root user and unwanted failing ldap requests



by Benji H


Morning...

Am hoping someone can help me with this problem. I've got pam_ldap working fine (debian etch, all from apt repos). I can auth, change passwords, sudo works. I can even log in as root when slapd is unreachable. My only issue is when I try and log in as root over SSH I get the following:

Dec  5 12:38:30 core sshd[20812]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec  5 12:39:07 core sshd[20812]: pam_ldap: ldap_simple_bind Can't contact LDAP server

and

Dec  4 19:51:49 core sshd[19493]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example - Can't contact LDAP server
Dec  4 19:51:49 core sshd[19493]: nss_ldap: failed to bind to LDAP server ldaps://ldap.xxxxxx.com/: Can't contact LDAP server

it works perfectly for any user.

I've got the following:

root@core:~# egrep -v "^(#.*)?$" /etc/pam_ldap.conf
base dc=example
uri ldaps://ldap.xxxxxx.com/
ldap_version 3
rootbinddn cn=admin,dc=example
nss_initgroups_ignoreusers root

root@core:~# egrep -v "^(#.*)?$" /etc/libnss-ldap.conf
base dc=example
uri ldaps://ldap.xxxxxx.com/
ldap_version 3
rootbinddn cn=admin,dc=example
pam_min_uid 2000
pam_password exop
nss_base_passwd ou=People,dc=example?one?|(host=\*)(host=dc1)
ssl on
tls_cacertfile /etc/ssl/ca.cert
nss_initgroups_ignoreusers root

Any pointers would be wonderful, thanks!

--
Ben Hughes

Re: root user and unwanted failing ldap requests

by Tony Earnshaw-4


Benji H wrote, on 05-12-2007 15:25:

> Am hoping someone can help me with this problem. I've got pam_ldap working
> fine (debian etch, all from apt repos). I can auth, change passwords, sudo
> works. I can even log in as root when slapd is unreachable. My only issue is
> when I try and log in as root over SSH I get the following:
>
> Dec  5 12:38:30 core sshd[20812]: pam_ldap: ldap_simple_bind Can't contact
> LDAP server
> Dec  5 12:39:07 core sshd[20812]: pam_ldap: ldap_simple_bind Can't contact
> LDAP server

[...]

> it works perfectly for any user.

What's that supposed to mean? What "works perfectly for any user"?

> Any pointers would be wonderful, thanks!

I don't know Debian or its defaults, but as a (very security minded) Red
Hat person I'd be looking at /etc/ssh/sshd_config and PermitRootLogin.
After that, look at AllowUser, otherwise it's going to cost your site
"bacon fat" (as Norwegians say).

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: root user and unwanted failing ldap requests

by Benji H


On Wed, Dec 05, 2007 at 06:09:35PM +0100, Tony Earnshaw wrote:

> >it works perfectly for any user.
>
> What's that supposed to mean? What "works perfectly for any user"?

As in, I can log in as a user that's specified in LDAP.

> I don't know Debian or its defaults, but as a (very security
> minded) Red Hat person I'd be looking at /etc/ssh/sshd_config and
> PermitRootLogin.  After that, look at AllowUser, otherwise it's
> going to cost your site "bacon fat" (as Norwegians say).

I can log in as root, that's not the problem. It's just it's trying to
bind to the LDAP server, which fails.

root is, for a number of reasons, obviously not in LDAP, so it's using the
local database. Which is ideal, I just don't want my logs filled with
"pam_ldap: ldap_simple_bind Can't contact LDAP server" when root tries to
log in.

--
ben
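Editor's note: the thread ends without a fix. The usual way to keep pam_ldap from binding for accounts that live only in /etc/passwd (root here) is to guard it in the PAM stack rather than in pam_ldap.conf, so that local users never reach pam_ldap at all. The fragment below is an added example for /etc/pam.d/common-auth on a Debian etch style stack; it is not configuration from the thread, and the exact module lines of the poster's common-auth are an assumption (only pam_ldap.so and pam_unix.so are shown). It relies on two standard Linux-PAM facts: pam_localuser succeeds only if the user is listed in /etc/passwd, and the `[success=N default=ignore]` control skips the next N lines on success.

```pam
# /etc/pam.d/common-auth  (added example, not the original poster's file)
#
# Before (assumed stack): every login, root included, is offered to pam_ldap
# first, so a local-only account still triggers an LDAP bind and, when the
# server is down, the "ldap_simple_bind Can't contact LDAP server" line.
#
#   auth    sufficient  pam_ldap.so
#   auth    required    pam_unix.so nullok_secure use_first_pass
#
# After: names present in /etc/passwd are routed straight to pam_unix and
# pam_ldap is only consulted for names that are not local.
#   - pam_localuser returns success for users found in /etc/passwd;
#     "success=1" then jumps over the next line (pam_ldap).
#   - "default=ignore" makes a non-local user fall through to pam_ldap
#     without pam_localuser's failure counting against the stack.
auth    [success=1 default=ignore]  pam_localuser.so
auth    sufficient                  pam_ldap.so
auth    required                    pam_unix.so nullok_secure use_first_pass
```

The same guard line goes in front of pam_ldap in common-account, common-password and common-session, otherwise those stacks still bind for root. If you would rather key on UID, matching the `pam_min_uid 2000` the poster already uses, `auth [success=1 default=ignore] pam_succeed_if.so uid < 2000 quiet` does the same job, at the cost of a getpwnam() lookup through NSS. Note that this only silences the pam_ldap side: the `nss_ldap: ... failed to bind` messages come from NSS lookups, which are governed by the source order in /etc/nsswitch.conf and by `nss_initgroups_ignoreusers`, not by the PAM stack.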