Tried that no love. I don't have a classObject of posixAccount. Am I
> I use openldap on centos 5.1 without any problems. My /etc/pam.d/system-auth
> looks the same as yours. Try modifying your /etc/ldap.conf - see nss_base_*
> and pam_* below
>
>
> uri ldap://localhost:389
> # uri ldap://ldap.some.domain.org:389
> base dc=some,dc=domain,dc=org
>
> nss_base_passwd ou=People,dc=some,dc=domain,dc=org
> nss_base_shadow ou=People,dc=some,dc=domain,dc=org
> nss_base_group ou=Group,dc=some,dc=domain,dc=org
> nss_base_hosts ou=Hosts,dc=some,dc=domain,dc=org
>
> rootbinddn cn=rootbinder,dc=some,dc=domain,dc=org # if used need to add /etc/ldap.secret
> binddn cn=binderman,dc=some,dc=domain,dc=org
> bindpw sillypassword
>
> pam_login_attribute uid
> pam_filter objectClass=posixAccount
> pam_member_attribute memberUid
>
> pam_password exop # use exop if ldap is also used with non-linux clients
> so password is recognizable
>
> ssl no
>
> timelimit 10
> bind_timelimit 10
> idle_timelimit 3600
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>
> Lance Vermilion wrote:
>>
>> Weston,
>>
>> Here is what I have for nsswitch.conf, ldap.conf, etc.
>>
>> I do not know how to enable nss_ldap via authconfig....maybe that is
>> causing the issue?
>>
>> #
>> # /etc/ldap.conf
>> #
>> base dc=disamcep,dc=com
>> uri ldap://10.0.6.150/
>> binddn uid=user.0,ou=People,dc=disamcep,dc=com
>> bindpw test
>> timelimit 120
>> bind_timelimit 30
>> bind_policy soft
>> idle_timelimit 3600
>> pam_password clear
>> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>> ssl off
>> tls_cacertdir /etc/openldap/cacerts
>>
>> #
>> # /etc/openldap/ldap.conf
>> #
>> URI ldap://10.0.6.150/
>> BASE dc=disamcep,dc=com
>> TLS_CACERTDIR /etc/openldap/cacerts
>>
>> #
>> # /etc/nsswitch.conf
>> #
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>> hosts: files dns
>> bootparams: nisplus [NOTFOUND=return] files
>> ethers: files
>> netmasks: files
>> networks: files
>> protocols: files
>> rpc: files
>> services: files
>> netgroup: files
>> publickey: nisplus
>> automount: files
>> aliases: files nisplus
>>
>> #
>> # authconfig --test
>> #
>> caching is disabled
>> nss_files is always enabled
>> nss_compat is disabled
>> nss_db is disabled
>> nss_hesiod is disabled
>> hesiod LHS = ""
>> hesiod RHS = ""
>> nss_ldap is disabled
>> LDAP+TLS is disabled
>> LDAP server = "ldap://10.0.6.150/"
>> LDAP base DN = "dc=disamcep,dc=com"
>> nss_nis is disabled
>> NIS server = ""
>> NIS domain = ""
>> nss_nisplus is disabled
>> nss_winbind is disabled
>> SMB workgroup = "MYGROUP"
>> SMB servers = ""
>> SMB security = "user"
>> SMB realm = ""
>> Winbind template shell = "/bin/false"
>> SMB idmap uid = "16777216-33554431"
>> SMB idmap gid = "16777216-33554431"
>> nss_wins is disabled
>> pam_unix is always enabled
>> shadow passwords are enabled
>> md5 passwords are enabled
>> pam_krb5 is disabled
>> krb5 realm = "EXAMPLE.COM"
>> krb5 realm via dns is disabled
>> krb5 kdc = "kerberos.example.com:88"
>> krb5 kdc via dns is disabled
>> krb5 admin server = "kerberos.example.com:749"
>> pam_ldap is enabled
>>
>> LDAP+TLS is disabled
>> LDAP server = "ldap://10.0.6.150/"
>> LDAP base DN = "dc=disamcep,dc=com"
>> pam_pkcs11 is disabled
>>
>> use only smartcard for login is disabled
>> smartcard module = "coolkey"
>> smartcard removal action = "Ignore"
>> pam_smb_auth is disabled
>> SMB workgroup = "MYGROUP"
>> SMB servers = ""
>> pam_winbind is disabled
>> SMB workgroup = "MYGROUP"
>> SMB servers = ""
>> SMB security = "user"
>> SMB realm = ""
>> pam_cracklib is enabled (try_first_pass retry=3)
>> pam_passwdqc is disabled ()
>> Always authorize local users is enabled ()
>> Authenticate system accounts against network services is disabled
>>
>>
>>
>> On Thu, Aug 28, 2008 at 11:59 AM, Weston Rogers <wrogers@...> wrote:
>>
>>>
>>> This config works fine on 2000+ hosts. You have all your other bases
>>> covered? (/etc/nsswitch.conf, /etc/ldap.conf etc..)
>>>
>>> Wes
>>>
>>> On Thu, Aug 28, 2008 at 14:29, Lance Vermilion <pamldap@...> wrote:
>>>
>>>>
>>>> Weston,
>>>>
>>>> Why doesn't auth have pam_ldap included? The only place I see your
>>>> pam_ldap is under password.
>>>>
>>>> I do not see a single ldap request with this configuration. I have
>>>> tried with and without the $ISA. Any other thoughts?
>>>>
>>>> -lance
>>>>
>>>> On Thu, Aug 28, 2008 at 8:30 AM, Weston Rogers <wrogers@...> wrote:
>>>>
>>>>>
>>>>> This is what I use for /etc/pam.d/system-auth (you don't need to touch
>>>>> /etc/pam.d/sshd) :
>>>>>
>>>>> auth required /lib/security/$ISA/pam_env.so
>>>>> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>>>>> auth required /lib/security/$ISA/pam_deny.so
>>>>>
>>>>> account required /lib/security/$ISA/pam_unix.so
>>>>> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>>>>> account required /lib/security/$ISA/pam_permit.so
>>>>>
>>>>> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
>>>>> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>>>> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
>>>>> password required /lib/security/$ISA/pam_deny.so
>>>>>
>>>>> session required /lib/security/$ISA/pam_limits.so
>>>>> session required /lib/security/$ISA/pam_unix.so
>>>>>
>>>>>
>>>>> On Wed, Aug 27, 2008 at 18:46, Lance Vermilion <pamldap@...> wrote:
>>>>>
>>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> I am having a bit of an issue. I want to use pam_ldap for
>>>>>> authentication and do not want to have a local user account for
>>>>>> each user that I want to authenticate via ldap. So for example
>>>>>> if I have linux client A receive a login request from a user with the
>>>>>> username of "user.2" via ssh I would expect PAM and pam_ldap to use
>>>>>> the password which the user provided to bind to the ldap server. For
>>>>>> some reason I have something out of order and if the user does not
>>>>>> have a local account it is forwarding INCORRECT as the password to the
>>>>>> ldap server. If I create the username "user.2" on the local system it
>>>>>> will then forward the password provided by the user and then I am off
>>>>>> and running. Any thoughts?
>>>>>>
>>>>>> #
>>>>>> # TCPDUMP showing that the password for AUTH is incorrect
>>>>>> # user.2 does not exist locally
>>>>>> #
>>>>>> 00000074 30 40 02 01 03 60 3b 02 01 03 04 27 75 69 64 3d   0@...`;. ...'uid=
>>>>>> 00000084 75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65   user.2,o u=People
>>>>>> 00000094 2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d   ,dc=disa mcep,dc=
>>>>>> 000000A4 63 6f 6d 80 0d 08 0a 0d 7f 49 4e 43 4f 52 52 45   com..... .INCORRE
>>>>>> 000000B4 43 54                                             CT
>>>>>>
>>>>>>
>>>>>> #
>>>>>> # TCPDUMP showing that the password for AUTH is correct
>>>>>> # after /usr/sbin/adduser user.2
>>>>>> #
>>>>>> 00000074 30 37 02 01 03 60 32 02 01 03 04 27 75 69 64 3d   07...`2. ...'uid=
>>>>>> 00000084 75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65   user.2,o u=People
>>>>>> 00000094 2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d   ,dc=disa mcep,dc=
>>>>>> 000000A4 63 6f 6d 80 04 74 65 73 74                        com..test
>>>>>>
>>>>>>
>>>>>> OS: CentOS 5.1
>>>>>>
>>>>>> #
>>>>>> # /etc/pam.d/sshd
>>>>>> #
>>>>>> #%PAM-1.0
>>>>>> auth required /lib/security/pam_nologin.so
>>>>>> auth sufficient /lib/security/pam_ldap.so
>>>>>> auth required /lib/security/pam_unix_auth.so try_first_pass
>>>>>>
>>>>>> account sufficient /lib/security/pam_ldap.so
>>>>>> account required /lib/security/pam_unix_acct.so
>>>>>>
>>>>>> password required /lib/security/pam_cracklib.so
>>>>>> password sufficient /lib/security/pam_ldap.so
>>>>>> password required /lib/security/pam_pwdb.so use_first_pass
>>>>>>
>>>>>> session required /lib/security/pam_unix_session.so
>>>>>>
>>>>>> #
>>>>>> # /etc/pam.d/system-auth
>>>>>> #
>>>>>> #%PAM-1.0
>>>>>> # This file is auto-generated.
>>>>>> # User changes will be destroyed the next time authconfig is run.
>>>>>> auth required pam_env.so
>>>>>> auth sufficient pam_unix.so nullok try_first_pass
>>>>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>>>>> auth sufficient pam_ldap.so use_first_pass
>>>>>> auth required pam_deny.so
>>>>>>
>>>>>> account required pam_unix.so broken_shadow
>>>>>> account sufficient pam_localuser.so
>>>>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>>>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>>>> account required pam_permit.so
>>>>>>
>>>>>> password requisite pam_cracklib.so try_first_pass retry=3
>>>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>>>> password sufficient pam_ldap.so use_authtok
>>>>>> password required pam_deny.so
>>>>>>
>>>>>> session optional pam_keyinit.so revoke
>>>>>> session required pam_limits.so
>>>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>>>> session required pam_unix.so
>>>>>> session optional pam_ldap.so
>>>>>>
>>>>>>
>>
>>
>
> --
> Patrick Shinpaugh
> Virginia Tech
> UVAG System Administrator/Programmer
> 540-231-2054
>
>
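The two BindRequests in Lance's tcpdump, decoded by an added example that is not part of the thread: a minimal BER walker for the LDAP simple bind, fed the exact bytes shown in the captures. It shows that the first bind carries the byte string `\b\n\r\x7fINCORRECT` as the password, which is the placeholder OpenSSH's auth-pam.c hands to PAM in place of the typed password when the login name does not resolve to a valid local account (via getpwnam, i.e. NSS), so the wrong password is substituted before pam_ldap ever runs; the second bind, after adduser, carries the real password "test".

```python
# Added example, not from the thread: a minimal BER walker for the LDAP simple
# BindRequest, run over the exact bytes of the two tcpdump captures above.

# Constructed from the hex columns of the captures (offset 0x74 onward).
BIND_NO_LOCAL_USER = bytes.fromhex(
    "3040020103603b02010304277569643d" "757365722e322c6f753d50656f706c65"
    "2c64633d646973616d6365702c64633d" "636f6d800d080a0d7f494e434f525245"
    "4354")
BIND_AFTER_ADDUSER = bytes.fromhex(
    "3037020103603202010304277569643d" "757365722e322c6f753d50656f706c65"
    "2c64633d646973616d6365702c64633d" "636f6d800474657374")

# Placeholder password OpenSSH's auth-pam.c hands to PAM instead of the typed
# one when the login name does not resolve to a valid local account.
OPENSSH_BADPW = b"\b\n\r\x7fINCORRECT"


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at buf[pos]
    (short and long definite length forms; indefinite form not handled)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(pdu):
    """Decode LDAPMessage { messageID, BindRequest { version, name,
    authentication: simple [0] OCTET STRING } } into a dict."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, pos = _read_tlv(msg, 0)
    tag, bindreq, _ = _read_tlv(msg, pos)
    if tag != 0x60:  # [APPLICATION 0] constructed
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = _read_tlv(bindreq, 0)
    _, name, pos = _read_tlv(bindreq, pos)
    tag, cred, _ = _read_tlv(bindreq, pos)
    if tag != 0x80:  # [0] simple; SASL ([3]) is not handled here
        raise ValueError("only simple authentication is decoded")
    return {"message_id": int.from_bytes(msgid, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode("utf-8"), "password": cred}


def bound_with_sshd_placeholder(pdu):
    """True when the bind password is sshd's placeholder, i.e. sshd never
    resolved the login name to a local account and discarded the real one."""
    return decode_bind_request(pdu)["password"] == OPENSSH_BADPW
```

Running the decoder over a capture is a quick way to tell "PAM/pam_ldap misordered" apart from "sshd could not resolve the user through NSS": the placeholder can only come from the latter.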