Hi All,
Having a major headache with openldap and the pam_ldap libraries that I
am hoping someone can assist.
I am using openldap 2.3.27 and the padl libraries (nss_ldap and pam_ldap) on a Solaris 9 server (acting as a client only) to authenticate to a Windows 2003 AD server.
I have compiled the software with the following:
OpenLDAP 2.3.27:
./configure --disable-slapd --disable-slurpd --with-tls --without-cyrus-sasl --enable-syslog --sysconfdir=/etc --localstatedir=/var
Padl PAM_LDAP 1.82:
./configure --sysconfdir=/etc --localstatedir=/var --with-ldap-lib=openldap --with-ldap-dir=/usr/local/lib --with-ldap-secret-file=/etc/ldap.secret
(renamed the original pam_ldap.so.1 to pam_ldap.so.1.original)
Padl NSS_LDAP 2.53:
./configure --enable-schema-mapping --enable-rfc2307bis --sysconfdir=/etc --localstatedir=/var --enable-debugging --with-ldap-lib=openldap --with-ldap-secret-file=/etc/ldap.secret
/etc/openldap/ldap.conf:
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
base dc=igi-dev,dc=ig,dc=local
ldap_version 3
scope sub
binddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
bindpw <PASSWORD REMOVED FOR NEWSGROUP>
rootbinddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
# The port.
# Optional: default is 389. SSL LDAP Port 636
port 389
# RFC2307bis naming contexts
nss_base_passwd OU=IG Users,DC=igi-dev,DC=ig,DC=local
nss_base_shadow OU=IG Users,DC=igi-dev,DC=ig,DC=local
nss_base_group OU=UNIX-Groups,OU=UNIX-OU,DC=igi-dev,DC=ig,DC=local
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
nss_map_attribute memberUid msSFU30MemberUid
# PAM_LDAP options
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
logdir /var/ldap
debug 1
ssl no
timelimit 30
bind_timelimit 30
/etc/nsswitch.conf:
passwd: files ldap
group: files ldap
All is OK with the AD lookups:
root@... # getent passwd ldapfour
ldapfour:*:15105:10000:test ldapfour:/home/ldapfour:/bin/sh
root@... # grep ldapfour /etc/passwd
root@... #
But no matter what I've tried I cannot get PAM to authenticate a user.
My /etc/pam.conf looks like this (I've taken out the other entries):
sshd auth sufficient pam_ldap.so.1 try_first_pass debug
sshd auth sufficient pam_unix.so.1
sshd account sufficient pam_ldap.so.1
sshd account required pam_unix_account.so.1
SSH has been compiled for PAM. I've tried telnet too, but with the same result.
Interestingly, using telnet I get the following debug output:
wait4msg continue ld 30ea8 msgid 4 all 0
** ld 30ea8 Connections:
* host: dc1.igi-dev.ig.local port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jan 11 08:35:08 2007
** ld 30ea8 Outstanding Requests:
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
** ld 30ea8 Response Queue:
Empty
ldap_chkResponseList ld 30ea8 msgid 4 all 0
Even a snoop on the LDAP traffic between the Solaris server and the AD server shows that LDAP is working:
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 0: Bind Request]
LDAP: [Version]
LDAP: [Object Name]
LDAP: cn=ldapuser,ou=Application Accou
LDAP: nts,ou=IG-DEV Resources,dc=igi-d
LDAP: ev,dc=ig,dc=local
LDAP: Authentication: Simple [0]
LDAP: <PASSWORD OMITTED FOR NEWSGROUP POST>
LDAP:
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 1: Bind Response]
LDAP: [Result Code]
LDAP: Success
LDAP: [Matched DN]
All I get is the message "Login Incorrect" when I try to ssh or telnet to the Solaris server.
Anyone have any ideas how to get PAM to co-operate?
Thanks,
Rob.
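An added example, not part of Rob's post or of the PADL/OpenLDAP code: the script below parses a constructed copy of the ldap.conf shown above (bindpw replaced by a placeholder) and reports the settings a reviewer would flag before chasing the PAM problem further. The three that matter for security are that `bindpw` sits in a file nss_ldap needs world-readable, so every local user can read the service-account password (rootbinddn plus a mode-0600 /etc/ldap.secret is the supported alternative); that `ssl no` means both the ldapuser bind in the snoop and the user's own simple bind cross the wire in cleartext; and that AD only accepts the unicodePwd change that `pam_password ad` performs over an SSL/TLS session. The script also builds the search filter pam_ldap composes from `pam_filter` and `pam_login_attribute`, with RFC 4515 escaping of the login name so a crafted username cannot rewrite the filter. The hardened config is an assumption for illustration: the `dc1.igi-dev.ig.local` host comes from the debug output in the post, but the CA file path is made up.

```python
"""Offline checks on a pam_ldap/nss_ldap ldap.conf used against AD.

Added example (not from the original post). Parses a constructed copy of the
poster's config, audits it, and shows the filter pam_ldap sends for a login.
"""

# Constructed copy of the posted config; bindpw is a placeholder.
POSTED_LDAP_CONF = """\
# See ldap.conf(5) for details
base dc=igi-dev,dc=ig,dc=local
ldap_version 3
scope sub
binddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
bindpw REDACTED
rootbinddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
port 389
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
debug 1
ssl no
"""

# Assumed hardened version: no bindpw (password lives in /etc/ldap.secret,
# mode 0600), LDAPS on 636, server certificate verified.  CA path is made up.
HARDENED_LDAP_CONF = """\
base dc=igi-dev,dc=ig,dc=local
ldap_version 3
scope sub
host dc1.igi-dev.ig.local
port 636
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ad-root-ca.pem
rootbinddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
"""


def parse_ldap_conf(text):
    """Return {keyword: value}; keywords are case-insensitive in ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)           # keyword, then rest of line
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value (ASCII metacharacters)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def pam_ldap_filter(conf, login):
    """Filter pam_ldap composes: (&(pam_filter)(pam_login_attribute=login))."""
    attr = conf.get("pam_login_attribute", "uid")    # pam_ldap default is uid
    user = escape_filter_value(login)
    if conf.get("pam_filter"):
        return "(&(%s)(%s=%s))" % (conf["pam_filter"], attr, user)
    return "(%s=%s)" % (attr, user)


def audit_ldap_conf(conf):
    """Return a list of (code, message) findings for the parsed config."""
    findings = []
    ssl = conf.get("ssl", "no").lower()
    encrypted = ssl in ("on", "yes", "start_tls")
    if "bindpw" in conf:
        findings.append(("BINDPW_IN_CONF",
            "bindpw in ldap.conf: nss_ldap needs the file world-readable, so the "
            "service-account password leaks to every local user; use rootbinddn "
            "with a mode-0600 /etc/ldap.secret instead"))
    if not encrypted:
        findings.append(("CLEARTEXT_BIND",
            "ssl is off: service-account and user simple binds cross the network "
            "in cleartext on port 389"))
        if conf.get("pam_password", "").lower() == "ad":
            findings.append(("AD_PASSWD_CHANGE_NEEDS_TLS",
                "pam_password ad sets unicodePwd, which AD only accepts over SSL/TLS"))
    elif conf.get("tls_checkpeer", "no").lower() not in ("yes", "on", "true", "hard"):
        findings.append(("TLS_NO_PEER_CHECK",
            "TLS enabled but tls_checkpeer is not yes: the DC certificate is not verified"))
    if conf.get("debug", "0") != "0":
        findings.append(("DEBUG_ON", "debug left enabled; turn off outside troubleshooting"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        conf = parse_ldap_conf(text)
        print("%s: filter for ldapfour = %s" % (label, pam_ldap_filter(conf, "ldapfour")))
        for code, msg in audit_ldap_conf(conf) or [("OK", "no findings")]:
            print("  %-28s %s" % (code, msg))
```

The filter builder is there because pam_ldap's first step is exactly that search, bound as binddn/rootbinddn; if `ldapsearch -x -D <binddn> -W -b <base> '(&(objectclass=User)(sAMAccountName=ldapfour))' dn` returns no DN, the subsequent user bind can never succeed and PAM reports "Login Incorrect" regardless of the password.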