pam_ldap on CentOS passed INCORRECT if local account doesn't exist

by lavermil

Hello All,

I am having a bit of an issue. I want to use pam_ldap for
authentication and do not want to have a local user account for each
user that I want to authenticate via LDAP. So for example, if I have
Linux client A receive a login request from a user with the username
"user.2" via ssh, I would expect PAM and pam_ldap to use the password
which the user provided to bind to the LDAP server. For some reason I
have something out of order, and if the user does not have a local
account it is forwarding INCORRECT as the password to the LDAP server.
If I create the username "user.2" on the local system it will then
forward the password provided by the user and then I am off and
running. Any thoughts?

#
# TCPDUMP showing that the password for AUTH is incorrect
# user.2 does not exist locally
#
00000074  30 40 02 01 03 60 3b 02  01 03 04 27 75 69 64 3d   0@...`;. ...'uid=
00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65   user.2,o u=People
00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d   ,dc=disa mcep,dc=
000000A4  63 6f 6d 80 0d 08 0a 0d  7f 49 4e 43 4f 52 52 45   com..... .INCORRE
000000B4  43 54                                              CT


#
# TCPDUMP showing that the password for AUTH is correct
# after /usr/sbin/adduser user.2
#
00000074  30 37 02 01 03 60 32 02  01 03 04 27 75 69 64 3d   07...`2. ...'uid=
00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65   user.2,o u=People
00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d   ,dc=disa mcep,dc=
000000A4  63 6f 6d 80 04 74 65 73  74                        com..test


OS: CentOS 5.1

#
# /etc/pam.d/sshd
#
#%PAM-1.0
auth         required         /lib/security/pam_nologin.so
auth         sufficient         /lib/security/pam_ldap.so
auth         required         /lib/security/pam_unix_auth.so try_first_pass

account         sufficient         /lib/security/pam_ldap.so
account         required         /lib/security/pam_unix_acct.so

password         required         /lib/security/pam_cracklib.so
password         sufficient         /lib/security/pam_ldap.so
password         required         /lib/security/pam_pwdb.so use_first_pass

session         required         /lib/security/pam_unix_session.so

#
# /etc/pam.d/system-auth
#
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
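Added example (editor's code, not from the thread): a minimal BER decoder for the two LDAP simple BindRequests captured above, recovering the bind DN and the password field from the posted hex columns. The 13-byte password in the first capture is 08 0a 0d 7f followed by INCORRECT, the fixed placeholder OpenSSH's sshd hands to PAM instead of the typed password when it cannot look the login name up as an account, so the check flags that case; the byte strings are reconstructed from the dumps in the post, and the plaintext is only readable because the bind goes over an unencrypted connection.

```python
# Editor's example for this thread, not code from the original post. The
# byte strings are reconstructed from the posted hex columns; the frame
# headers before offset 0x74 were not posted, so only the LDAP message is here.
from dataclasses import dataclass
from typing import Tuple

# Fixed string OpenSSH's sshd (badpw[] in auth-pam.c) passes to PAM in
# place of the typed password when it has not resolved the login name to
# an account: the PAM stack still runs, but no module can succeed with it.
SSHD_BADPW = b"\b\n\r\x7fINCORRECT"

# Capture 1 from the post: user.2 does not exist locally.
BIND_WITHOUT_LOCAL_USER = bytes.fromhex(
    "30 40 02 01 03 60 3b 02 01 03 04 27 "
    "75 69 64 3d 75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65 "
    "2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d 63 6f 6d "
    "80 0d 08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54"
)
# Capture 2 from the post: after adduser user.2, the typed password "test".
BIND_WITH_LOCAL_USER = bytes.fromhex(
    "30 37 02 01 03 60 32 02 01 03 04 27 "
    "75 69 64 3d 75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65 "
    "2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d 63 6f 6d "
    "80 04 74 65 73 74"
)

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] context-specific: simple (password) credentials


@dataclass
class BindRequest:
    message_id: int
    version: int
    name: str        # bind DN
    password: bytes  # simple-auth credentials exactly as sent on the wire


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, end) for the definite-length BER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER contents run past the end of the message")
    return tag, buf[pos:end], end


def expect(buf: bytes, pos: int, tag: int, what: str) -> Tuple[bytes, int]:
    """read_tlv, but fail unless the element carries the expected tag."""
    got, contents, end = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected {what} (tag 0x{tag:02x}), got tag 0x{got:02x}")
    return contents, end


def parse_simple_bind(msg: bytes) -> BindRequest:
    """Parse LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    body, _ = expect(msg, 0, TAG_SEQUENCE, "LDAPMessage")
    mid, pos = expect(body, 0, TAG_INTEGER, "messageID")
    op, _ = expect(body, pos, TAG_BIND_REQUEST, "BindRequest")
    ver, pos = expect(op, 0, TAG_INTEGER, "version")
    name, pos = expect(op, pos, TAG_OCTET_STRING, "name")
    cred, _ = expect(op, pos, TAG_SIMPLE_AUTH, "simple authentication")
    return BindRequest(
        message_id=int.from_bytes(mid, "big", signed=True),
        version=int.from_bytes(ver, "big", signed=True),
        name=name.decode("utf-8"),
        password=bytes(cred),
    )


def is_sshd_badpw(password: bytes) -> bool:
    """True when the bind carries sshd's invalid-user placeholder, not a typed password."""
    return password == SSHD_BADPW


def diagnose(msg: bytes) -> str:
    """One-line verdict for a captured bind, in the terms of the thread's problem."""
    req = parse_simple_bind(msg)
    if is_sshd_badpw(req.password):
        return (f"{req.name}: sshd sent its placeholder password; the login name did "
                "not resolve to an account on the client, so name lookup (not pam_ldap) failed")
    return f"{req.name}: password forwarded as typed ({len(req.password)} bytes)"


if __name__ == "__main__":
    for capture in (BIND_WITHOUT_LOCAL_USER, BIND_WITH_LOCAL_USER):
        print(diagnose(capture))
```

On the host itself, `getent passwd user.2` tells you whether name lookup can return the account at all; until it can, sshd never gives the PAM stack the real password.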

Re: pam_ldap on CentOS passed INCORRECT if local account doesn't exist

by wrogers

This is what I use for /etc/pam.d/system-auth (you don't need to touch
/etc/pam.d/sshd):

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so


On Wed, Aug 27, 2008 at 18:46, Lance Vermilion <pamldap@...> wrote:


Re: pam_ldap on CentOS passed INCORRECT if local account doesn't exist

by lavermil

Weston,

Why doesn't auth have pam_ldap included? The only place I see your
pam_ldap is under password.

I do not see a single ldap request with this configuration. I have
tried with and without the $ISA. Any other thoughts?

-lance

On Thu, Aug 28, 2008 at 8:30 AM, Weston Rogers <wrogers@...> wrote:


Re: pam_ldap on CentOS passed INCORRECT if local account doesn't exist

by wrogers

This config works fine on 2000+ hosts. You have all your other bases
covered? (/etc/nsswitch.conf, /etc/ldap.conf, etc.)

Wes

On Thu, Aug 28, 2008 at 14:29, Lance Vermilion <pamldap@...> wrote:


Re: pam_ldap on CentOS passed INCORRECT if local account doesn't exist

by lavermil

Weston,

Here is what I have for nsswitch.conf, ldap.conf, etc.

I do not know how to enable nss_ldap via authconfig... maybe that is
causing the issue?

#
# /etc/ldap.conf
#
base dc=disamcep,dc=com
uri ldap://10.0.6.150/
binddn uid=user.0,ou=People,dc=disamcep,dc=com
bindpw test
timelimit 120
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
pam_password clear
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
ssl off
tls_cacertdir /etc/openldap/cacerts

#
# /etc/openldap/ldap.conf
#
URI ldap://10.0.6.150/
BASE dc=disamcep,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

#
# /etc/nsswitch.conf
#
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

#
# authconfig --test
#
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://10.0.6.150/"
 LDAP base DN = "dc=disamcep,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
 shadow passwords are enabled
 md5 passwords are enabled
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com:88"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com:749"
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://10.0.6.150/"
 LDAP base DN = "dc=disamcep,dc=com"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled



On Thu, Aug 28, 2008 at 11:59 AM, Weston Rogers <wrogers@...> wrote:


Re: pam_ldap on CentOS passed INCORRECT if local account doesn't exist

by lavermil

I even went and set up Kerberos. I have the exact same issue. I now
know this has absolutely nothing to do with pam_ldap but rather PAM
and how the authentication is taking place. Apparently if no local user
is set up then it will fail. I don't know how to get around this
configuration issue. I have to be missing something. Can anyone point
me in the right direction?

TIA,

-lance

On Thu, Aug 28, 2008 at 2:25 PM, Lance Vermilion <pamldap@...> wrote:

>>>>>
>>>>> session         required         /lib/security/pam_unix_session.so
>>>>>
>>>>> #
>>>>> # /etc/pam.d/system-auth
>>>>> #
>>>>> #%PAM-1.0
>>>>> # This file is auto-generated.
>>>>> # User changes will be destroyed the next time authconfig is run.
>>>>> auth        required      pam_env.so
>>>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>>>> auth        sufficient    pam_ldap.so use_first_pass
>>>>> auth        required      pam_deny.so
>>>>>
>>>>> account     required      pam_unix.so broken_shadow
>>>>> account     sufficient    pam_localuser.so
>>>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>>> account     required      pam_permit.so
>>>>>
>>>>> password    requisite     pam_cracklib.so try_first_pass retry=3
>>>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
>>>>> use_authtok
>>>>> password    sufficient    pam_ldap.so use_authtok
>>>>> password    required      pam_deny.so
>>>>>
>>>>> session     optional      pam_keyinit.so revoke
>>>>> session     required      pam_limits.so
>>>>> session     [success=1 default=ignore] pam_succeed_if.so service in
>>>>> crond quiet use_uid
>>>>> session     required      pam_unix.so
>>>>> session     optional      pam_ldap.so
>>>>>
>>>>
>>>
>>
>
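The two tcpdump listings quoted above show the whole story once the BER is decoded, so here is an added example (not code from the thread, pam_ldap or OpenSSH) that parses both captured BindRequest PDUs. It is a minimal reader for the fields of an LDAP simple bind (RFC 4511 BindRequest inside an LDAPMessage) and assumes definite-length BER, which is what these captures use. The 13-byte password in the first capture decodes to `\b\n\r\x7fINCORRECT`, which is the fixed placeholder sshd hands to PAM when the login name does not resolve through `getpwnam()` (the `badpw` constant in OpenSSH's auth-pam.c), and the second capture carries the real password `test`. Both are readable on the wire because the bind is a simple bind over `ldap://` with `ssl off`.

```python
"""
Decode the two LDAP BindRequest PDUs from the tcpdump listings in the thread.

Added example; not code from the thread, pam_ldap or OpenSSH. It is a
minimal BER reader for a simple bind (RFC 4511, BindRequest) and assumes
definite-length encoding, which is what these captures use.
"""

# Hex copied from the two listings in the original post, offsets and ASCII
# columns removed. Capture 1 was taken while user.2 had no local account,
# capture 2 after 'adduser user.2'.
CAPTURE_NO_LOCAL_USER = (
    "30 40 02 01 03 60 3b 02 01 03 04 27 75 69 64 3d "
    "75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65 "
    "2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d "
    "63 6f 6d 80 0d 08 0a 0d 7f 49 4e 43 4f 52 52 45 "
    "43 54"
)
CAPTURE_WITH_LOCAL_USER = (
    "30 37 02 01 03 60 32 02 01 03 04 27 75 69 64 3d "
    "75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65 "
    "2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d "
    "63 6f 6d 80 04 74 65 73 74"
)

# The fixed password OpenSSH's sshd substitutes when the requested user
# cannot be resolved with getpwnam() (badpw in auth-pam.c), so that PAM still
# runs and a failure delay does not reveal whether the account exists.
OPENSSH_UNKNOWN_USER_PASSWORD = b"\x08\n\r\x7fINCORRECT"

# ASN.1 tags used by a simple bind
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80      # [0] simple password in AuthenticationChoice


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, tag):
    """read_tlv plus a tag check, so a wrong PDU fails loudly instead of mis-parsing."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x at offset %d" % (tag, got, pos))
    return value, nxt


def parse_bind_request(hex_dump):
    """Decode an LDAPMessage carrying a simple BindRequest into its fields."""
    raw = bytes.fromhex(hex_dump)
    message, end = expect(raw, 0, TAG_SEQUENCE)
    if end != len(raw):
        raise ValueError("trailing bytes after LDAPMessage")
    msg_id, pos = expect(message, 0, TAG_INTEGER)
    op, _ = expect(message, pos, TAG_BIND_REQUEST)
    version, pos = expect(op, 0, TAG_INTEGER)
    name, pos = expect(op, pos, TAG_OCTET_STRING)
    password, _ = expect(op, pos, TAG_SIMPLE_AUTH)   # raises on SASL binds (tag 0xA3)
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": name.decode("utf-8"),
        "password": password,
    }


def classify_password(password):
    """Tell a real user-supplied password from sshd's unknown-user placeholder."""
    if password == OPENSSH_UNKNOWN_USER_PASSWORD:
        return "sshd placeholder: the login name did not resolve via NSS"
    return "user-supplied password, in clear on the wire"


if __name__ == "__main__":
    for label, dump in (("no local account", CAPTURE_NO_LOCAL_USER),
                        ("after adduser", CAPTURE_WITH_LOCAL_USER)):
        req = parse_bind_request(dump)
        print(label, req["dn"], req["password"], "->", classify_password(req["password"]))
```

The practical reading: pam_ldap is doing its job (it binds as the right DN both times), but sshd never saw a valid account for user.2, which points at NSS rather than at the PAM stack. The same decoding also shows why `ssl off` with a simple bind is a problem in its own right: anyone able to capture that segment reads every login password, just as tcpdump did here.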

Re: pam_ldap on CentOS passed INCORRECT is local account doesn't exist

by wrogers

I have always steered clear of authconfig, but that's just my personal
preference.  Try changing your order in /etc/nsswitch.conf to ldap
first.

On Thu, Aug 28, 2008 at 17:25, Lance Vermilion <pamldap@...> wrote:

> Weston,
>
> Here is what I have for nsswitch.conf, ldap.conf, etc.
>
> I do not know how to enable nss_ldap via authconfig....maybe that is
> causing the issue?
>
> #
> # /etc/ldap.conf
> #
> base dc=disamcep,dc=com
> uri ldap://10.0.6.150/
> binddn uid=user.0,ou=People,dc=disamcep,dc=com
> bindpw test
> timelimit 120
> bind_timelimit 30
> bind_policy soft
> idle_timelimit 3600
> pam_password clear
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
> ssl off
> tls_cacertdir /etc/openldap/cacerts
>
> #
> # /etc/openldap/ldap.conf
> #
> URI ldap://10.0.6.150/
> BASE dc=disamcep,dc=com
> TLS_CACERTDIR /etc/openldap/cacerts
>
> #
> # /etc/nsswitch.conf
> #
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> hosts:      files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
>
> #
> # authconfig --test
> #
> caching is disabled
> nss_files is always enabled
> nss_compat is disabled
> nss_db is disabled
> nss_hesiod is disabled
>  hesiod LHS = ""
>  hesiod RHS = ""
> nss_ldap is disabled
>  LDAP+TLS is disabled
>  LDAP server = "ldap://10.0.6.150/"
>  LDAP base DN = "dc=disamcep,dc=com"
> nss_nis is disabled
>  NIS server = ""
>  NIS domain = ""
> nss_nisplus is disabled
> nss_winbind is disabled
>  SMB workgroup = "MYGROUP"
>  SMB servers = ""
>  SMB security = "user"
>  SMB realm = ""
>  Winbind template shell = "/bin/false"
>  SMB idmap uid = "16777216-33554431"
>  SMB idmap gid = "16777216-33554431"
> nss_wins is disabled
> pam_unix is always enabled
>  shadow passwords are enabled
>  md5 passwords are enabled
> pam_krb5 is disabled
>  krb5 realm = "EXAMPLE.COM"
>  krb5 realm via dns is disabled
>  krb5 kdc = "kerberos.example.com:88"
>  krb5 kdc via dns is disabled
>  krb5 admin server = "kerberos.example.com:749"
> pam_ldap is enabled
>
>  LDAP+TLS is disabled
>  LDAP server = "ldap://10.0.6.150/"
>  LDAP base DN = "dc=disamcep,dc=com"
> pam_pkcs11 is disabled
>
>  use only smartcard for login is disabled
>  smartcard module = "coolkey"
>  smartcard removal action = "Ignore"
> pam_smb_auth is disabled
>  SMB workgroup = "MYGROUP"
>  SMB servers = ""
> pam_winbind is disabled
>  SMB workgroup = "MYGROUP"
>  SMB servers = ""
>  SMB security = "user"
>  SMB realm = ""
> pam_cracklib is enabled (try_first_pass retry=3)
> pam_passwdqc is disabled ()
> Always authorize local users is enabled ()
> Authenticate system accounts against network services is disabled
>
>
>

Re: pam_ldap on CentOS passed INCORRECT is local account doesn't exist

by lavermil

patrick,

Tried that, no love. I don't have an objectClass of posixAccount. Am I
missing something?

On Fri, Aug 29, 2008 at 7:03 AM, Patrick Shinpaugh <shpatric@...> wrote:

> I use openldap on centos 5.1 without any problems. My /etc/pam.d/system-auth
> looks the same as yours. Try modifying your /etc/ldap.conf - see nss_base_*
> and pam_* below
>
>
> uri ldap://localhost:389
> # uri ldap://ldap.some.domain.org:389
> base dc=some,dc=domain,dc=org
>
> nss_base_passwd ou=People,dc=some,dc=domain,dc=org
> nss_base_shadow ou=People,dc=some,dc=domain,dc=org
> nss_base_group ou=Group,dc=some,dc=domain,dc=org
> nss_base_hosts ou=Hosts,dc=some,dc=domain,dc=org
>
> rootbinddn cn=rootbinder,dc=some,dc=domain,dc=org    # if used need to add
> /etc/ldap.secret
> binddn cn=binderman,dc=some,dc=domain,dc=org
> bindpw sillypassword
>
> pam_login_attribute uid
> pam_filter objectClass=posixAccount
> pam_member_attribute memberUid
>
> pam_password exop     # use exop if ldap is also used with non-linux clients
> so password is recognizable
>
> ssl no
>
> timelimit 10
> bind_timelimit 10
> idle_timelimit 3600
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>
>
>
>
> --
> Patrick Shinpaugh
> Virginia Tech
> UVAG System Administrator/Programmer
> 540-231-2054
>
>

Re: pam_ldap on CentOS passed INCORRECT is local account doesn't exist

by lavermil

WOOHOO!!! I have solved my problem with a LOT of looking around and
nice responses from Weston and Patrick. Thank you for all your help.

To sum things up in case anyone else runs across this too.

OpenDS does not create the objectClass posixAccount or
extensibleObject by default. You will need to add these to use PAM. If
you have a default install of OpenDS then you will need to do the
following:

Add objectClass = nisKeyObject (requires many other attributes)
or
Add objectClass = extensibleObject (required for uidNumber)

Add uidNumber = <some UID number> (requires extensibleObject or nisKeyObject)
Add gidNumber = <some GID number>
Add homeDirectory = <some directory path for user accounts>

If all of that is there then you should have an output like I have
below after adding the attributes mentioned above to the default load
of test users.

#
# Output of all my fields.
#
dn: uid=user.2,ou=People,dc=disamcep,dc=com
objectClass: person
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: extensibleObject
objectClass: posixAccount
objectClass: top
postalAddress: Aarika Atpco$00900 Maple Street$New Orleans, KS  10857
postalCode: 10857
uid: user.2
description: This is the description for Aarika Atpco.
loginShell: /bin/bash
userPassword:: e1NTSEF9T3VSS1ViQ1hLUTJFdG9aNzRnamVqSTJFTDhjRm1uaG14anAvdmc9PQ=
 =
employeeNumber: 2
initials: AOA
givenName: Aarika
pager: +1 053 688 9803
mobile: +1 279 618 3901
cn: Aarika Atpco
telephoneNumber: +1 757 462 0301
sn: Atpco
street: 00900 Maple Street
homeDirectory: /home/user.2
homePhone: +1 003 428 0962
uidNumber: 1002
mail: user.2@...
l: New Orleans
st: KS
gidNumber: 1002



On Tue, Sep 2, 2008 at 1:18 PM, Lance Vermilion <pamldap@...> wrote:

> Hmm. I don't see a single ldap packet go out for the getent passwd
> user.2 or getent -s ldap passwd user.2.
>
> On Tue, Sep 2, 2008 at 12:14 PM, Weston Rogers <wrogers@...> wrote:
>>> Is the "getent passwd user.2" suppose to query the ldap server?
>>
>> Yeah, if that doesn't work you've got a wrong binddn, or some other
>> configuration setting that is making LDAP auth not work.
>>
>> Wes
>>
>
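The fix above comes down to the entry lacking what nss_ldap needs to synthesize a passwd(5) record, which is also why `getent passwd user.2` produced no LDAP traffic: with `passwd: files ldap` the lookup runs, but no entry matches nss_ldap's posixAccount search, so sshd never gets a valid user. Here is an added example (not code from the thread, OpenDS or nss_ldap) that checks an LDIF entry for the posixAccount attributes (RFC 2307 MUST: cn, uid, uidNumber, gidNumber, homeDirectory), evaluates Patrick's `pam_filter objectClass=posixAccount`, and builds the passwd line the entry yields. Both entries in the block are constructed: the first is the user.2 entry posted above cut down to the relevant attributes, the second is that same entry as the thread describes the default OpenDS test user, before posixAccount and the POSIX attributes were added.

```python
"""
Check an LDAP entry for what nss_ldap and pam_ldap need before 'getent passwd'
and an ssh login can work, which is where the thread ends up.

Added example; not code from the thread, OpenDS or nss_ldap. The required
attribute list is the posixAccount object class from RFC 2307. Both entries
are constructed from the thread's user.2 entry: one after the fix, one as the
thread describes the default OpenDS test user before the fix.
"""
import base64

# posixAccount MUST attributes (RFC 2307); loginShell is optional in the
# schema but a login without it is not very useful.
REQUIRED_POSIX_ATTRS = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")

ENTRY_AFTER_FIX = """\
dn: uid=user.2,ou=People,dc=disamcep,dc=com
objectClass: person
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: extensibleObject
objectClass: posixAccount
objectClass: top
uid: user.2
cn: Aarika Atpco
sn: Atpco
loginShell: /bin/bash
userPassword:: e1NTSEF9T3VSS1ViQ1hLUTJFdG9aNzRnamVqSTJFTDhjRm1uaG14anAvdmc9PQ=
 =
homeDirectory: /home/user.2
uidNumber: 1002
gidNumber: 1002
"""

# Constructed: the same entry without posixAccount, uidNumber, gidNumber and
# homeDirectory, as the thread describes the default OpenDS entries.
ENTRY_BEFORE_FIX = """\
dn: uid=user.2,ou=People,dc=disamcep,dc=com
objectClass: person
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: top
uid: user.2
cn: Aarika Atpco
sn: Atpco
userPassword:: e1NTSEF9T3VSS1ViQ1hLUTJFdG9aNzRnamVqSTJFTDhjRm1uaG14anAvdmc9PQ==
"""


def parse_ldif(text):
    """Parse a single LDIF entry into {attribute_lowercase: [values]}.

    Folded lines (leading space) are joined and 'attr:: value' is base64
    decoded, which is how the thread's userPassword line is written.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def matches_filter(entry, ldap_filter):
    """Evaluate one equality filter such as pam_filter's 'objectClass=posixAccount'."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def missing_posix_attrs(entry):
    """List what keeps this entry from being a usable posixAccount."""
    missing = []
    if not matches_filter(entry, "objectClass=posixAccount"):
        missing.append("objectClass: posixAccount")
    for attr in REQUIRED_POSIX_ATTRS:
        if attr.lower() not in entry:
            missing.append(attr)
    return missing


def passwd_line(entry):
    """The passwd(5)-style line an NSS lookup yields from this entry.

    The password field is a placeholder (the hash stays in userPassword);
    nss_ldap falls back to cn for GECOS when there is no gecos attribute.
    """
    def first(attr, default=""):
        return entry.get(attr.lower(), [default])[0]
    return ":".join([first("uid"), "x", first("uidNumber"), first("gidNumber"),
                     first("gecos") or first("cn"), first("homeDirectory"),
                     first("loginShell")])


if __name__ == "__main__":
    for label, text in (("before", ENTRY_BEFORE_FIX), ("after", ENTRY_AFTER_FIX)):
        entry = parse_ldif(text)
        print(label, "missing:", missing_posix_attrs(entry) or "nothing")
        print(label, "passwd:", passwd_line(entry))
```

On the client the equivalent check is `getent passwd user.2`: until it prints the line this block builds, sshd cannot resolve the user and pam_ldap never sees the real password, regardless of how system-auth is ordered. With `pam_filter objectClass=posixAccount` in /etc/ldap.conf, the entry before the fix is also excluded from pam_ldap's own user search, so the filter is worth keeping even once NSS works.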