
Re: SLES9 and pam_ldap (LDAP bind instead of search request)

by Ralf Haferkamp


On Tuesday, 4 December 2007, BJP wrote:
> Thanks, Ralf.
>
> You asked, How do you come to the conclusion that your current setup
> doesn't use bind?
> My answer: Not sure but this is what the LDAP server log displays:
>
[..]

> [2007-12-04 12:30:26,745] conn=3098 op=0 BIND dn="" method=0 version=3
> [2007-12-04 12:30:26,746] conn=3098 op=0 RESULT err=0 tag=0 nentries=0 etime=0
> [2007-12-04 12:30:26,786] conn=3098 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
> [2007-12-04 12:30:26,790] conn=3098 op=1 RESULT err=0 tag=0 nentries=0 etime=4
>
> There is nothing in the user's BIND; all of the BINDs are for dn="", so I'm
> wondering if the pam_ldap is able to do user binding instead of password
> searching.
Right. But additionally, none of those searches returns a single entry (see
the "nentries=0"). Normally, what pam_ldap does during login is:
- a subtree search with a filter like this:
  "(&(objectclass=posixAccount)(uid=<userid>))"
  to find the DN of the user's LDAP entry. (These are the searches that
  you see above, I assume.)
- a bind request with the DN of the above LDAP entry and the password that the
  user entered. As the search didn't find any object, this does not happen in
  your case.

There can be various reasons why the searches don't find the user entries
(broken client/server configuration, access control restrictions, the users
do not exist in LDAP, ...). You should try to debug and fix this before you
try to get pam_ldap working.

> Here is my /etc/pam.d/sshd file:
> ##############################################
> # /etc/pam.d/sshd
> ##############################################
> #%PAM-1.0
> auth          required       pam_unix2.so    # set_secrpc
> auth          required       pam_nologin.so
> auth          required       pam_env.so
> account     required       pam_unix2.so
> account     required       pam_nologin.so
> password   required       pam_pwcheck.so
> password   required       pam_unix2.so    use_first_pass use_authtok
> session      required       pam_unix2.so    none # trace or debug
> session      required       pam_limits.so
> # Enable the following line to get resmgr support for
> # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
> #session  optional      pam_resmgr.so fake_ttyname
> auth          sufficient      pam_ldap.so
> account     sufficient      pam_ldap.so
> password   required        pam_ldap.so
> session      required        pam_mkhomedir.so skel=/etc/skel umask=0022

This config looks pretty broken to me (having "required pam_unix"
before "sufficient pam_ldap" doesn't seem to make sense to me). If you really
want to setup pam_ldap by yourself, you should probably read through the PAM
Admin Guide and the pam_ldap examples.

--
Ralf
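Added example (not part of the original thread, and not pam_ldap's or OpenLDAP's own code): a small Python script that applies the search-then-bind sequence Ralf describes to LDAP server log lines like the ones quoted above. For each connection it finds the user-lookup search, reads its "nentries", looks for a later BIND with a non-empty dn, and states which step of the pam_ldap login never happened. The sample log is constructed: conn=3098 reproduces the lines quoted in the thread, while conn=3099 and conn=3100 are hypothetical connections showing what a successful login and a wrong-password login look like in the same log format (the user DNs, the uid "alice"/"bob", method=128 for a simple bind and err=49 for invalidCredentials are assumptions for the sake of the example).

```python
import re
from collections import defaultdict

# Constructed sample log. conn=3098 is the sequence quoted in the thread
# (anonymous bind, search that finds nothing, so no user bind follows).
# conn=3099 and conn=3100 are hypothetical: search finds one entry, then a
# bind as the user's DN, succeeding (err=0) and failing (err=49).
SAMPLE_LOG = """\
[2007-12-04 12:30:26,745] conn=3098 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:30:26,746] conn=3098 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:30:26,786] conn=3098 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-04 12:30:26,790] conn=3098 op=1 RESULT err=0 tag=0 nentries=0 etime=4
[2007-12-04 12:31:02,100] conn=3099 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:31:02,101] conn=3099 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:31:02,120] conn=3099 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=alice))"
[2007-12-04 12:31:02,125] conn=3099 op=1 RESULT err=0 tag=0 nentries=1 etime=5
[2007-12-04 12:31:02,140] conn=3099 op=2 BIND dn="uid=alice,ou=people,ou=intranet,dc=motorola,dc=com" method=128 version=3
[2007-12-04 12:31:02,160] conn=3099 op=2 RESULT err=0 tag=97 nentries=0 etime=20
[2007-12-04 12:32:10,300] conn=3100 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:32:10,301] conn=3100 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:32:10,320] conn=3100 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=bob))"
[2007-12-04 12:32:10,325] conn=3100 op=1 RESULT err=0 tag=0 nentries=1 etime=5
[2007-12-04 12:32:10,340] conn=3100 op=2 BIND dn="uid=bob,ou=people,ou=intranet,dc=motorola,dc=com" method=128 version=3
[2007-12-04 12:32:10,360] conn=3100 op=2 RESULT err=49 tag=97 nentries=0 etime=20
"""

# "conn=N op=M VERB" at the start of the interesting part of each line.
HEADER_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|RESULT)\b')
# key=value pairs; dn, base and filter values are double-quoted in the log.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Pulls the uid out of the pam_ldap lookup filter.
UID_RE = re.compile(r'\(uid=([^)]+)\)')


def parse_log(text):
    """Group log lines by connection: conn -> {op: {verb, fields, result}}."""
    conns = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if not m:
            continue
        conn, op, verb = int(m.group(1)), int(m.group(2)), m.group(3)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
        entry = conns[conn].setdefault(op, {'verb': None, 'fields': {}, 'result': {}})
        if verb == 'RESULT':
            entry['result'] = fields          # RESULT belongs to the op it names
        else:
            entry['verb'] = verb
            entry['fields'] = fields
    return conns


def diagnose_connection(ops):
    """Check one connection against the pam_ldap sequence: lookup search, then user bind."""
    info = {'uid': None, 'nentries': None, 'user_bind_dn': None, 'bind_err': None}
    for op in sorted(ops):
        entry = ops[op]
        if entry['verb'] == 'SRCH':
            um = UID_RE.search(entry['fields'].get('filter', ''))
            if um:
                info['uid'] = um.group(1)
                info['nentries'] = int(entry['result'].get('nentries', 0))
        elif entry['verb'] == 'BIND' and entry['fields'].get('dn'):
            # A BIND with a non-empty dn is the user bind; dn="" is the anonymous one.
            info['user_bind_dn'] = entry['fields']['dn']
            info['bind_err'] = int(entry['result'].get('err', -1))
    if info['uid'] is None:
        info['verdict'] = 'no user lookup search on this connection'
    elif info['nentries'] == 0:
        info['verdict'] = ('lookup for uid=%s returned no entries, so pam_ldap never '
                           'attempts the user bind; fix base/filter/ACLs first' % info['uid'])
    elif info['user_bind_dn'] is None:
        info['verdict'] = 'entry found but no bind as the user DN was attempted'
    elif info['bind_err'] == 0:
        info['verdict'] = 'search found the entry and bind as %s succeeded' % info['user_bind_dn']
    else:
        info['verdict'] = 'bind as %s failed with err=%d' % (info['user_bind_dn'], info['bind_err'])
    return info


def diagnose(text):
    """Return {conn: diagnosis dict} for every connection in the log text."""
    return {conn: diagnose_connection(ops) for conn, ops in parse_log(text).items()}


if __name__ == '__main__':
    for conn, info in sorted(diagnose(SAMPLE_LOG).items()):
        print('conn=%d: %s' % (conn, info['verdict']))
```

Run it against a real server log (for example `python3 script.py < slapd.log` after replacing SAMPLE_LOG with `sys.stdin.read()`): a connection whose verdict stays at "returned no entries" is the search problem Ralf says to fix first; only once nentries is 1 and a BIND with the user's DN appears is pam_ldap actually checking the password.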
