pam_ldap authentication not working with Active Directory


pam_ldap authentication not working with Active Directory

by Rob A


Hi All,
 
Having a major headache with openldap and the pam_ldap libraries that I
am hoping someone can assist.
 
I am using openldap 2.3.27 and the padl libraries ( nss_ldap and
pam_ldap ) on a Solaris 9 server (acting as a client only ) to authenticate to Windows 2003 AD Server.
 
I have compiled the software with the following :
 
OpenLDAP 2.3.27 :
./configure --disable-slapd --disable-slurpd --with-tls --without-cyrus-sasl --enable-syslog --sysconfdir=/etc --localstatedir=/var
 
Padl PAM_LDAP 1.82 :
./configure --sysconfdir=/etc --localstatedir=/var --with-ldap-lib=openldap --with-ldap-dir=/usr/local/lib --with-ldap-secret-file=/etc/ldap.secret
( RENAMED ORIGINAL pam_ldap.so.1 TO pam_ldap.so.1.original )
 
Padl NSS_LDAP 2.53:
./configure --enable-schema-mapping --enable-rfc2307bis --sysconfdir=/etc --localstatedir=/var --enable-debugging --with-ldap-lib=openldap --with-ldap-secret-file=/etc/ldap.secret
 

/etc/openldap/ldap.conf :
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
URI     ldap://dc1.igi-dev.ig.local
BASE    ou=IG Users,dc=igi-dev,dc=ig,dc=local
TIMELIMIT       30
 

/etc/ldap.conf :
host dc1.igi-dev.ig.local
#uri ldap://dc1.igi-dev.ig.local
base dc=igi-dev,dc=ig,dc=local
ldap_version 3
scope sub
binddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
bindpw <PASSWORD REMOVED FOR NEWSGROUP>
rootbinddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
# The port.
# Optional: default is 389. SSL LDAP Port 636
port 389
# RFC2307bis naming contexts
nss_base_passwd OU=IG Users,DC=igi-dev,DC=ig,DC=local
nss_base_shadow OU=IG Users,DC=igi-dev,DC=ig,DC=local
nss_base_group OU=UNIX-Groups,OU=UNIX-OU,DC=igi-dev,DC=ig,DC=local
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
nss_map_attribute memberUid msSFU30MemberUid
# PAM_LDAP options
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
logdir /var/ldap
debug 1
ssl no
timelimit 30
bind_timelimit 30
 

/etc/nsswitch.conf :
passwd:     files ldap
group:      files ldap
 
All is ok with the AD lookups :
root@... # getent passwd ldapfour
ldapfour:*:15105:10000:test ldapfour:/home/ldapfour:/bin/sh
root@... # grep ldapfour /etc/passwd
root@... #
 
But no matter what I've tried I cannot get pam to authenticate a user.
 
My /etc/pam.conf looks like this ( I've taken out the other entries ) :
sshd    auth sufficient         pam_ldap.so.1 try_first_pass debug
sshd    auth sufficient         pam_unix.so.1
sshd    account sufficient      pam_ldap.so.1
sshd    account required        pam_unix_account.so.1
 
SSH has been compiled for pam. I've tried telnet too but same result.
 
Interestingly using telnet I get the following debug output :
 
wait4msg continue ld 30ea8 msgid 4 all 0
** ld 30ea8 Connections:
* host: dc1.igi-dev.ig.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 11 08:35:08 2007
** ld 30ea8 Outstanding Requests:
 * msgid 4,  origid 4, status InProgress
   outstanding referrals 0, parent count 0
** ld 30ea8 Response Queue:
   Empty
ldap_chkResponseList ld 30ea8 msgid 4 all 0
 
Even a snoop on the LDAP traffic between the Solaris server and AD
server shows that LDAP is working :
 
LDAP:  ----- Lightweight Directory Access Protocol Header -----
LDAP:    *[LDAPMessage]
LDAP:       [Message ID]
LDAP:      Operation *[APPL 0: Bind Request]
LDAP:          [Version]
LDAP:          [Object Name]
LDAP:              cn=ldapuser,ou=Application Accou
LDAP:              nts,ou=IG-DEV Resources,dc=igi-d
LDAP:              ev,dc=ig,dc=local
LDAP:         Authentication: Simple  [0]
LDAP:              <PASSWORD OMITTED FOR NEWSGROUP POST>
LDAP:
LDAP:  ----- Lightweight Directory Access Protocol Header -----
LDAP:    *[LDAPMessage]
LDAP:       [Message ID]
LDAP:      Operation *[APPL 1: Bind Response]
LDAP:          [Result Code]
LDAP:           Success
LDAP:          [Matched DN]
 
All I get is the message "Login Incorrect" when I try to ssh or telnet to
the Solaris server.
 
Anyone have any ideas how to get PAM to co-operate ?
 
Thanks,
Rob.

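The sshd stack in the first post has two "sufficient" auth entries and no local entry for the LDAP user, so the "Login Incorrect" result follows directly from the pam.conf(4) control-flag rules. The following evaluator is an added illustration (not code from the thread, nor from the PAM or PADL projects): it parses Rob's four sshd lines verbatim and replays the required / requisite / sufficient / optional (plus Solaris' binding) semantics over them, with each module's result supplied by the caller as a constructed outcome, so no real PAM module is loaded.

```python
"""Replay Solaris pam.conf(4) control-flag semantics over a service stack.

Added example, not from the thread or from any PAM implementation. Module
outcomes are supplied by the caller (constructed); nothing is authenticated.
"""

# The sshd entries exactly as posted in the thread.
PAM_CONF = """
sshd    auth sufficient         pam_ldap.so.1 try_first_pass debug
sshd    auth sufficient         pam_unix.so.1
sshd    account sufficient      pam_ldap.so.1
sshd    account required        pam_unix_account.so.1
"""


def parse_pam_conf(text):
    """Return a list of (service, type, control_flag, module, options)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        entries.append((service, mtype, flag.lower(), module, fields[4:]))
    return entries


def evaluate(entries, service, mtype, outcomes):
    """Walk one service/type stack; True means the stack succeeds.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any error).
    A module missing from outcomes counts as failing, which is what a
    module that cannot find the user reports.
    """
    stack = [e for e in entries if e[0] == service and e[1] == mtype]
    if not stack:
        return False                      # no entries: nothing can succeed
    if all(e[2] == "optional" for e in stack):
        # optional modules only decide the result when nothing else is stacked
        return any(outcomes.get(e[3], False) for e in stack)
    required_failed = False   # a required/binding module failed earlier
    mandatory_ok = False      # a required/requisite module succeeded
    for _, _, flag, module, _ in stack:
        ok = outcomes.get(module, False)
        if flag == "sufficient":
            # success ends the stack at once unless a required module already
            # failed; a failure is simply ignored and the walk continues
            if ok and not required_failed:
                return True
        elif flag == "requisite":
            if not ok:
                return False              # fail immediately, stop walking
            mandatory_ok = True
        elif flag == "required":
            if ok:
                mandatory_ok = True
            else:
                required_failed = True    # keep walking, stack still fails
        elif flag == "binding":
            if ok and not required_failed:
                return True
            if not ok:
                required_failed = True
        elif flag == "optional":
            pass                          # ignored when other flags exist
        else:
            raise ValueError("unknown control flag: %s" % flag)
    if required_failed:
        return False
    # Reached only when no sufficient/binding module returned early: the
    # stack succeeds only if a required/requisite module did.
    return mandatory_ok


def sshd_login(entries, outcomes):
    """A login needs both the auth and the account stacks to pass."""
    return (evaluate(entries, "sshd", "auth", outcomes)
            and evaluate(entries, "sshd", "account", outcomes))


if __name__ == "__main__":
    entries = parse_pam_conf(PAM_CONF)
    # Constructed outcomes. Before the fix pam_ldap cannot verify the password
    # and pam_unix has no local entry, so both "sufficient" auth modules fail.
    broken = {}
    # After the fix pam_ldap succeeds; being "sufficient" in both stacks it
    # decides auth and account before pam_unix_account is ever consulted.
    fixed = {"pam_ldap.so.1": True}
    for label, outcome in (("before fix", broken), ("after fix", fixed)):
        print(label, "->", "login ok" if sshd_login(entries, outcome)
              else "Login Incorrect")
```

Running it prints "Login Incorrect" for the first set of outcomes and "login ok" for the second; the point to take away is that a stack built only from "sufficient" entries has nothing to fall back on once every module fails, which is why a single missing nss mapping surfaces as a generic login failure rather than a PAM configuration error.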


RE: pam_ldap authentication not working with Active Directory

by Denis Melnikov


Rob,

Try to get debug from PAM: create /etc/pam_debug with one line:
+--------------------+
| debug_flags=0x803F | (to reduce output try 0x8037)
+--------------------+

Denis



Re: pam_ldap authentication not working with Active Directory

by dstensrud


I had to change these lines to get them to work in my environment... here are the lines I changed...
Also, because pam_unix is finding the different accounts on the machine, there is no need to have ldap in your nsswitch.conf.

nss_base_passwd DC=igi-dev,DC=ig,DC=local
nss_base_shadow DC=igi-dev,DC=ig,DC=local
nss_base_group DC=igi-dev,DC=ig,DC=local
Derrick Stensrud


RE: pam_ldap authentication not working with Active Directory

by Rob A


Hi Denis,

I had a missing nss_map which meant the password wasn't being presented to PAM.

The password that was being seen was the AD bind password to enable LDAP lookups.

My complete NSS mappings are :

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute userPassword msSFU30Password
nss_map_attribute cn sAMAccountName
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute shadowLastChange pwdLastSet

Now to get ssl working ...

Rob.

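Rob's resolution comes down to one missing nss_map_attribute line, and the snoop capture in the first post also shows something worth checking on any client built like this: a simple bind as the service account over port 389 with "ssl no", so the bind password (and, since pam_ldap verifies users by binding as them, every login password) crosses the wire in the clear. The checker below is an added example, not from the thread or from the PADL projects. Its required-mapping table is the working set Rob posted in his final reply (including userPassword -> msSFU30Password), and its sample input is reconstructed from his first post with a placeholder bind password; the finding codes and the notion of a "required" set are this example's own.

```python
"""Check a PADL nss_ldap/pam_ldap ldap.conf aimed at Active Directory (SFU 3.0
schema) for missing attribute mappings and for credential exposure.

Added example; not from the thread or from the PADL projects. The sample
configuration is constructed from the thread with a placeholder bindpw.
"""

# RFC 2307 attribute -> SFU 3.0 attribute, as in Rob's working configuration.
REQUIRED_ATTR_MAPS = {
    "uid": "sAMAccountName",
    "uidNumber": "msSFU30UidNumber",
    "gidNumber": "msSFU30GidNumber",
    "userPassword": "msSFU30Password",   # the line whose absence was the bug
    "cn": "sAMAccountName",
    "homeDirectory": "msSFU30HomeDirectory",
    "loginShell": "msSFU30LoginShell",
    "gecos": "name",
    "shadowLastChange": "pwdLastSet",
}

# Constructed from the first post (without the userPassword mapping).
SAMPLE_CONF = """\
host dc1.igi-dev.ig.local
base dc=igi-dev,dc=ig,dc=local
ldap_version 3
scope sub
binddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
bindpw PLACEHOLDER-NOT-A-REAL-PASSWORD
rootbinddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
port 389
nss_base_passwd OU=IG Users,DC=igi-dev,DC=ig,DC=local
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
ssl no
"""


def parse_ldap_conf(text):
    """Return (settings, attr_maps, objectclass_maps); keys are lower-cased,
    a repeated key keeps its last value, as the PADL parser does."""
    settings, attr_maps, oc_maps = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("nss_map_attribute", "nss_map_objectclass"):
            pair = value.split(None, 1)
            if len(pair) != 2:
                raise ValueError("bad mapping line: %r" % raw)
            target = attr_maps if key == "nss_map_attribute" else oc_maps
            target[pair[0]] = pair[1]
        else:
            settings[key] = value
    return settings, attr_maps, oc_maps


def lint(text):
    """Return a list of (code, message) findings; empty means nothing flagged."""
    settings, attr_maps, _ = parse_ldap_conf(text)
    findings = []
    for rfc, sfu in REQUIRED_ATTR_MAPS.items():
        if rfc not in attr_maps:
            findings.append(("missing-map",
                             "add: nss_map_attribute %s %s" % (rfc, sfu)))
    tls = (settings.get("ssl", "no").lower() in ("yes", "on", "start_tls")
           or settings.get("uri", "").lower().startswith("ldaps://"))
    if not tls:
        if "bindpw" in settings:
            findings.append(("cleartext-bind",
                             "bindpw goes out in a simple bind with no TLS"))
        findings.append(("cleartext-user-bind",
                         "pam_ldap verifies users by binding as them, so login "
                         "passwords also cross the wire unencrypted"))
        if settings.get("pam_password", "").lower() == "ad":
            findings.append(("cleartext-change",
                             "pam_password ad writes unicodePwd, which AD only "
                             "accepts over TLS; password changes will fail"))
    if "bindpw" in settings and settings.get("binddn") == settings.get("rootbinddn"):
        findings.append(("secret-exposed",
                         "binddn equals rootbinddn: the credential protected in "
                         "ldap.secret is also in world-readable ldap.conf"))
    return findings


if __name__ == "__main__":
    for code, message in lint(SAMPLE_CONF):
        print("%-20s %s" % (code, message))
```

On the reconstructed config this reports exactly one missing mapping (userPassword), the cleartext findings because of "ssl no", and the shared-credential finding because the same cn=ldapuser DN is used as both binddn and rootbinddn; appending the userPassword line and "ssl start_tls" clears the first two. The last one is the one to fix by hand: nss_ldap needs ldap.conf readable by every process, so whatever password sits in bindpw is readable by every local user, and the account whose password lives in ldap.secret should not be the same one.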