get the ldap bind working.
> and yes this is the reason it is not working. try resetting the password for
> that user.  Once you have the ldap bind working then test logging in from the
> console and then ssh.
>
> use the admin account to change the password for jmaan
> >
> > Please let me, Alex!! More to know from you, as I cannot see any other ways!!!!
> >
> >
> >
> > Thanking you,
> >
> > Regards,
> >
> > Jyotishmaan

Re: Authentication Failure In pam_ldap ?

by Jyotishmaan

Hello (Alex),


I could change the password successfully as shown below but still could not log in through the console. What should I do next?


[root@authdns ~]# ldappasswd -h localhost -p 389 -x -D cn=Manager,dc=nits,dc=ac,dc=in -W  uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
Enter LDAP Password:
New password: fLUnF/BT
Result: Success (0)


ssh is executing well, with the changed ldappasswd which was earlier not working with the migrated userpassword.

[root@authdns ~]# ssh localhost -l jmaan
jmaan@localhost's password:
Last login: Wed Nov 28 19:29:39 2007 from authdns.nits.ac.in
Could not chdir to home directory /home/jmaan: No such file or directory
-bash-3.2$ pwd


[root@authdns ~]# ldapsearch -h localhost -p 389 -x -D cn=Manager,dc=nits,dc=ac,dc=in -W  '(uid=jmaan)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=jmaan)
# requesting: ALL
#

# jmaan, non-teach, compcen, nits.ac.in
dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
uid: jmaan
cn: jmaan
objectClass: account
objectClass: posixAccount
loginShell: /bin/bash
uidNumber: 623
gidNumber: 623
homeDirectory: /home/jmaan
userPassword:: e1NTSEF9Zm5EaTIzeXZ2VjkvYitmbHp4N1RUUDZHNDhjcndvZXk=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@authdns ~]#


[root@authdns ~]# ldapsearch -h localhost -p 389 -x -D cn=Manager,dc=nits,dc=ac,dc=in -W   uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


I had been trying to log in with the changed password through the console but I could not log in. It displayed three dialog boxes, one after another, then finally the log in screen was displayed.

The first pop-up dialog box displayed the following messages in it:-

"Your home directory is listed as :'home/jmaan' but it does not appear to exist. Do you  want to log in with the / (root) directory...... " with yes and no buttons.

After clicking on the Yes button, the second pop-up window displayed the following messages:- "User's $HOME/.dmrc file is being ignored. This prevents the default session and language from being saved. File should be owned by user and have 644 permissions...."

After clicking on the OK button, the third box has shown the following lines :-
"Your session only lasted less than 10 seconds. If you have not logged out yourself, this could mean some installation problem or that you may be out of disk space. Try logging in with one of the failsafe sessions to see if you can fix this problem."

Because of these dialog boxes, I have made explicitly one directory under /home for the user jmaan as /home/jmaan with 644 permissions. When I tried now to log in with the user jmaan, now the first pop-up dialog box was skipped and popped only the remaining two dialog boxes after which the GUI based console log in screen was shown.

Regards,
Jyotishmaan
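
As an added example (not part of any post in this thread), the following Python code decodes the two `userPassword::` values shown in the ldapsearch outputs above, before and after the ldappasswd reset, and reports which password scheme each one carries. It assumes an OpenLDAP server, where a stored value without a `{SCHEME}` prefix is compared as cleartext; the function names are hypothetical.

```python
import base64
import re

# userPassword lines copied from the two ldapsearch outputs in this thread
# (before and after the ldappasswd reset).
LDIF_BEFORE = "userPassword:: JDEkOVE1ZDRQdzUkWkl1QlJjQWhLZ0xPREtTR2FrNlhNMQ=="
LDIF_AFTER = "userPassword:: e1NTSEF9Zm5EaTIzeXZ2VjkvYitmbHp4N1RUUDZHNDhjcndvZXk="

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_-]+)\}")
# Prefixes of crypt(3)-style hashes as found in /etc/shadow.
CRYPT_RE = re.compile(rb"^\$(1|2[abxy]?|5|6|y)\$")


def decode_user_password(ldif_line):
    """Return the raw userPassword bytes from one LDIF attribute line."""
    name, sep, value = ldif_line.partition(":")
    if name.strip().lower() != "userpassword" or not sep:
        raise ValueError("not a userPassword line")
    if value.startswith(":"):            # "::" means the value is base64
        return base64.b64decode(value[1:].strip(), validate=True)
    return value.strip().encode()        # ":" means the value is literal


def classify(ldif_line):
    """Return (scheme, finding) for a userPassword LDIF line."""
    raw = decode_user_password(ldif_line)
    m = SCHEME_RE.match(raw)
    if m:
        return m.group(1).decode().upper(), "ok: value carries a scheme prefix"
    if CRYPT_RE.match(raw):
        # Assumption: OpenLDAP slapd semantics for unprefixed values.
        return None, ("crypt(3) hash stored without {CRYPT}: compared as "
                      "cleartext, so a bind with the real password fails")
    return None, "no scheme prefix: value is stored as cleartext"


if __name__ == "__main__":
    for label, line in (("before", LDIF_BEFORE), ("after", LDIF_AFTER)):
        scheme, finding = classify(line)
        print(f"{label}: scheme={scheme} -> {finding}")
```

Run against a migrated LDIF file before import, the same check flags every entry whose hash would need a `{CRYPT}` prefix or a password reset.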



