how to postgres active directory pam_ldap


how to postgres active directory pam_ldap

by dstensrud

Hello, I use Gentoo Linux and am desperately trying to get Postgres to authenticate using pam_ldap against Windows 2003 Active Directory. As far as I can tell, the only thing I needed to change in Postgres is in /var/lib/postgresql/data/pg_hba.conf. I added a config line to say:

local all derrick3 pam postgres

On the Active Directory end I added users and installed Microsoft Unix tools. Here is my /etc/ldap.conf file, which I think pam_ldap uses.

/etc/ldap.conf
#####################
host woolyad.windowco.local

base cn=Users,dc=windowco,dc=local

uri ldap://192.168.4.70/
ldap_version 3

binddn cn=soosuser,dc=windowco,dc=local

bindpw s43jkr3

scope sub

pam_login_attribute     sAMAccountName
pam_filter              objectclass=User
pam_password            ad

nss_base_passwd         cn=Users,dc=windowco,dc=local
nss_base_shadow         cn=Users,dc=windowco,dc=local
nss_base_group          cn=Users,dc=windowco,dc=local
nss_map_objectclass     posixAccount    User
nss_map_objectclass     shadowAccount   User
nss_map_attribute       uid             sAMAccountName
nss_map_attribute       uidNumber       msSFU30UidNumber
nss_map_attribute       gidNumber       msSFU30GidNumber
nss_map_attribute       cn              sAMAccountName
nss_map_attribute       uniqueMember    member
nss_map_attribute       userPassword    msSFU30Password
nss_map_attribute       homeDirectory   msSFU30HomeDirectory
nss_map_attribute       loginShell      msSFU30LoginShell
nss_map_attribute       gecos           name
nss_map_objectclass     posixGroup      Group
####################

here is my /etc/nsswitch.conf
#######
passwd:         files ldap
group:          files ldap

# consult files/dns first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:          files wins dns ldap

# LDAP is nominally authoritative for the following maps.
services:   ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files

# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules for sendmail.
aliases:    files
sendmailvars:   files

# Note: there is no support for netgroups on Solaris (yet)
netgroup:   ldap [NOTFOUND=return] files
########

I can run this ldapsearch command and it returns the specified user's info correctly:
#> ldapsearch -x -D "cn=soosuser,cn=Users,dc=windowco,dc=local" -W "sAMAccountName=derrick3"

BUT, when I try to run this:
#> psql -U derrick3 -d testdb
I get a password prompt and then pam auth error:
#> psql: FATAL:  PAM authentication failed for user "bkelly"

#> tail /var/log/syslog
Dec 18 22:55:33 localhost  derrick3 testdb [local] authentication: pam_ldap: error trying to bind (Invalid credentials)

Anyone have any ideas? I'm clueless and in need of help quick! Thanks in advance.




Re: how to postgres active directory pam_ldap

by Howard Wilkinson

Derrick,

You have not mentioned any changes to the PAM configuration itself. You will need to put an entry for pam_ldap in the PAM stack. This is usually in system-auth in the directory /etc/pam.d on Linux. Alternatively, you can change the postgresql file so that only that is affected.

Howard.





--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Mobile: +44(7980)639379
Email: howard@...

Re: how to postgres active directory pam_ldap

by dstensrud


Thanks for the reply Howard.
Sorry I forgot to include that, here is the file I have for that:
/etc/pam.d/postgres
###########
auth            required        /lib/security/pam_ldap.so debug
account         required        /lib/security/pam_ldap.so debug
##########




--
View this message in context: http://www.nabble.com/how-to-postgres-active-directory-pam_ldap-tf2844422.html#a7947930
Sent from the PAM LDAP mailing list archive at Nabble.com.


Re: how to postgres active directory pam_ldap

by dstensrud

I forgot to include that, here is the file I have for that:
/etc/pam.d/postgres
###########
auth            required        /lib/security/pam_ldap.so debug
account         required        /lib/security/pam_ldap.so debug
##########




Re: how to postgres active directory pam_ldap

by dstensrud

Here is what I am currently getting from Postgres; I think I'm beyond the bind problem now. The only error I'm getting is from PostgreSQL, and nothing is logged to syslog when this happens. Error:

LOG:  pam_authenticate failed: Conversation error
FATAL:  PAM authentication failed for user "bkelly"
LOG:  could not send data to client: Broken pipe
LOG:  pam_authenticate failed: User not known to the underlying authentication module
FATAL:  PAM authentication failed for user "bkelly"





Re: how to postgres active directory pam_ldap

by Howard Wilkinson

Derrick, are you sure it should not be "/etc/pam.d/postgresql"? That is what the file is called on my systems. Howard.



Re: how to postgres active directory pam_ldap

by dstensrud

Hey Howard,
    In my /var/lib/postgresql/data/pg_hba.conf I have this:
local   all   bkelly   pam postgres

It's my understanding that you can specify the name of the PAM file to use right there in pg_hba.conf. I have, however, tried just entering "pam" instead of "pam postgres" and then using /etc/pam.d/postgresql, and I still get the same issue.




Re: how to postgres active directory pam_ldap

by Alex Samad

On Tue, Dec 19, 2006 at 07:05:15AM -0800, dstensrud wrote:

>
> Here is what I am currently getting from postgres, I think I'm beyond the
> bind problem now.  The only error I'm getting is from postgresql and nothing
> is logging into the syslog when this happens.  Error:
>
> LOG:  pam_authenticate failed: Conversation error
> FATAL:  PAM authentication failed for user "bkelly"
> LOG:  could not send data to client: Broken pipe
> LOG:  pam_authenticate failed: User not known to the underlying
> authentication module
> FATAL:  PAM authentication failed for user "bkelly"
>
I know you tried an ldapsearch to test if it was working, but why not try something like getent passwd? This should show you what the system sees, I think. Or, even better, allow bkelly to log in and try logging in as bkelly; this will at least tell you if the PAM stuff is working.


>
>
> dstensrud wrote:
> >
> > Hello,  I use gentoo linux and am desperately trying to get postgres to
> > authenticate using pam_ldap against windows 2003 active directory.  As
> > far as I can tell then only thing I needed to change in postgres is in
> > /var/lib/postgresql/data/pg_hba.conf.  I added a config to say:  local
> > all derrick3 pam postgres    On the active directory end I added users
> > and installed microsoft unix tools.  here is my /etc/ldap.conf file
> > which I think pam_ldap uses.
> >
> > /etc/ldap.conf
> > #####################
> > host woolyad.windowco.local
> >
> > base cn=Users,dc=windowco,dc=local
> >
> > uri ldap://192.168.4.70/
> > ldap_version 3
> >
> > binddn cn=soosuser,dc=windowco,dc=local
> >
> > bindpw s43jkr3
> >
> > scope sub
> >
> > pam_login_attribute     sAMAccountName
> > pam_filter              objectclass=User
> > pam_password            ad
> >
> > nss_base_passwd         cn=Users,dc=windowco,dc=local
> > nss_base_shadow         cn=Users,dc=windowco,dc=local
> > nss_base_group          cn=Users,dc=windowco,dc=local
> > nss_map_objectclass     posixAccount    User
> > nss_map_objectclass     shadowAccount   User
> > nss_map_attribute       uid             sAMAccountName
> > nss_map_attribute       uidNumber       msSFU30UidNumber
> > nss_map_attribute       gidNumber       msSFU30GidNumber
> > nss_map_attribute       cn              sAMAccountName
> > nss_map_attribute       uniqueMember    member
> > nss_map_attribute       userPassword    msSFU30Password
> > nss_map_attribute       homeDirectory   msSFU30HomeDirectory
> > nss_map_attribute       loginShell      msSFU30LoginShell
> > nss_map_attribute       gecos           name
> > nss_map_objectclass     posixGroup      Group
> > ####################
> >
> > here is my /etc/nsswitch.conf
> > #######
> > passwd:         files ldap
> > group:          files ldap
> >
> > # consult files/dns first, we will need it to resolve the LDAP host. (If
> > we
> > # can't resolve it, we're in infinite recursion, because libldap calls
> > # gethostbyname(). Careful!)
> > hosts:          files wins dns ldap
> >
> > # LDAP is nominally authoritative for the following maps.
> > services:   ldap [NOTFOUND=return] files
> > networks:   ldap [NOTFOUND=return] files
> > protocols:  ldap [NOTFOUND=return] files
> > rpc:        ldap [NOTFOUND=return] files
> > ethers:     ldap [NOTFOUND=return] files
> >
> > # no support for netmasks, bootparams, publickey yet.
> > netmasks:   files
> > bootparams: files
> > publickey:  files
> > automount:  files
> >
> > # I'm pretty sure nsswitch.conf is consulted directly by sendmail,
> > # here, so we can't do much here. Instead, use bbense's LDAP
> > # rules for sendmail.
> > aliases:    files
> > sendmailvars:   files
> >
> > # Note: there is no support for netgroups on Solaris (yet)
> > netgroup:   ldap [NOTFOUND=return] files
> > ########
> >
> > I can run this ldapsearch command and it returns a specified user's info
> > correctly
> > #> ldapsearch -x -D "cn=soosuser,cn=Users,dc=windowco,dc=local" -W "sAMAccountName=derrick3"
> >
> > BUT, when I try to run this:
> > #> psql -U derrick3 -d testdb
> > I get a password prompt and then pam auth error:
> > #> psql: FATAL:  PAM authentication failed for user "bkelly"
> >
> > #> tail /var/log/syslog
> > Dec 18 22:55:33 localhost  derrick3 testdb [local] authentication:
> > pam_ldap: error trying to bind (Invalid credentials)
> >
> > Anyone have any ideas... I'm clueless and in need of help quick!  Thanks
> > in advance.
> >
> >
> >
> >
> >
>
> --
> View this message in context: http://www.nabble.com/how-to-postgres-active-directory-pam_ldap-tf2844422.html#a7948586
> Sent from the PAM LDAP mailing list archive at Nabble.com.
>
>


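Two things in the quoted post are worth checking before touching PostgreSQL at all, and the script below (an added example for this thread, not code from pam_ldap, PostgreSQL or anyone posting here) checks them against the posted /etc/ldap.conf. First, the binddn in ldap.conf is cn=soosuser,dc=windowco,dc=local, while the ldapsearch that works binds as cn=soosuser,cn=Users,dc=windowco,dc=local. pam_ldap binds as binddn to look the login name up before it ever tries the user's own password, so a wrong binddn gives exactly "error trying to bind (Invalid credentials)" no matter what password the user types. Second, the uri is plain ldap:// with no ssl directive, so the bind password and every user password cross the wire unencrypted, and pam_password ad cannot work over that connection because Active Directory only accepts unicodePwd changes over an encrypted one. The corrected config inside the script is an assumption about the intended layout (the CA file path and CHANGEME are placeholders), and the bindpw pasted to a public list should be treated as compromised and rotated.

```python
"""Check a pam_ldap /etc/ldap.conf for the problems that produce
'pam_ldap: error trying to bind (Invalid credentials)' and for cleartext
credential exposure.  Added example for this thread, not code from pam_ldap,
PostgreSQL or any poster.  The inputs below are constructed from the posted
config; the CA path and CHANGEME are placeholders."""

# Constructed input: the bind-relevant lines exactly as posted.
POSTED_LDAP_CONF = """\
host woolyad.windowco.local
base cn=Users,dc=windowco,dc=local
uri ldap://192.168.4.70/
ldap_version 3
binddn cn=soosuser,dc=windowco,dc=local
bindpw s43jkr3
scope sub
pam_login_attribute     sAMAccountName
pam_filter              objectclass=User
pam_password            ad
"""

# The DN the poster's *working* ldapsearch -D used.
WORKING_BIND_DN = "cn=soosuser,cn=Users,dc=windowco,dc=local"

# Corrected layout (assumed): bind DN under cn=Users, LDAPS with a pinned CA,
# placeholder password because the posted one is now public and must be rotated.
FIXED_LDAP_CONF = """\
host woolyad.windowco.local
base cn=Users,dc=windowco,dc=local
uri ldaps://woolyad.windowco.local/
ldap_version 3
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/windowco-ad-ca.pem
binddn cn=soosuser,cn=Users,dc=windowco,dc=local
bindpw CHANGEME
scope sub
pam_login_attribute     sAMAccountName
pam_filter              objectclass=User
pam_password            ad
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict; keys are case-insensitive, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def dn_components(dn):
    """Split a DN into normalised RDNs (the DNs in this thread contain no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_is_under(dn, base):
    """True if dn equals base or is an entry beneath it."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def uses_tls(conf):
    """LDAPS URI, or the pam_ldap 'ssl on' / 'ssl start_tls' directive."""
    return (conf.get("uri", "").lower().startswith("ldaps://")
            or conf.get("ssl", "off").lower() in ("on", "start_tls"))


def lint_ldap_conf(conf, working_bind_dn=None):
    """Return finding codes, the likeliest cause of the bind failure first."""
    findings = []
    binddn, base = conf.get("binddn", ""), conf.get("base", "")
    # pam_ldap binds as binddn to search for the user BEFORE it tries the user's
    # own password, so a wrong binddn fails with 'Invalid credentials' every time.
    if working_bind_dn and dn_components(binddn) != dn_components(working_bind_dn):
        findings.append("binddn-mismatch")
    # AD's default container for accounts is cn=Users; a bind DN outside the
    # search base is a strong hint that the RDN chain was typed wrong.
    if binddn and base and not dn_is_under(binddn, base):
        findings.append("binddn-outside-base")
    if not uses_tls(conf):
        findings.append("cleartext-bind")  # bindpw and user passwords cross the wire in clear
        if conf.get("pam_password", "").lower() == "ad":
            # AD only accepts unicodePwd changes over an encrypted connection.
            findings.append("pam_password-ad-without-tls")
    elif "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("tls-without-ca")  # encrypted, but no peer verification
    if "bindpw" in conf:
        # ldap.conf is normally world-readable; only a read-only, least-privilege
        # AD account belongs here, and its password must never be pasted anywhere.
        findings.append("bindpw-in-ldap.conf")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        print(label, lint_ldap_conf(parse_ldap_conf(text), WORKING_BIND_DN))
```

The quickest live check of the first finding is `ldapwhoami -x -H ldap://192.168.4.70/ -D "<binddn from ldap.conf>" -W`: if that fails with invalid credentials while the cn=Users DN succeeds, the binddn is the whole problem. Note also that the psql error names "bkelly" although the command used -U derrick3, so confirm which account is actually being tested before reading the syslog line.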

Re: mailing list subscription settings

by Brendan Simon

Hi,

How do I change the Majordomo subscription settings?
I want to either get a daily digest, or set it to "no email" so I can
read messages via a news gateway (gmane).

This is very easy to do with Mailman as it has a web interface to
control the settings.  Is there such an interface for Majordomo?

Thanks,
Brendan.


Re: how to postgres active directory pam_ldap

by dstensrud

I have given up on this and installed postgres 8.2, which has built-in LDAP support.  And the best part is after installing it, it worked against the AD right out of the box.

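For the built-in LDAP method mentioned in that reply, this is the shape the pg_hba.conf entry takes. It is an added illustration, not the poster's configuration. PostgreSQL 8.2 took a single URL-style parameter (ldap[s]://server/basedn;prefix;suffix) that builds a DN as prefix + login name + suffix and binds with it, so it only works where the account's CN equals its sAMAccountName; later releases (9.x onward) use keyword options and can instead search for the login by sAMAccountName and bind as the DN found, which fits AD better. The server name, base DN, bind account, network range and CHANGEME password are assumptions modeled on the thread, and the quoting of the 8.2 line follows my reading of that release's syntax, so check the client-authentication chapter of the version actually installed.

```text
# PostgreSQL 8.2 form: one quoted URL (quotes because the DN contains commas).
# Bind DN = "cn=" + login name + ",cn=Users,dc=windowco,dc=local".
# The role must already exist in PostgreSQL; LDAP only verifies the password.
local   all   all                   ldap "ldaps://woolyad.windowco.local/cn=Users,dc=windowco,dc=local;cn=;,cn=Users,dc=windowco,dc=local"

# 9.x and later: keyword options, search-and-bind on sAMAccountName.
# ldaptls=1 does StartTLS to the AD server; hostssl keeps the password
# encrypted between psql and PostgreSQL as well.
hostssl all   all   192.168.4.0/24  ldap ldapserver=woolyad.windowco.local ldaptls=1 ldapbasedn="cn=Users,dc=windowco,dc=local" ldapbinddn="cn=soosuser,cn=Users,dc=windowco,dc=local" ldapbindpasswd="CHANGEME" ldapsearchattribute=sAMAccountName
```

Either way the password a user types at psql is sent to PostgreSQL, which then sends it to AD in a simple bind, so both hops need TLS; the ldapbindpasswd in pg_hba.conf is the same kind of secret as the bindpw in /etc/ldap.conf and the file should be readable by the postgres user only.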

