SLES9 and pam_ldap (LDAP bind instead of search request)


SLES9 and pam_ldap (LDAP bind instead of search request)

by BJP

How can one authenticate on Suse Linux 9.3 using LDAP bind instead of search requests?

The following post in 2004:

http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2004-06/0258.html

was never replied to online and wondered if anyone has the answer. I am challenged with this task as well.

Thank you for any feedback,
BJP

Re: SLES9 and pam_ldap (LDAP bind instead of search request)

by Ralf Haferkamp

On Thursday, 29 November 2007, BJP wrote:

> How can one authenticate on Suse Linux 9.3 using LDAP bind instead of
> search requests?
>
> The following post in 2004:
>
> http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2004-06/0258.html
>
> was never replied to online and wondered if anyone has the answer. I am
> challenged with this task as well.
That was probably never answered, because it is pretty bogus :). pam_ldap
always does authentication by an LDAP Bind. It never reads
the "userPassword" from the LDAP server for authentication.
The problem described in the above post might happen because nss_ldap (!) is
able to read the "userPassword" hash from the server and pam_unix or
pam_unix2 (!) takes that hash to verify it against the password typed in by
the user. If you have such a problem you can easily verify it by doing
a "getent passwd <ldapuser>" on your system. If that returns the password
hash amongst its output, you should adjust your LDAP server's access controls.

--
Ralf
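An added example (mine, not from the thread or from pam_ldap/nss_ldap) of the `getent passwd` check Ralf suggests: it inspects field 2 of a passwd line and reports whether a real hash came back through NSS instead of the "x"/"*" placeholder, and which scheme it is in. The `check_user` wrapper just runs getent; the sample lines are constructed.

```python
import subprocess
from typing import Optional

# Field-2 values that mean "no hash here": shadow placeholder or locked account.
PLACEHOLDERS = {"x", "*", "!", "!!", "", "NP", "*NP*", "LK", "*LK*"}


def hash_exposed(passwd_line: str) -> bool:
    """True if a passwd(5)-style line carries a usable password hash in field 2
    (a crypt "$id$..." value or an RFC 2307 "{SSHA}..." value that nss_ldap
    passed through from userPassword) instead of a placeholder."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) < 7:
        raise ValueError(f"not a passwd entry: {passwd_line!r}")
    return fields[1] not in PLACEHOLDERS


def hash_scheme(passwd_line: str) -> Optional[str]:
    """Name the scheme of an exposed hash so the admin knows what leaked:
    'ldap:{SCHEME}' for RFC 2307 style, 'crypt' for $id$ style, None if nothing."""
    if not hash_exposed(passwd_line):
        return None
    pw = passwd_line.split(":")[1]
    if pw.startswith("{") and "}" in pw:
        return "ldap:" + pw[: pw.index("}") + 1].upper()
    if pw.startswith("$"):
        return "crypt"
    return "unknown"


def check_user(username: str) -> Optional[bool]:
    """Run `getent passwd <user>` (the check Ralf suggests) and report whether
    the returned line exposes a hash. None means NSS does not know the user."""
    proc = subprocess.run(["getent", "passwd", username],
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return hash_exposed(proc.stdout.splitlines()[0])


# Constructed sample lines (not real accounts): shadowed, LDAP hash leaked, crypt hash leaked.
SAMPLE_OK = "alice:x:1000:100:Alice:/home/alice:/bin/bash"
SAMPLE_LEAK = "bob:{SSHA}Y2FmZWJhYmU=:1001:100:Bob:/home/bob:/bin/bash"
SAMPLE_CRYPT = "carol:$1$saltsalt$abcdefghijklmnopqrstuv:1002:100:Carol:/home/carol:/bin/bash"

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_LEAK, SAMPLE_CRYPT):
        name = line.split(":")[0]
        print(name, "EXPOSED" if hash_exposed(line) else "ok", hash_scheme(line))
```

If `check_user` reports True for an LDAP user, the fix is on the server side (restrict read access to userPassword), not in the PAM stack.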

Re: SLES9 and pam_ldap (LDAP bind instead of search request)

by BJP

I am VERY new to LDAP on SLES9, with little to no training, so can someone help with which configuration files need to be configured and daemons (re)started?  Basically, a step-by-step procedure to connect to a Solaris LDAP server from my SLES9 SP3 server using "bind" instead of "search" request?

Will going into YaST2, then go into Network Services, then LDAP Client Configuration be a quick and easy answer?  I actually prefer to know what configuration files are being configured and daemons restarted, so would appreciate the details.

Thank you very much,
BJP


Re: SLES9 and pam_ldap (LDAP bind instead of search request)

by Ralf Haferkamp

On Monday, 3 December 2007, BJP wrote:
> I am VERY new to LDAP on SLES9, with little to no training, so can someone
> help with which configuration files need to be configured and daemons
> (re)started?  Basically, a step-by-step procedure to connect to a Solaris
> LDAP server from my SLES9 SP3 server using "bind" instead of "search"
> request?
How do you come to the conclusion that your current setup doesn't use bind?

> Will going into YaST2, then go into Network Services, then LDAP Client
> Configuration be a quick and easy answer?
Yes. That should work.

> I actually prefer to know what configuration files are being configured and
> daemons restarted, so would appreciate the details.
Configfiles:

/etc/nsswitch.conf
/etc/ldap.conf
/etc/pam.d/* or /etc/security/pam_unix2.conf

Daemons to restart: at least nscd, probably others that need to be made aware
of the changed pam configuration (e.g. sshd, xdm).

--
Ralf

Re: SLES9 and pam_ldap (LDAP bind instead of search request)

by BJP

Thanks, Ralf.

You asked, "How do you come to the conclusion that your current setup doesn't use bind?"
My answer: Not sure, but this is what the LDAP server log displays:

[2007-12-04 12:29:25,191] conn=3095 fd=0 slot=0 connection from 10.0.42.17 to 10.0.42.17
[2007-12-04 12:29:25,198] conn=3095 op=0 SRCH base="cn=schema" scope=0 filter="(cn=schema)"
[2007-12-04 12:29:25,400] conn=3095 op=0 RESULT err=0 tag=0 nentries=1 etime=202
[2007-12-04 12:29:25,400] conn=3095 op=1 UNBIND
[2007-12-04 12:29:25,403] conn=3095 op=1 fd=0 closed - U1
[2007-12-04 12:30:11,336] conn=3096 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-04 12:30:11,339] conn=3096 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:30:11,340] conn=3096 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:30:11,381] conn=3096 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=poc))"
[2007-12-04 12:30:11,413] conn=3096 op=1 RESULT err=0 tag=0 nentries=0 etime=33
[2007-12-04 12:30:11,453] conn=3096 op=2 UNBIND
[2007-12-04 12:30:11,453] conn=3096 op=2 fd=0 closed - U1
[2007-12-04 12:30:17,092] conn=3097 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-04 12:30:17,094] conn=3097 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:30:17,095] conn=3097 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:30:17,135] conn=3097 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-04 12:30:17,140] conn=3097 op=1 RESULT err=0 tag=0 nentries=0 etime=5
[2007-12-04 12:30:23,356] conn=3097 op=2 BIND dn="" method=0 version=3
[2007-12-04 12:30:23,356] conn=3097 op=2 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:30:23,397] conn=3097 op=3 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-04 12:30:23,401] conn=3097 op=3 RESULT err=0 tag=0 nentries=0 etime=5
[2007-12-04 12:30:26,742] conn=3098 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-04 12:30:26,745] conn=3098 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:30:26,746] conn=3098 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:30:26,786] conn=3098 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-04 12:30:26,790] conn=3098 op=1 RESULT err=0 tag=0 nentries=0 etime=4

There is nothing in the user's BIND; all of the BINDs are for dn="", so I'm wondering if pam_ldap is able to do user binding instead of password searching.

Here is my /etc/pam.d/sshd file:
##############################################
# /etc/pam.d/sshd
##############################################
#%PAM-1.0
auth          required       pam_unix2.so    # set_secrpc
auth          required       pam_nologin.so
auth          required       pam_env.so
account     required       pam_unix2.so
account     required       pam_nologin.so
password   required       pam_pwcheck.so
password   required       pam_unix2.so    use_first_pass use_authtok
session      required       pam_unix2.so    none # trace or debug
session      required       pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so fake_ttyname
auth          sufficient      pam_ldap.so
account     sufficient      pam_ldap.so
password   required        pam_ldap.so
session      required        pam_mkhomedir.so skel=/etc/skel umask=0022

Any suggestions would be greatly appreciated,
BJP

Re: SLES9 and pam_ldap (LDAP bind instead of search request)

by Ralf Haferkamp

On Tuesday, 4 December 2007, BJP wrote:
> Thanks, Ralf.
>
> You asked, How do you come to the conclusion that your current setup
> doesn't use bind?
> My answer: Not sure but this is what the LDAP server log displays:
>
[..]

> [2007-12-04 12:30:26,745] conn=3098 op=0 BIND dn="" method=0 version=3
> [2007-12-04 12:30:26,746] conn=3098 op=0 RESULT err=0 tag=0 nentries=0
> etime=0
> [2007-12-04 12:30:26,786] conn=3098 op=1 SRCH
> base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2
> filter="(&(objectclass=posixAccount)(uid=xjc864))"
> [2007-12-04 12:30:26,790] conn=3098 op=1 RESULT err=0 tag=0 nentries=0
> etime=4
>
> There is nothing in the user's BIND; all of the BINDs are for dn="", so I'm
> wondering if the pam_ldap is able to do user binding instead of password
> searching.
Right. But additionally all of those searches do not return a single entry (see
the "nentries=0"). Normally what pam_ldap does during login is:
- a subtree search with a filter like this:
  "(&(objectclass=posixAccount)(uid=<userid>))"
  to find the DN of the user's LDAP Entry. (These are the searches that
  you see above, I assume.)
- a bind request with the DN of the above LDAP Entry and the password that the
  user entered. As the Search didn't find any object, this does not happen in
  your case.

There can be various reasons why the searches don't find the user entries
(broken client/server configuration, access control restrictions, the users
do not exist in LDAP, ...). You should try to debug and fix this before you
try to get pam_ldap working.

> Here is my /etc/pam.d/sshd file:
> ##############################################
> # /etc/pam.d/sshd
> ##############################################
> #%PAM-1.0
> auth          required       pam_unix2.so    # set_secrpc
> auth          required       pam_nologin.so
> auth          required       pam_env.so
> account     required       pam_unix2.so
> account     required       pam_nologin.so
> password   required       pam_pwcheck.so
> password   required       pam_unix2.so    use_first_pass use_authtok
> session      required       pam_unix2.so    none # trace or debug
> session      required       pam_limits.so
> # Enable the following line to get resmgr support for
> # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
> #session  optional      pam_resmgr.so fake_ttyname
> auth          sufficient      pam_ldap.so
> account     sufficient      pam_ldap.so
> password   required        pam_ldap.so
> session      required        pam_mkhomedir.so skel=/etc/skel umask=0022

This config looks pretty broken to me (having "required pam_unix"
before "sufficient pam_ldap" doesn't seem to make sense to me). If you really
want to set up pam_ldap by yourself, you should probably read through the PAM
Admin Guide and the pam_ldap examples.

--
Ralf
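A small log analyser, added here as an example (mine, not part of the thread or of pam_ldap), that reads server log lines in the format posted above and reports per connection where the search-then-bind sequence Ralf describes stopped: lookup returned nothing, user bind failed, or user bind succeeded. The sample log is constructed from the excerpts in this thread plus one invented successful login (conn 4000).

```python
import re
from collections import defaultdict

# Operation lines: "[ts] conn=N op=M KIND rest"; "connection from" lines have no op= and are skipped.
OP_RE = re.compile(r'^\[[^\]]+\]\s+conn=(\d+)\s+op=(\d+)\s+(\w+)\s*(.*)$')


def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_log(lines):
    """Group the log by connection and op, keeping only what the diagnosis needs:
    op type, bind DN, search filter, result err and nentries."""
    conns = defaultdict(dict)
    for line in lines:
        m = OP_RE.match(line.strip())
        if not m:
            continue
        conn, op, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
        entry = conns[conn].setdefault(op, {})
        if kind == "BIND":
            entry.update(type="BIND", dn=_field(r'dn="([^"]*)"', rest) or "")
        elif kind == "SRCH":
            entry.update(type="SRCH", filter=_field(r'filter="([^"]*)"', rest) or "")
        elif kind == "RESULT":  # attaches to the BIND/SRCH with the same op number
            entry["err"] = int(_field(r'err=(\d+)', rest) or -1)
            entry["nentries"] = int(_field(r'nentries=(\d+)', rest) or 0)
    return conns


def diagnose(ops):
    """Classify one connection against the sequence Ralf describes:
    anonymous bind -> search for the user's DN -> bind as that DN with the password."""
    ops = [ops[k] for k in sorted(ops)]
    searches = [o for o in ops if o.get("type") == "SRCH"]
    user_binds = [o for o in ops if o.get("type") == "BIND" and o.get("dn")]
    if user_binds:
        err = user_binds[-1].get("err")
        return "user bind succeeded" if err == 0 else f"user bind failed with err={err}"
    if searches and all(o.get("nentries", 0) == 0 for o in searches):
        return "lookup returned no entry, so no user bind was attempted"
    if searches:
        return "entry found but no user bind seen"
    return "no search and no user bind on this connection"


def diagnose_log(lines):
    return {conn: diagnose(ops) for conn, ops in parse_log(lines).items()}


# Constructed sample modelled on the excerpts in this thread: conn 3097 = lookup finds
# nothing, conn 3635 = DN found but bind rejected (err=49), conn 4000 = invented success.
BASE = 'base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2'
SAMPLE_LOG = f"""\
[2007-12-04 12:30:17,092] conn=3097 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-04 12:30:17,094] conn=3097 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:30:17,095] conn=3097 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:30:17,135] conn=3097 op=1 SRCH {BASE} filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-04 12:30:17,140] conn=3097 op=1 RESULT err=0 tag=0 nentries=0 etime=5
[2007-12-05 15:25:45,565] conn=3635 op=0 BIND dn="" method=0 version=3
[2007-12-05 15:25:45,565] conn=3635 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-05 15:25:45,605] conn=3635 op=1 SRCH {BASE} filter="(uid=xjc864)"
[2007-12-05 15:25:45,658] conn=3635 op=1 RESULT err=0 tag=0 nentries=1 etime=52
[2007-12-05 15:25:45,698] conn=3635 op=2 BIND dn="motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com" method=0 version=3
[2007-12-05 15:25:45,704] conn=3635 op=2 RESULT err=49 tag=0 nentries=0 etime=0
[2007-12-05 15:30:00,000] conn=4000 op=0 BIND dn="" method=0 version=3
[2007-12-05 15:30:00,001] conn=4000 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-05 15:30:00,040] conn=4000 op=1 SRCH {BASE} filter="(uid=xjc864)"
[2007-12-05 15:30:00,090] conn=4000 op=1 RESULT err=0 tag=0 nentries=1 etime=50
[2007-12-05 15:30:00,130] conn=4000 op=2 BIND dn="motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com" method=0 version=3
[2007-12-05 15:30:00,136] conn=4000 op=2 RESULT err=0 tag=0 nentries=0 etime=0
""".splitlines()
```

Run `diagnose_log(SAMPLE_LOG)` on a real log to see which stage fails for each login attempt; "lookup returned no entry" points at base, filter or ACLs, while err=49 on the user bind points at the password or the bound DN.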

Re: SLES9 and pam_ldap (LDAP bind instead of search request)

by BJP

Ralf,

I changed the /etc/pam.d/sshd file to look like this:

   #%PAM-1.0
   auth            sufficient      pam_ldap.so
   auth     required       pam_unix2.so    # set_secrpc
   auth     required       pam_nologin.so
   auth     required       pam_env.so
   #
   account         sufficient      pam_ldap.so
   account  required       pam_unix2.so
   account  required       pam_nologin.so
   #
   password        required        pam_ldap.so
   password required       pam_pwcheck.so
   password required       pam_unix2.so    use_first_pass use_authtok
   #
   session  required       pam_unix2.so    none # trace or debug
   session  required       pam_limits.so

and removed "pam_filter   objectclass=posixAccount".  Now I am getting err=49 (LDAP_INVALID_CREDENTIALS):

   [2007-12-05 15:25:45,562] conn=3635 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
   [2007-12-05 15:25:45,565] conn=3635 op=0 BIND dn="" method=0 version=3
   [2007-12-05 15:25:45,565] conn=3635 op=0 RESULT err=0 tag=0 nentries=0 etime=0
   [2007-12-05 15:25:45,605] conn=3635 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(uid=xjc864)"
   [2007-12-05 15:25:45,658] conn=3635 op=1 RESULT err=0 tag=0 nentries=1 etime=52
   [2007-12-05 15:25:45,698] conn=3635 op=2 BIND dn="motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com" method=0 version=3
   [2007-12-05 15:25:45,704] conn=3635 op=2 RESULT err=49 tag=0 nentries=0 etime=0
   [2007-12-05 15:25:45,744] conn=3635 op=3 BIND dn="" method=0 version=3
   [2007-12-05 15:25:45,745] conn=3635 op=3 RESULT err=0 tag=0 nentries=0 etime=0

But I cannot log in at all now and have to put back "pam_filter  objectclass=posixAccount" to be able to log in to my SLES9 server.  Can you shed any more light on this?  Do you think it has to do with the /etc/pam.d/sshd file?

Thanks,
BJP

RE: SLES9 and pam_ldap (LDAP bind instead of search request)

by BJP

RE: [pamldap] SLES9 and pam_ldap (LDAP bind instead of search request)

Hi Wade,

I SUCCESSFULLY ran the ldapsearch (you gave me) using the same password that I've always entered and was able to get a lot of information back...

      flcsdev1-2:/ # ldapsearch -h ldaptest.mot.com -b ou=people,ou=intranet,dc=motorola,dc=com -D motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com -W -v -x motguid=XJC864

      ldap_initialize( ldap://ldaptest.mot.com:390 )
      Enter LDAP Password:  {entered password here}
      filter: motguid=XJC864
      requesting: ALL
      # extended LDIF
      #
      # LDAPv3
      # base <ou=people,ou=intranet,dc=motorola,dc=com> with scope sub
      # filter: motguid=XJC864
      # requesting: ALL
      #

      # XJC864, people, intranet, motorola.com
      dn: motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com
      ...
      mail: XJC864@...
      uid: XJC864
      motGUID: XJC864
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      objectClass: motIntranetPerson
      objectClass: motapplications
      objectClass: motaccount
      ...

      # search result
      search: 2
      result: 0 Success

      # numResponses: 2
      # numEntries: 1
      flcsdev1-2:/ #

Here are the LDAP server log messages from the above CLI:

      [snip]
      [2007-12-06 10:23:39,198] conn=3940 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
      [2007-12-06 10:23:39,201] conn=3940 op=0
      BIND dn="motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com" method=0 version=3
      [2007-12-06 10:23:39,256] conn=3940 op=0 RESULT err=0 tag=0 nentries=0 etime=0
      [2007-12-06 10:23:39,297] conn=3940 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2
      filter="(motguid=XJC864)"
      [2007-12-06 10:23:39,358] conn=3940 op=1 RESULT err=0 tag=0 nentries=1 etime=62
      [2007-12-06 10:23:39,438] conn=3940 op=2 UNBIND
      [2007-12-06 10:23:39,438] conn=3940 op=2 fd=0 closed - U1

      [snap]

I compared this LDAP log output to the log output when ssh-ing into my SLES9 server:

login as: xjc864
Using keyboard-interactive authentication.
Password:

    [snip]

      [2007-12-06 10:26:51,417] conn=3942 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
      [2007-12-06 10:26:51,420] conn=3942 op=0
      BIND dn="" method=0 version=3
      [2007-12-06 10:26:51,421] conn=3942 op=0 RESULT err=0 tag=0 nentries=0 etime=0
      [2007-12-06 10:26:51,461] conn=3942 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2
      filter="(&(objectclass=posixAccount)(uid=xjc864))"
      [2007-12-06 10:26:51,482] conn=3942 op=1 RESULT err=0 tag=0 nentries=0 etime=22

    [snap]

Using keyboard-interactive authentication.
LDAP Password:
Access denied
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
LDAP Password:
Access denied
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
LDAP Password:
Last login: Wed Dec  5 16:26:42 2007 from 173.52.12.55
xjc864@flcsdev1-2:~>
        [snip]

      [2007-12-06 10:28:13,280] conn=3942 op=2 BIND dn="" method=0 version=3
      [2007-12-06 10:28:13,281] conn=3942 op=2 RESULT err=0 tag=0 nentries=0 etime=0
      [2007-12-06 10:28:13,321] conn=3942 op=3 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
      [2007-12-06 10:28:13,341] conn=3942 op=3 RESULT err=0 tag=0 nentries=0 etime=19
      [2007-12-06 10:28:15,711] conn=3943 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
      [2007-12-06 10:28:15,714] conn=3943 op=0 BIND dn="" method=0 version=3
      [2007-12-06 10:28:15,715] conn=3943 op=0 RESULT err=0 tag=0 nentries=0 etime=0
      [2007-12-06 10:28:15,755] conn=3943 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
      [2007-12-06 10:28:15,760] conn=3943 op=1 RESULT err=0 tag=0 nentries=0 etime=5
      [2007-12-06 10:28:17,288] conn=3943 op=2 BIND dn="" method=0 version=3
      [2007-12-06 10:28:17,289] conn=3943 op=2 RESULT err=0 tag=0 nentries=0 etime=0
      [2007-12-06 10:28:17,329] conn=3943 op=3 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
      [2007-12-06 10:28:17,334] conn=3943 op=3 RESULT err=0 tag=0 nentries=0 etime=5
      [2007-12-06 10:28:19,712] conn=3944 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
      [2007-12-06 10:28:19,714] conn=3944 op=0 BIND dn="" method=0 version=3
      [2007-12-06 10:28:19,715] conn=3944 op=0 RESULT err=0 tag=0 nentries=0 etime=0
      [2007-12-06 10:28:19,756] conn=3944 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
      [2007-12-06 10:28:19,761] conn=3944 op=1 RESULT err=0 tag=0 nentries=0 etime=5
      [2007-12-06 10:28:21,200] conn=3944 op=2 BIND dn="" method=0 version=3
      [2007-12-06 10:28:21,201] conn=3944 op=2 RESULT err=0 tag=0 nentries=0 etime=0
      [2007-12-06 10:28:21,241] conn=3944 op=3 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
      [2007-12-06 10:28:21,246] conn=3944 op=3 RESULT err=0 tag=0 nentries=0 etime=5
      [2007-12-06 10:28:21,287] conn=3944 op=4 BIND dn="" method=0 version=3
      [2007-12-06 10:28:21,288] conn=3944 op=4 RESULT err=0 tag=0 nentries=0 etime=0
      [2007-12-06 10:28:21,329] conn=3944 op=5 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
      [2007-12-06 10:28:21,333] conn=3944 op=5 RESULT err=0 tag=0 nentries=0 etime=4
      [2007-12-06 10:28:21,374] conn=3944 op=6 BIND dn="" method=0 version=3
      [2007-12-06 10:28:21,374] conn=3944 op=6 RESULT err=0 tag=0 nentries=0 etime=0
      [2007-12-06 10:28:21,416] conn=3944 op=7 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
      [2007-12-06 10:28:21,420] conn=3944 op=7 RESULT err=0 tag=0 nentries=0 etime=5

    [snap]

Looks like when ssh-ing into the SLES9 server the BIND is dn="" (it's empty) with filter="(&(objectclass=posixAccount)(uid=xjc864))",

but ldapsearch gives BIND dn="motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com" with filter="(motguid=XJC864)".

Is there something in my /etc/ldap.conf that needs to be changed? Here is what it looks like:

      #
      # This is the configuration file for the LDAP nameservice
      # switch library, the LDAP PAM module and the shadow package.
      #
      host    10.0.42.17:390
      base    ou=people,ou=intranet,dc=motorola,dc=com
      ldap_version    3
      bind_policy             soft
      ssl                     no

      pam_check_host_attr     yes
      pam_login_attribute     uid

      pam_password            clear

      pam_filter              objectclass=posixAccount
      #pam_filter             objectclass=motaccount

      nss_map_attribute       uniqueMember member
      nss_base_passwd ou=people,ou=intranet,dc=motorola,dc=com
      nss_base_shadow ou=people,ou=intranet,dc=motorola,dc=com
      nss_base_group  ou=people,ou=intranet,dc=motorola,dc=com

Thank you very much,
BJP


-----Original Message-----
From: Wade Fitzpatrick [Wade.Fitzpatrick@...]
Sent: Wednesday, December 05, 2007 7:52 PM
To: Pantejo Barbara-XJC864
Cc: pamldap@...
Subject: Re: [pamldap] SLES9 and pam_ldap (LDAP bind instead of search request)

So the user exists but the password is wrong. What happens when you run

$> ldapsearch -H ldap://server -b ou=people,ou=intranet,dc=motorola,dc=com -D motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com -W -v -x motguid=XJC864

Until you get that working, trying it with pam_ldap will be fruitless.

Wade.



Re: SLES9 and pam_ldap (LDAP bind instead of search request)

by BJP

After much trial and error, Ralf is correct. pam_ldap on SLES9 SP3 does authentication with LDAP Bind.

Thanks Ralf.

Rgds,
BJP

