« Return to Thread: SLES9 and pam_ldap (LDAP bind instead of search request)
Hi Wade,
I SUCCESSFULLY ran the ldapsearch (you gave me) using the same password that I've always entered and was able to get a lot of information back...
flcsdev1-2:/ # ldapsearch -h ldaptest.mot.com -b ou=people,ou=intranet,dc=motorola,dc=com -D motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com -W -v -x motguid=XJC864
ldap_initialize( ldap://ldaptest.mot.com:390 )
Enter LDAP Password: {entered password here}
filter: motguid=XJC864
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <ou=people,ou=intranet,dc=motorola,dc=com> with scope sub
# filter: motguid=XJC864
# requesting: ALL
#
# XJC864, people, intranet, motorola.com
dn: motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com
...
mail: XJC864@...
uid: XJC864
motGUID: XJC864
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: motIntranetPerson
objectClass: motapplications
objectClass: motaccount
...
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
flcsdev1-2:/ #
Here are the LDAP server log messages from the above CLI:
[snip]
[2007-12-06 10:23:39,198] conn=3940 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-06 10:23:39,201] conn=3940 op=0 BIND dn="motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com" method=0 version=3
[2007-12-06 10:23:39,256] conn=3940 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-06 10:23:39,297] conn=3940 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(motguid=XJC864)"
[2007-12-06 10:23:39,358] conn=3940 op=1 RESULT err=0 tag=0 nentries=1 etime=62
[2007-12-06 10:23:39,438] conn=3940 op=2 UNBIND
[2007-12-06 10:23:39,438] conn=3940 op=2 fd=0 closed - U1
[snap]
I compared this LDAP log output to the log output when ssh-ing into my SLES9 server:
login as: xjc864
Using keyboard-interactive authentication.
Password:
[snip]
[2007-12-06 10:26:51,417] conn=3942 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-06 10:26:51,420] conn=3942 op=0 BIND dn="" method=0 version=3
[2007-12-06 10:26:51,421] conn=3942 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-06 10:26:51,461] conn=3942 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-06 10:26:51,482] conn=3942 op=1 RESULT err=0 tag=0 nentries=0 etime=22
[snap]
Using keyboard-interactive authentication.
LDAP Password:
Access denied
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
LDAP Password:
Access denied
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
LDAP Password:
Last login: Wed Dec 5 16:26:42 2007 from 173.52.12.55
xjc864@flcsdev1-2:~>
[snip]
[2007-12-06 10:28:13,280] conn=3942 op=2 BIND dn="" method=0 version=3
[2007-12-06 10:28:13,281] conn=3942 op=2 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-06 10:28:13,321] conn=3942 op=3 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-06 10:28:13,341] conn=3942 op=3 RESULT err=0 tag=0 nentries=0 etime=19
[2007-12-06 10:28:15,711] conn=3943 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-06 10:28:15,714] conn=3943 op=0 BIND dn="" method=0 version=3
[2007-12-06 10:28:15,715] conn=3943 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-06 10:28:15,755] conn=3943 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-06 10:28:15,760] conn=3943 op=1 RESULT err=0 tag=0 nentries=0 etime=5
[2007-12-06 10:28:17,288] conn=3943 op=2 BIND dn="" method=0 version=3
[2007-12-06 10:28:17,289] conn=3943 op=2 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-06 10:28:17,329] conn=3943 op=3 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-06 10:28:17,334] conn=3943 op=3 RESULT err=0 tag=0 nentries=0 etime=5
[2007-12-06 10:28:19,712] conn=3944 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-06 10:28:19,714] conn=3944 op=0 BIND dn="" method=0 version=3
[2007-12-06 10:28:19,715] conn=3944 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-06 10:28:19,756] conn=3944 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-06 10:28:19,761] conn=3944 op=1 RESULT err=0 tag=0 nentries=0 etime=5
[2007-12-06 10:28:21,200] conn=3944 op=2 BIND dn="" method=0 version=3
[2007-12-06 10:28:21,201] conn=3944 op=2 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-06 10:28:21,241] conn=3944 op=3 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-06 10:28:21,246] conn=3944 op=3 RESULT err=0 tag=0 nentries=0 etime=5
[2007-12-06 10:28:21,287] conn=3944 op=4 BIND dn="" method=0 version=3
[2007-12-06 10:28:21,288] conn=3944 op=4 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-06 10:28:21,329] conn=3944 op=5 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-06 10:28:21,333] conn=3944 op=5 RESULT err=0 tag=0 nentries=0 etime=4
[2007-12-06 10:28:21,374] conn=3944 op=6 BIND dn="" method=0 version=3
[2007-12-06 10:28:21,374] conn=3944 op=6 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-06 10:28:21,416] conn=3944 op=7 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-06 10:28:21,420] conn=3944 op=7 RESULT err=0 tag=0 nentries=0 etime=5
[snap]
Looks like when ssh-ing into the SLES9 server the BIND is dn="" (it's empty) with filter="(&(objectclass=posixAccount)(uid=xjc864))",
but ldapsearch gives BIND dn="motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com" with filter="(motguid=XJC864)".
Is there something in my /etc/ldap.conf that needs to be changed? Here is what it looks like:
#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#
host 10.0.42.17:390
base ou=people,ou=intranet,dc=motorola,dc=com
ldap_version 3
bind_policy soft
ssl no
pam_check_host_attr yes
pam_login_attribute uid
pam_password clear
pam_filter objectclass=posixAccount
#pam_filter objectclass=motaccount
nss_map_attribute uniqueMember member
nss_base_passwd ou=people,ou=intranet,dc=motorola,dc=com
nss_base_shadow ou=people,ou=intranet,dc=motorola,dc=com
nss_base_group ou=people,ou=intranet,dc=motorola,dc=com
Thank you very much,
BJP
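The two log excerpts above show the two phases of a pam_ldap login: an anonymous BIND (the ldap.conf above sets no binddn), then a SRCH built from pam_login_attribute and pam_filter, and only if that search returns an entry a second BIND as the user's DN with the typed password. The following script is an added example for this thread, not code from the pam_ldap project or from either poster. It parses lines in the directory-server log format quoted above, pairs each BIND/SRCH with its RESULT per connection, and labels where in that sequence a login stalled. The sample log lines are copied from the thread's excerpts, and the objectClass list is the one returned by the ldapsearch above; the category names and explanations are the script's own.

```python
import re

# Log lines copied from the directory-server excerpts quoted in the thread
# (the ssh attempt on conn=3942 and the earlier attempt on conn=3635).
SAMPLE_LOG = """\
[2007-12-06 10:26:51,417] conn=3942 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-06 10:26:51,420] conn=3942 op=0 BIND dn="" method=0 version=3
[2007-12-06 10:26:51,421] conn=3942 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-06 10:26:51,461] conn=3942 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-06 10:26:51,482] conn=3942 op=1 RESULT err=0 tag=0 nentries=0 etime=22
[2007-12-05 15:25:45,565] conn=3635 op=0 BIND dn="" method=0 version=3
[2007-12-05 15:25:45,565] conn=3635 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-05 15:25:45,605] conn=3635 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(uid=xjc864)"
[2007-12-05 15:25:45,658] conn=3635 op=1 RESULT err=0 tag=0 nentries=1 etime=52
[2007-12-05 15:25:45,698] conn=3635 op=2 BIND dn="motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com" method=0 version=3
[2007-12-05 15:25:45,704] conn=3635 op=2 RESULT err=49 tag=0 nentries=0 etime=0
"""

# objectClass values of the user's entry, as returned by the ldapsearch in the thread.
SAMPLE_ENTRY_OBJECTCLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson",
                              "motIntranetPerson", "motapplications", "motaccount"]

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                     r'(?P<kind>BIND|SRCH|RESULT)(?P<rest>.*)$')
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_ops(log_text):
    """Group request (BIND/SRCH) and RESULT lines by (conn, op), in request order."""
    ops, order = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # "connection from", UNBIND and "closed" lines carry no op result
            continue
        key = (int(m['conn']), int(m['op']))
        attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(m['rest'])}
        rec = ops.setdefault(key, {'kind': None, 'attrs': {}, 'result': {}})
        if m['kind'] == 'RESULT':
            rec['result'] = attrs
        else:
            rec['kind'], rec['attrs'] = m['kind'], attrs
            order.append(key)
    return [(key, ops[key]) for key in order]


def diagnose(log_text):
    """Return (conn, op, category, explanation) tuples for the pam_ldap auth sequence."""
    findings = []
    for (conn, op), rec in parse_ops(log_text):
        a, r = rec['attrs'], rec['result']
        err = int(r.get('err', -1))
        nentries = int(r.get('nentries', 0))
        if rec['kind'] == 'BIND' and a.get('dn', '') == '':
            findings.append((conn, op, 'anonymous-bind',
                             'lookup phase: no binddn configured, user not yet identified'))
        elif rec['kind'] == 'BIND' and err == 49:
            findings.append((conn, op, 'invalid-credentials',
                             'bind as %s rejected (err=49): password phase reached' % a['dn']))
        elif rec['kind'] == 'BIND' and err == 0:
            findings.append((conn, op, 'user-bind-ok', 'bind as %s succeeded' % a['dn']))
        elif rec['kind'] == 'SRCH' and nentries == 0:
            findings.append((conn, op, 'no-entry',
                             'filter %s matched nothing under %s; no DN to bind as, so the '
                             'password is never checked' % (a.get('filter'), a.get('base'))))
        elif rec['kind'] == 'SRCH':
            findings.append((conn, op, 'entry-found',
                             '%d entry(ies) for %s' % (nentries, a.get('filter'))))
    return findings


def pam_filter_objectclasses(ldap_filter):
    """objectclass values a search filter demands, e.g. ['posixAccount'] for
    '(&(objectclass=posixAccount)(uid=xjc864))' (attribute name matched case-insensitively)."""
    return re.findall(r'\(objectclass=([^)]+)\)', ldap_filter, flags=re.IGNORECASE)


def entry_satisfies_filter(entry_objectclasses, ldap_filter):
    """True when every objectclass the filter requires is present on the entry."""
    have = {oc.lower() for oc in entry_objectclasses}
    return all(oc.lower() in have for oc in pam_filter_objectclasses(ldap_filter))


if __name__ == '__main__':
    for conn, op, cat, why in diagnose(SAMPLE_LOG):
        print('conn=%d op=%d %-19s %s' % (conn, op, cat, why))
    f = '(&(objectclass=posixAccount)(uid=xjc864))'
    print('entry satisfies %s: %s' % (f, entry_satisfies_filter(SAMPLE_ENTRY_OBJECTCLASSES, f)))
```

Run against the thread's lines, conn=3942 stops at `no-entry`: the entry returned by ldapsearch carries no posixAccount objectClass, so the pam_filter search matches nothing and pam_ldap never gets a DN to bind with. conn=3635 (filter without the objectclass term) reaches the user bind and reports `invalid-credentials`, which is a different failure and is worth telling apart from the first before changing /etc/ldap.conf or /etc/pam.d/sshd.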
-----Original Message-----
From: Wade Fitzpatrick [Wade.Fitzpatrick@...]
Sent: Wednesday, December 05, 2007 7:52 PM
To: Pantejo Barbara-XJC864
Cc: pamldap@...
Subject: Re: [pamldap] SLES9 and pam_ldap (LDAP bind instead of search request)
So the user exists but the password is wrong. What happens when you run
$> ldapsearch -H ldap://server -b ou=people,ou=intranet,dc=motorola,dc=com -D motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com -W -v -x motguid=XJC864
Until you get that working, trying it with pam_ldap will be fruitless.
Wade.
On Wed, 5 Dec 2007, BJP wrote:
>
> Ralf,
>
> I changed the /etc/pam.d/sshd file to look like this:
>
> #%PAM-1.0
> auth sufficient pam_ldap.so
> auth required pam_unix2.so # set_secrpc
> auth required pam_nologin.so
> auth required pam_env.so
> #
> account sufficient pam_ldap.so
> account required pam_unix2.so
> account required pam_nologin.so
> #
> password required pam_ldap.so
> password required pam_pwcheck.so
> password required pam_unix2.so use_first_pass use_authtok
> #
> session required pam_unix2.so none # trace or debug
> session required pam_limits.so
>
> and removed "pam_filter objectclass=posixAccount". Now I am getting
> err=49 (LDAP_INVALID_CREDENTIALS):
>
> [2007-12-05 15:25:45,562] conn=3635 fd=0 slot=0 connection from
> 145.2.132.126 to 10.0.42.17
> [2007-12-05 15:25:45,565] conn=3635 op=0 BIND dn="" method=0 version=3
> [2007-12-05 15:25:45,565] conn=3635 op=0 RESULT err=0 tag=0
> nentries=0 etime=0
> [2007-12-05 15:25:45,605] conn=3635 op=1 SRCH
> base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2
> filter="(uid=xjc864)"
> [2007-12-05 15:25:45,658] conn=3635 op=1 RESULT err=0 tag=0
> nentries=1
> etime=52
> [2007-12-05 15:25:45,698] conn=3635 op=2 BIND
> dn="motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com" method=0
> version=3
> [2007-12-05 15:25:45,704] conn=3635 op=2 RESULT err=49 tag=0
> nentries=0 etime=0
> [2007-12-05 15:25:45,744] conn=3635 op=3 BIND dn="" method=0 version=3
> [2007-12-05 15:25:45,745] conn=3635 op=3 RESULT err=0 tag=0
> nentries=0 etime=0
>
> But I cannot login at all now and have to put back "pam_filter
> objectclass=posixAccount" to be able to login to my SLES9 server. Can
> you shed any more light on this? Do you think it has to do with the
> /etc/pam.d/sshd file?
>
> Thanks,
> BJP
>