[KLUG Members] making a linux machine auth against an ldap server.
Tyler Haske
dvorak.typist at gmail.com
Thu Nov 10 00:33:48 EST 2005
Not working, I'll come back to it tommorrow.
Is there a way to tell what pam_ldap.so is doing?
tried tail -f /var/log/auth, just some stuff about the last module not
working. I have account, auth, password, and session filled with
sufficient pam_ldap.so as the first hit.
I have no idea if /etc/pam_ldap.conf is close to correct.
-----------------------------
###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure to configure this file
#
# @(#)$Id: ldap.conf,v 1.36 2005/03/23 08:29:59 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit)
host dir.wmich.edu
# The distinguished name of the search base.
base ou=people,o=wmich.edu,dc=wmich,dc=edu
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu
# The credentials to bind with.
# Optional: default is no credential.
bindpw ********
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=net
# The port.
# Optional: default is 389.
port 389
# The search scope.
scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind/connect timelimit
#bind_timelimit 30
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
pam_filter objectclass=uid
# The user ID attribute (defaults to uid)
pam_login_attribute wmuuid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password crypt
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
pam_password clear_remove_old
#pam_password nds
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change
your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
# attribute/objectclass mapping
# Syntax:
nss_map_attribute uid wmuuid #nss_map_attribute rfc2307attribute
mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer no
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
thanks again. good night for now.
Adam Tauno Williams wrote:
>>>>its a sun ONE directory SASL GSSAPI. :).
>>>
>>>Ok. Is your machine/workstation part of the Kerberos domain?
>>
>>I have no idea.
>
>
> Then we will assume not.
>
>
>>I'm told kerberos is _bad_.
>
>
> Rubbish, Kerberos V is amazing technology and has been adopted by EVERY
> modern platform including M$-Windows.
>
>
>>I was also told that the
>>whole point of doing ldap was cause it was easier than doing kerberos.
>
>
> The two things are not really the same thing at all (apples & oranges),
> although they can both be used to perform authentication. Kerberos and
> LDAP fit *VERY* nicely together.
>
>
>>>>I can't get anonymous queries working. I've been using a DN to do queries.
>>>>ldapsearch -H ldap://dir.wmich.edu -D
>>>>uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu -W -x -b
>>>>ou=people,o=wmich.edu,dc=wmich,dc=edu -s sub 'uid=*******'
>>>
>>>Well, simple binds seem to be working. I assume the oitlabs is a
>>>quasi-generic context used for searching the DSA to locate the uid (or
>>>wmuuid)?
>>
>>oitlabs is part of the DN used to bind.,
>>the context used to search is ou=people,o=wmich.edu,dc=wmich,dc=edu
>>uid=UNIFIED_LOGIN_NAME wmuuid
>>returning the users DN to bind against the ldap.
>>mine is
>>DN: wmuUID=SOME_SUCH,ou=people,o=wmich.edu,dc=wmich,dc=edu
>>then they are supposed to bind with that and THEIR password :)
>
>
> Right, this all sounds normal and very RFC2307ish.
>
>
>> Have you set the binddn/bindpw in /etc/ldap.conf to this DN
>>
>>>and secret?
>>
>>Yes, its hard to test with all the requisite files being incorrect/correct.
>
>
> This looks like it should pretty much work out of the box. What
> specific error messages are you seeing when trying to authenticate.
>
>
>> Depending on what a user object looks like you probably
>>
>>>need to adjust pam_filter, pam_login_attribute, and do some attribute
>>>mapping. For example add "nss_map_attribtue uid wmuuid" to make the uid
>>>value come from the wmuuid atribute. I've never used a Sun ONE
>>>directory server so I don't know what the schema looks like, I'd assume
>>>it contains information at least equivalent to the schema provided by
>>>RFC2307.
>>>Is the server providing a posixAccount for accounts? Or are you going
>>>to use PAM for authentication but use the local files for NSS? (not
>>>using the LDAP DSA as an NSS source).
>>
>>the posixAccount field is there, but I'm not sure if thats set up or
>>not, I'm going to worry about that next. I'll do local files for users
>>for now.
>
>
> setup? Either the object returned by the search is a posixAccount or it
> isn't. Does the object returned contain a "uid" attribute in addition
> to the wmuuid attribute?
>
>
>>>>that query with the correct password returns the entry I want, inside
>>>>of the entry there is a wmuuid field that has the username your
>>>>SUPPOSED to connect to the ldap server with, to authenticate.
>>>>when I try using TLS or SASL I get this.
>>>>error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>>>verify failed
>>>
>>>You aren't even getting to SASL then. Try setting "TLS_REQCERT never"
>>>in /etc/openldap/ldap.conf.
>>>Can you acquire Kerberos tickets?
>>
>>No idea what a kerberos ticket is.
>
>
> Thats ok, it doesn't look like you need one.
>
>
>>did you know if you look hard enough for ldap stuff, you stuble across a
>>huge 500 slide presentation?
>
>
> Yep, that is because LDAP is a generic tool used to solve an enormous
> array of problems.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Members mailing list
> Members at kalamazoolinux.org
>
More information about the Members
mailing list