LDAP login issue


Mirage74

Dec 7, 2016, 4:47:50 AM
to CoreOS User
I'm trying to connect my CoreOS machine to my LDAP server. 

I get an answer when I use the command 'id'. However, I get the following error when I try to log in with my user.
Dec 06 16:35:04 localhost systemd[1]: Started OpenSSH per-connection server daemon (x.x.x.x:60759).
Dec 06 16:35:04 localhost sshd[1637]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot open shared object file: No such file or directory


Here is my sssd configuration:
cat /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ssh
domains = LDAP

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[nss]

[domain/LDAP]
debug_level = 5
id_provider = ldap
auth_provider = ldap
ldap_schema = ipa
ldap_search_base = dc=mydomain,dc=co,dc=il
ldap_uri = ldap://ldap21v.mydomain.co.il
case_sensitive = false


Here is my PAM configuration:
cat /etc/pam.d/sshd 
auth      sufficient  pam_unix.so
auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
auth      required    pam_deny.so

account   required    pam_unix.so
account   sufficient  pam_ldap.so minimum_uid=1000
account   required    pam_permit.so

session   required    pam_unix.so
session   optional    pam_ldap.so minimum_uid=1000

password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  sufficient  pam_ldap.so minimum_uid=1000 try_first_pass
password  required    pam_deny.so


Please advise
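The "PAM unable to dlopen(/lib64/security/pam_ldap.so)" line in the log above means sshd's PAM stack references a module that is not installed. The following script is an added example (it is not from the thread and not CoreOS code): it parses a PAM service file, lists the modules it references and reports any that are missing from a given module directory. The stack is a constructed copy of the /etc/pam.d/sshd posted above, and the module directory path is taken from the log line.

```shell
#!/bin/sh
# Added example, not from the thread: list the modules a PAM service file
# references and report any that are missing from the module directory.
# "PAM unable to dlopen(...)" in the sshd log means exactly such a missing
# module; CoreOS does not ship pam_ldap.so because sssd provides pam_sss.so.

# Constructed copy of the /etc/pam.d/sshd stack from the first message.
PAM_SSHD=$(cat <<'EOF'
auth      sufficient  pam_unix.so
auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
auth      required    pam_deny.so
account   required    pam_unix.so
account   sufficient  pam_ldap.so minimum_uid=1000
account   required    pam_permit.so
session   required    pam_unix.so
session   optional    pam_ldap.so minimum_uid=1000
password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  sufficient  pam_ldap.so minimum_uid=1000 try_first_pass
password  required    pam_deny.so
EOF
)

# pam_modules STACK -> unique module file names (third field); comment lines
# and short lines such as "@include common-auth" are skipped
pam_modules() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 3 { print $3 }' | sort -u
}

# missing_pam_modules STACK MODULE_DIR -> prints modules absent from MODULE_DIR;
# returns 0 when every referenced module exists, 1 otherwise
missing_pam_modules() {
    rc=0
    for m in $(pam_modules "$1"); do
        if [ ! -f "$2/$m" ]; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the module directory named in the thread's log
# (/lib64/security on CoreOS; other distributions use a different path).
missing_pam_modules "$PAM_SSHD" /lib64/security \
    || echo "sshd stack references modules that cannot be loaded" >&2
```

Run this before restarting sshd after any change under /etc/pam.d: a module that cannot be loaded is treated as a failure for that line, and with `sufficient pam_unix.so` first in the stack only local accounts can still log in.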

Brandon Philips

Dec 7, 2016, 1:20:56 PM
to Mirage74, CoreOS User, Matthew Garrett
Hello Mirage-

I don't think you need to edit the /etc/pam.d to add pam_ldap. Where did you find those instructions?

Thank You,

Brandon


Omri W

Dec 7, 2016, 2:20:03 PM
to CoreOS User, omriwo...@gmail.com, mj...@coreos.com
Hi Brandon,
I don't exactly remember. I didn't find good instructions on how to set up LDAP in CoreOS, so these instructions are probably related to another Linux distribution. I guess that nothing really reads that configuration file, so it's like I don't have any configuration. Isn't it?

I desperately need help with that. I've been stuck on that for too much time :(

Since I get an answer for 'id myuser', I guess that I have some kind of connection with my LDAP server, but I'm still not able to log in due to the error I've added to my previous message.

What is the right configuration? (The default one; I don't have any unique requirements.)

The following instructions don't work for me:

Mirage74

Dec 8, 2016, 5:41:16 AM
to CoreOS User, omriwo...@gmail.com, mj...@coreos.com
Brandon,
I've found the following conversation: 

It seems that my issue is related to PAM, and as far as I understood from that conversation, PAM isn't supported in CoreOS. Isn't it?

Please advise.

Michael Marineau

Dec 8, 2016, 3:26:36 PM
to Mirage74, CoreOS User, Matthew Garrett
We do support PAM these days, but we do not ship pam_ldap as sssd
handles that functionality and the PAM configuration we ship is ready
to use sssd as-is. So to enable LDAP you only should need to configure
and start sssd as documented at
https://coreos.com/os/docs/latest/sssd.html

Perhaps those instructions didn't work because of the bad pam_ldap
config you added? Be sure to remove that before continuing with sssd.

Matthew Garrett

Dec 8, 2016, 5:11:24 PM
to Michael Marineau, Mirage74, CoreOS User
Yes, it sounds like the configuration is working correctly since id is
working. Just delete the reference to pam_ldap.

Mirage74

Dec 11, 2016, 5:53:38 AM
to CoreOS User, michael....@coreos.com, omriwo...@gmail.com
It's still not working.

journalctl -f

Dec 11 09:56:17 localhost systemd[1]: Started OpenSSH per-connection server daemon (x.x.x.x:64704).
Dec 11 09:56:32 localhost sshd[1180]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=myuser
Dec 11 09:56:34 localhost sshd[1178]: PAM: Authentication failure for myuser from x.x.x.x


Here is my current PAM configuration after removing pam_ldap:
cat /etc/pam.d/sshd
auth      sufficient  pam_unix.so
auth      required    pam_deny.so

account   required    pam_unix.so
account   required    pam_permit.so

session   required    pam_unix.so

password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  required    pam_deny.so


Please advise

Michael Marineau

Dec 11, 2016, 2:55:06 PM
to Mirage74, coreos-user
Delete your custom PAM configuration in /etc. The default PAM config under /usr enables sssd.

Mirage74

Dec 12, 2016, 5:31:20 AM
to CoreOS User, omriwo...@gmail.com
Hi Michael,
I've deleted the configuration file in /etc, as you suggested, and I'm still not able to log in. Here are the logs:
Dec 12 09:33:07 localhost sshd[3298]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=myuser
Dec 12 09:33:07 localhost sshd[3298]: pam_sss(sshd:auth): received for user myuser: 7 (Authentication failure)
Dec 12 09:33:11 localhost sshd[3298]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=myuser
Dec 12 09:33:14 localhost sshd[3296]: PAM: Authentication failure for myuser from x.x.x.x

Please advise.

Mirage74

Dec 15, 2016, 4:43:22 PM
to CoreOS User, omriwo...@gmail.com
Still need help with this. Anyone?

Brandon Philips

Dec 15, 2016, 4:48:56 PM
to Mirage74, CoreOS User, Michael Marineau
Are there logs from your LDAP server you can get access to?

Mirage74

Dec 15, 2016, 4:56:02 PM
to CoreOS User, omriwo...@gmail.com, michael....@coreos.com
Yes, I can access the server with a local user.

I posted the log from sssd two messages above. I can post any other logs if needed.

Brandon Philips

Dec 15, 2016, 6:18:58 PM
to Mirage74, CoreOS User, michael....@coreos.com
I mean logs from the LDAP server to confirm you are getting the LDAP query you expect out of sssd.

Michael Marineau

Dec 15, 2016, 6:31:26 PM
to Brandon Philips, Mirage74, coreos-user
I just remembered an issue that isn't reflected in our short documentation. Out of principle sssd refuses to authenticate over insecure connections while it will allow NSS lookups. So be sure to use an ldaps:// URL instead of plain ldap. We should add that note to the doc and change the example to include typical certificate configuration options.
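The symptom Michael describes (NSS lookups such as 'id' succeed while every login fails with pam_sss "Authentication failure") can be caught by inspecting the URI scheme in sssd.conf before starting the service. The script below is an added example, not from the thread and not CoreOS documentation. The sample configuration is a constructed copy of the one posted at the top of the thread with the URI switched to ldaps:// and the standard sssd-ldap(5) options ldap_tls_cacert and ldap_tls_reqcert added; the CA bundle path is a placeholder for the site's own CA.

```shell
#!/bin/sh
# Added example, not from the thread: check the LDAP transport in an sssd.conf
# before starting sssd. sssd will not send passwords over an unencrypted
# connection, so a plain ldap:// URI can leave 'id' working (NSS lookups)
# while every ssh login fails with pam_sss "Authentication failure".

# Constructed sssd.conf based on the one posted in the thread, with the URI
# changed to ldaps:// and certificate options from sssd-ldap(5) added.
# The CA bundle path is a placeholder for the site's own CA.
SAMPLE_CONF=$(cat <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = ipa
ldap_search_base = dc=mydomain,dc=co,dc=il
ldap_uri = ldaps://ldap21v.mydomain.co.il
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = demand
case_sensitive = false
EOF
)

# get_opt CONF KEY -> value of the first "KEY = value" line (spaces around '=' tolerated)
get_opt() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# check_auth_transport CONF
#   0: ldaps:// URI with an explicit CA bundle for certificate verification
#   1: plain ldap:// URI (sssd will refuse to authenticate over it)
#   2: ldaps:// but no ldap_tls_cacert, so verification depends on the
#      system's ldap.conf / trust store defaults
#   3: ldap_uri missing or unrecognised
check_auth_transport() {
    uri=$(get_opt "$1" ldap_uri)
    cacert=$(get_opt "$1" ldap_tls_cacert)
    case "$uri" in
        ldaps://*)
            [ -n "$cacert" ] && return 0
            echo "warning: $uri without ldap_tls_cacert" >&2
            return 2 ;;
        ldap://*)
            echo "refused: $uri is unencrypted; use ldaps:// instead" >&2
            return 1 ;;
        *)
            echo "error: ldap_uri is missing or unrecognised: '$uri'" >&2
            return 3 ;;
    esac
}

# Stand-alone run against the constructed sample.
check_auth_transport "$SAMPLE_CONF" && echo "sssd.conf transport OK"
```

Point get_opt and check_auth_transport at the real file with `check_auth_transport "$(cat /etc/sssd/sssd.conf)"`; the return code distinguishes the refused plain-ldap case (1) from a working but unverified TLS setup (2), which is the case to fix next by pointing ldap_tls_cacert at the CA that signed the LDAP server's certificate.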


Ivan

Dec 19, 2016, 7:32:21 PM
to CoreOS User, brandon...@coreos.com, omriwo...@gmail.com
Could you post sssd_LDAP logs for "sudo su - myuser" from CoreOS instance?

Tarikur Rahaman

Nov 25, 2017, 12:48:00 AM
to CoreOS User
My sssd configuration is working perfectly, but I'm unable to get sudo access.

calico-02 ~ # sudo su - tarikur.rahaman
Update Strategy: No Reboots
tarikur.rahaman@calico-02 ~ $ sudo -s
Password:
tarikur.rahaman is not in the sudoers file.  This incident will be reported.