Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[gentoo-user] ldap client authentication

74 views
Skip to first unread message

James

unread,
Nov 3, 2010, 12:30:02 PM11/3/10
to
Folks,

I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress.

Here's the rundown of how things are configured (fairly straight forward):

- OpenDS server has the following entry (gathered directly from ldapsearch output), below. Note that clearly the LDAP server is properly configured if it's responding to an ldapsearch on the client with no problems.


ldap ~ # ldapsearch -H ldap://auth.whatever.com "objectclass=posixAccount"
dn: cn=tb,ou=it,dc=whatever,dc=com
uid: tb
initials: tb
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
givenName: Thomas
cn: tb
sn: Bellview
telephoneNumber: 333.555.3333
homeDirectory: /home/tb
uidNumber: 10001
mail: t...@whatever.com
gidNumber: 10001


- /etc/ldap.conf
base ou=it,dc=whatever,dc=com
uri ldaps://auth.whatever.com
ldap_version 3
tls_reqcert allow
pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
nss_base_passwd ou=it,dc=whatever,dc=com
nss_base_shadow ou=it,dc=whatever,dc=com
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,www-data
timelimit 5
bind_timelimit 5


- Likewise, /etc/openldap/ldap.conf
BASE   ou=it,dc=whatever,dc=com
URI     ldaps://auth.whatever.com
TLS_REQCERT allow
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never


Simple problem: authentication fails. On the CLIENT I see the following in the log files:

==> auth.log <==
Nov  3 06:26:03 s_d...@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com


On the SERVER I see the following:

[03/Nov/2010:06:27:05 -0400] CONNECT conn=314 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=314 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=314 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=1 msgID=2 result=0 nentries=1 etime=1
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=2 msgID=3 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=2 msgID=3 result=0 nentries=1 etime=1
[03/Nov/2010:06:27:05 -0400] CONNECT conn=315 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=315 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectclass=posixAccount)(uid=tb))" attrs="ALL"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=315 op=1 msgID=2 result=0 nentries=1 etime=0
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=2 msgID=3 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=2 msgID=3 result=0 authDN="" etime=0
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=315 reason="Client Disconnect"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=314 reason="Client Disconnect"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=309 reason="Client Disconnect"


Looks fine, right? Well not really. If I run an ldapsearch *exactly* as it appears in the SERVER's log, it returns the user.

ldap ~ # ldapsearch -H ldap://auth.whatever.com -b "ou=it,dc=whatever,dc=com" "(&(objectclass=posixAccount)(uid=tb))"
# extended LDIF
#
# LDAPv3
# base <ou=it,dc=whatever,dc=com> with scope subtree
# filter: (&(objectclass=posixAccount)(uid=tb))
# requesting: ALL
#

# tb, it, whatever.com
dn: cn=tb,ou=it,dc=whatever,dc=com
uid: tb
initials: tb
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
givenName: Thomas
cn: tb
sn: Bellview
telephoneNumber: 333.555.3333
homeDirectory: /home/tb
uidNumber: 10001
mail: t...@whatever.com
gidNumber: 10001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


This has me pulling my hairs out. Clearly the manual ldapsearch works. The only thing I can think of is the "scope=wholeSubtree" or the "attrs=ALL" breaking the query; clearly the applied filters work without any issues.

Thoughts / ideas would be greatly appreciated.

-james

Stroller

unread,
Nov 3, 2010, 3:20:02 PM11/3/10
to

On 3/11/2010, at 4:25pm, James wrote:
...
I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress.

Here's the rundown of how things are configured (fairly straight forward):
...
==> auth.log <==
Nov  3 06:26:03 s_d...@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com

You've shown us all about your LDAP configuration, but nothing about your PAM configuration, or whether sshd or IMAP are configured to use PAM.

Stroller.

James

unread,
Nov 3, 2010, 3:30:02 PM11/3/10
to
Straight from the Gentoo + LDAP page.

# pam ldap stuff
auth            sufficient      pam_ldap.so use_first_pass
account         sufficient      pam_ldap.so
password        sufficient      pam_ldap.so use_authtok use_first_pass
session         optional        pam_ldap.so

-james

James

unread,
Nov 4, 2010, 12:00:02 PM11/4/10
to
Bump -- any ideas?

In a tough spot right now trying to wrap this LDAP project up and I'm stuck. :(

-james

Adam Carter

unread,
Nov 4, 2010, 6:00:02 PM11/4/10
to


On Fri, Nov 5, 2010 at 2:51 AM, James <j...@nc.rr.com> wrote:
Bump -- any ideas?

In a tough spot right now trying to wrap this LDAP project up and I'm stuck. :(

-james


You seem to be using ldap sometimes and ldaps other times in your configs. Suggest you try getting everything working with ldap first, then convert everything to ldaps (to get SSL working) once you have the application layer sorted.

James

unread,
Nov 4, 2010, 8:10:01 PM11/4/10
to
LDAP and LDAPS work fine -- as I indicated, the ldapsearch queries
work without any issues. Thus the issue is, more or less, related
directly to PAM and LDAP together.

At some point during troubleshooting I switched to LDAP simply so that
I could sniff the packets going across the wire and see what was going
on.

This is purely a pam_ldap configuration problem as far as I can tell.

Any thoughts on how to go about troubleshooting this would be greatly
appreciated.

-james

James

unread,
Nov 5, 2010, 12:50:02 AM11/5/10
to
Things just got more interesting.

I just copied my /etc/ldap.conf file over from my Gentoo box to an
Ubuntu box -- it works without a single hitch.

I'm about to rip my hair out here...any ideas on where I can start
troubleshooting this?

- openssh versions are very similar
- newer nss_ldap on gentoo
- newer pam_ldap on gentoo

Thoughts would be greatly appreciated.

-james

Ward Poelmans

unread,
Nov 5, 2010, 6:30:02 AM11/5/10
to
On Fri, Nov 5, 2010 at 05:44, James <j...@nc.rr.com> wrote:
> Things just got more interesting.
>
> I just copied my /etc/ldap.conf file over from my Gentoo box to an
> Ubuntu box -- it works without a single hitch.
>
> I'm about to rip my hair out here...any ideas on where I can start
> troubleshooting this?

Put logging of PAM to the max and start looking in your pam logs. Your
ldap seems fine.

Ward

James

unread,
Nov 5, 2010, 1:10:01 PM11/5/10
to
It seems that the LDAP is failing to work, as well, in CentOS 5 --
same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.

What's the best way to star troubleshooting this from a PAM perspective?

I have a debug line set at the bottom of the ldap.conf file, but that
doesn't seem to be giving me enough information. Also, I've set
'debug' at the end of every line in my /etc/pam.d/system-auth file, to
no avail. Nothing is showing up in /var/log/debug -- PAM indicates
that the 'debug' keyword sends messages to syslog for processing.

Thoughts / ideas would be greatly appreciated.

Thanks!
-james

Ward Poelmans

unread,
Nov 5, 2010, 1:10:01 PM11/5/10
to
On Fri, Nov 5, 2010 at 17:41, James <j...@nc.rr.com> wrote:
> It seems that the LDAP is failing to work, as well, in CentOS 5 --
> same ldap.conf file that (a) fails in Gentoo, and (b) works in Ubuntu.
>
> What's the best way to star troubleshooting this from a PAM perspective?
>
> I have a debug line set at the bottom of the ldap.conf file, but that
> doesn't seem to be giving me enough information. Also, I've set
> 'debug' at the end of every line in my /etc/pam.d/system-auth file, to
> no avail. Nothing is showing up in /var/log/debug -- PAM indicates
> that the 'debug' keyword sends messages to syslog for processing.

adding the debug keyword to the pam module doesn't do anything but in ldap.conf:
logdir <directory>
Specifies the directory used for logging by the LDAP client
library. This feature is not supported by all client libraries.
debug <level>
Specifies the debug level used for logging by the LDAP client
library. This feature is not supported by all client libraries, and
does not apply to the nss_ldap and pam_ldap modules themselves
(debugging, if any, is configured separately and usually at compile
time).

Ward

James

unread,
Nov 5, 2010, 4:10:02 PM11/5/10
to
Yes, I have both of these options enabled:

logdir <somedir>
debug 256

The logdir is filled with empty files that, in the name of the file,
has the pid of the pam process. However, these files are empty and
they do not have anything in them.

Thoughts?

-james

Ward Poelmans

unread,
Nov 5, 2010, 5:10:02 PM11/5/10
to
On Fri, Nov 5, 2010 at 20:46, James <j...@nc.rr.com> wrote:
> The logdir is filled with empty files that, in the name of the file,
> has the pid of the pam process. However, these files are empty and
> they do not have anything in them.
>
> Thoughts?

Try putting the compile time debugging options on?

Ward

James

unread,
Nov 7, 2010, 5:10:02 PM11/7/10
to
I've enabled compile-time debug flags, to no avail.

I did some troubleshooting for several hours last night and discovered
something interesting -- the LDAP server is responding with a SUCCESS
message to the bind request, but PAM (for whatever reason) is still
denying my login request.

Here's the output of a sniffer capture between the client and the LDAP server:

bindResponse
resultCode: success (0)

The /var/log/auth.log file indicates the following:

==> auth.log <==
Nov 3 06:24:00 s_d...@auth.whatever.com sshd[11393]: error: PAM:
Authentication failure for illegal user tb from 10.9.3.153
Nov 3 06:24:00 s_d...@auth.whatever.com sshd[11393]: Failed
keyboard-interactive/pam for invalid user tb from 10.9.3.153 port
56665 ssh2
Nov 3 06:24:00 s_d...@auth.whatever.com sshd[11396]:
pam_tally2(sshd:auth): pam_get_uid; no such user


My /etc/pam.d/system-auth file is pretty much verbatim what is listed here:

http://www.gentoo.org/doc/en/ldap-howto.xml

Also, my /etc/nsswitch.conf file has "files" and "ldap" in the
appropriate places.

passwd: files ldap
shadow: files ldap
group: files ldap

Thoughts would be greatly appreciated -- I'm almost there! I just need
to figure out why PAM isn't playing nice with LDAP authentication.

-james

I'm so close I can taste it. :) Any thoughts or ideas on how to fix


this would be greatly appreciated.

0 new messages