# openldap centralized user login authentication

## mikkele

I'm trying hard to get login to work using an openldap server for centralized authentication. I looked through all posts in the forums that show up with the search term "openldap". I also did a lot of googling - no luck so far.

I managed to get the slapd server running and I can also search using ldapsearch.

Program versions:

pam_ldap-156

openldap-2.1.30-r1

I'm really lost here.

Could someone please post their working config files or tell me what might be wrong with mine?

Mikkel.

```
ldapsearch -D "uid=mwe,ou=People,dc=erup,dc=damnkewl,dc=net" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# Hosts, erup.damnkewl.net
dn: ou=Hosts,dc=erup,dc=damnkewl,dc=net
ou: Hosts
objectClass: top
objectClass: organizationalUnit

...

# People, erup.damnkewl.net
dn: ou=People,dc=erup,dc=damnkewl,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: erup.damnkewl.net

# Group, erup.damnkewl.net
dn: ou=Group,dc=erup,dc=damnkewl,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: erup.damnkewl.net

# Netgroup, erup.damnkewl.net
dn: ou=Netgroup,dc=erup,dc=damnkewl,dc=net
ou: Netgroup
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: erup.damnkewl.net

# mwe, People, erup.damnkewl.net
dn: uid=mwe,ou=People,dc=erup,dc=damnkewl,dc=net
uid: mwe
cn: mwe
sn: mwe
mail: mwe@erup.damnkewl.net
mailRoutingAddress: mwe@erup.damnkewl.net
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
objectClass: shadowAccount
userPassword:: <MY MD5 ENCRYPTED PASSWORD>
shadowLastChange: 12452
shadowMax: 99999
shadowWarning: 7
krbName: mwe@ERUP.DAMNKEWL.NET
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/mwe

# search result
search: 2
result: 0 Success

# numResponses: 18
# numEntries: 17
```

When I try to log in from the terminal I get:

(Note that I temporarily disabled use_first_pass for debugging.)

```
thor login: mwe
Password: <correct LDAP password entered>
LDAP Password: <correct LDAP password entered again>
Login incorrect
```

My config files:

```
# cat /etc/pam.d/system-auth |sed -e '/^#/d' -e '/^$/d'
auth sufficient /lib/security/pam_unix.so likeauth nullok shadow
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
sesseion sufficient /lib/security/pam_ldap.so

# cat /etc/ldap.conf|sed -e '/^#/d' -e '/^$/d'
uri ldaps://auth.erup.damnkewl.net/
base dc=erup,dc=damnkewl,dc=net
ldap_version 3
port 636
scope sub
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password md5
nss_base_passwd      ou=People,dc=erup,dc=damnkewl,dc=net?one
nss_base_shadow      ou=People,dc=erup,dc=damnkewl,dc=net?one
nss_base_group       ou=Group,dc=erup,dc=damnkewl,dc=net?one
ssl start_tls
ssl on

# cat /etc/openldap/ldap.conf|sed -e '/^#/d' -e '/^$/d'
BASE    dc=erup,dc=damnkewl,dc=net
TLS_REQCERT     allow
URI ldaps://auth.erup.damnkewl.net

# cat /etc/openldap/slapd.conf|sed -e '/^#/d' -e '/^$/d'
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/kerberosobject.schema
include         /etc/openldap/schema/misc.schema
database ldbm
suffix "dc=erup, dc=damnkewl, dc=net"
rootdn          "cn=Manager,dc=erup,dc=damnkewl,dc=net"
rootpw          {MD5}gpsos/ztDYiWWOCmUH2IJA==
directory       /var/lib/openldap-data
index           objectClass,uid,uidNumber,gidNumber eq
password-hash   {crypt}
password-crypt-salt-format      "$1$%.8s"
loglevel 256
TLSCertificateFile /etc/openldap/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
pidfile /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
allow bind_v2
access to dn=".*,dc=erup,dc=damnkewl,dc=net" attr=userPassword
        by dn="cn=root,dc=mylan,dc=net" write
        by self write
        by * auth
access to dn=".*,dc=erup,dc=damnkewl,dc=net" attr=mail
        by dn="cn=root,dc=mylan,dc=net" write
        by self write
        by * read
access to dn=".*,ou=People,dc=erup,dc=damnkewl,dc=net"
        by * read
access to dn=".*,dc=erup,dc=damnkewl,dc=net"
        by self write
        by * read

# cat /etc/conf.d/slapd
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

and /var/log/messages:

```
Aug 10 03:11:39 thor slapd[10525]: conn=35 fd=9 ACCEPT from IP=217.157.176.91:34882 (IP=0.0.0.0:636)
Aug 10 03:11:39 thor slapd[10525]: conn=35 op=1 UNBIND
Aug 10 03:11:39 thor slapd[10525]: conn=35 fd=9 closed
Aug 10 03:11:39 thor slapd[10525]: conn=36 fd=9 ACCEPT from IP=217.157.176.91:34883 (IP=0.0.0.0:636)
Aug 10 03:11:39 thor slapd[10525]: conn=36 op=1 UNBIND
Aug 10 03:11:39 thor slapd[10525]: conn=36 fd=9 closed
Aug 10 03:11:39 thor slapd[10525]: conn=37 fd=9 ACCEPT from IP=217.157.176.91:34884 (IP=0.0.0.0:636)
Aug 10 03:11:39 thor slapd[10525]: conn=37 op=1 UNBIND
Aug 10 03:11:39 thor slapd[10525]: conn=37 fd=9 closed
Aug 10 03:11:39 thor slapd[10525]: conn=38 fd=9 ACCEPT from IP=217.157.176.91:34885 (IP=0.0.0.0:636)
Aug 10 03:11:39 thor slapd[10525]: conn=38 op=1 UNBIND
Aug 10 03:11:39 thor slapd[10525]: conn=38 fd=9 closed
Aug 10 03:11:39 thor slapd[10525]: conn=39 fd=9 ACCEPT from IP=217.157.176.91:34886 (IP=0.0.0.0:636)
Aug 10 03:11:39 thor slapd[10525]: conn=39 op=1 UNBIND
Aug 10 03:11:39 thor slapd[10525]: conn=39 fd=9 closed
Aug 10 03:11:40 thor slapd[10525]: conn=40 fd=9 ACCEPT from IP=217.157.176.91:34887 (IP=0.0.0.0:636)
Aug 10 03:11:40 thor slapd[10525]: conn=40 op=1 UNBIND
Aug 10 03:11:40 thor slapd[10525]: conn=40 fd=9 closed
Aug 10 03:11:40 thor slapd[10525]: conn=41 fd=9 ACCEPT from IP=217.157.176.91:34888 (IP=0.0.0.0:636)
Aug 10 03:11:40 thor slapd[10525]: conn=41 op=1 UNBIND
Aug 10 03:11:40 thor slapd[10525]: conn=41 fd=9 closed
Aug 10 03:11:40 thor slapd[10525]: conn=42 fd=9 ACCEPT from IP=217.157.176.91:34889 (IP=0.0.0.0:636)
Aug 10 03:11:40 thor slapd[10525]: conn=42 op=1 UNBIND
Aug 10 03:11:40 thor slapd[10525]: conn=41 fd=9 closed
Aug 10 03:11:40 thor slapd[10525]: conn=42 fd=9 ACCEPT from IP=217.157.176.91:34889 (IP=0.0.0.0:636)
Aug 10 03:11:40 thor slapd[10525]: conn=42 op=1 UNBIND
Aug 10 03:11:40 thor slapd[10525]: conn=42 fd=9 closed
Aug 10 03:11:42 thor slapd[10525]: conn=43 fd=9 ACCEPT from IP=217.157.176.91:34890 (IP=0.0.0.0:636)
Aug 10 03:11:42 thor slapd[10525]: conn=43 op=1 UNBIND
Aug 10 03:11:42 thor slapd[10525]: conn=43 fd=9 closed
Aug 10 03:11:42 thor slapd[10525]: conn=44 fd=9 ACCEPT from IP=217.157.176.91:34891 (IP=0.0.0.0:636)
Aug 10 03:11:42 thor slapd[10525]: conn=44 op=1 UNBIND
Aug 10 03:11:42 thor slapd[10525]: conn=44 fd=9 closed
Aug 10 03:11:42 thor slapd[10525]: conn=45 fd=9 ACCEPT from IP=217.157.176.91:34892 (IP=0.0.0.0:636)
Aug 10 03:11:42 thor slapd[10525]: conn=45 op=1 UNBIND
Aug 10 03:11:42 thor slapd[10525]: conn=45 fd=9 closed
Aug 10 03:11:42 thor slapd[10525]: conn=46 fd=9 ACCEPT from IP=217.157.176.91:34893 (IP=0.0.0.0:636)
Aug 10 03:11:42 thor login(pam_unix)[10657]: check pass; user unknown
Aug 10 03:11:42 thor login(pam_unix)[10657]: authentication failure; logname= uid=0 euid=0 tty=/dev/vc/1 ruser= rhost=
Aug 10 03:11:42 thor slapd[10525]: conn=46 op=1 UNBIND
Aug 10 03:11:42 thor slapd[10525]: conn=46 fd=9 closed
Aug 10 03:11:45 thor slapd[10525]: conn=47 fd=9 ACCEPT from IP=217.157.176.91:34894 (IP=0.0.0.0:636)
Aug 10 03:11:45 thor login[10657]: pam_ldap: ldap_starttls_s: Operations error
Aug 10 03:11:48 thor slapd[10525]: conn=48 fd=14 ACCEPT from IP=217.157.176.91:34895 (IP=0.0.0.0:636)
Aug 10 03:11:48 thor login[10657]: FAILED LOGIN 1 FROM /dev/vc/1 FOR UNKNOWN, Authentication failure
Aug 10 03:11:48 thor slapd[10525]: conn=48 op=1 UNBIND
Aug 10 03:11:48 thor slapd[10525]: conn=48 fd=14 closed
```

Last edited by mikkele on Tue Aug 10, 2004 2:13 am; edited 2 times in total
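The two things the dumps above show (a `ssl start_tls` line on top of an `ldaps://` port-636 connection, which is what produces `ldap_starttls_s: Operations error`, and a misspelled PAM module type) can be caught by a static check before touching the server. This is an added example, not code from the thread: the key names are pam_ldap's own, and the sample inputs are constructed from the posted files, with the `dc=damkewl` base that shows up in a later log in this thread deliberately dropped into one `nss_base_*` entry so the DN check has something to find.

```python
import re
# Constructed sample: the poster's /etc/ldap.conf lines, with the "damkewl"
# base from the later log dropped into one nss_base_* entry on purpose.
LDAP_CONF = """\
uri ldaps://auth.erup.damnkewl.net/
base dc=erup,dc=damnkewl,dc=net
port 636
nss_base_passwd ou=People,dc=erup,dc=damkewl,dc=net?one
nss_base_group ou=Group,dc=erup,dc=damnkewl,dc=net?one
ssl start_tls
ssl on
"""
# Constructed sample: three lines of the poster's system-auth, typo included.
PAM_CONF = """\
auth sufficient /lib/security/pam_unix.so likeauth nullok shadow
auth sufficient /lib/security/pam_ldap.so
sesseion sufficient /lib/security/pam_ldap.so
"""
PAM_TYPES = {"auth", "account", "password", "session"}

def parse_conf(text):
    # (key, value) pairs of a key<space>value file; comments and blanks skipped
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            pairs.append((key.lower(), value.strip()))
    return pairs

def norm_dn(dn):
    """Lower-case a DN and drop whitespace after commas so DNs compare cleanly."""
    return re.sub(r",\s*", ",", dn.strip().lower())

def lint_ldap_conf(text):
    # findings for the TLS and search-base settings of a pam_ldap ldap.conf
    conf, findings = parse_conf(text), []
    uris = [v for k, v in conf if k == "uri"]
    ssl = [v for k, v in conf if k == "ssl"]
    base = next((v for k, v in conf if k == "base"), None)
    ldaps = any(u.startswith("ldaps://") for u in uris) or ("port", "636") in conf
    if ldaps and "start_tls" in ssl:
        findings.append("ssl start_tls on an ldaps:// (port 636) session: TLS is already "
                        "up, so StartTLS fails (ldap_starttls_s: Operations error)")
    if "on" in ssl and "start_tls" in ssl:
        findings.append("ssl on and ssl start_tls both set; only one can apply")
    for k, v in conf:
        if k.startswith("nss_base_") and base:
            dn = norm_dn(v.split("?")[0])          # drop the ?scope suffix
            if not dn.endswith(norm_dn(base)):
                findings.append(f"{k}: {dn} is not under base {norm_dn(base)}")
    return findings

def lint_pam(text):
    return [f"line {n}: unknown module type '{f[0]}'"
            for n, f in enumerate((ln.split() for ln in text.splitlines()), 1)
            if f and not f[0].startswith("#") and f[0].lower() not in PAM_TYPES]
```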

----------

## norvalk

Maybe http://www.gentoo.org/doc/en/ldap-howto.xml could be of some help to you? Unfortunately I'm just starting to consider using LDAP, so I can't be more of a help...  :Sad:

----------

## mikkele

I started out with that but unfortunately it's hopelessly outdated.

----------

## weyhan

 *mikkele wrote:*   

> I'm really lost here.
> 
> Could someone please post their working config files or tell me what might be wrong with mine?
> 
> Mikkel.
> ...

 

I take your word that you have stored MD5 passwords in your directory (ones that begin with "{MD5}xxxxxxxxxx...").

 *mikkele wrote:*   

> My config files:
> 
> ```
> #  cat /etc/openldap/slapd.conf|sed -e '/^#/d' -e '/^$/d'
> 
> ...

 

But you have configured your slapd to use crypt passwords.

You can either change your slapd to use MD5 passwords or change the password in the directory to use a crypt password.

 *mikkele wrote:*   

> I started out with that but unfortunately it's hopelessly outdated.

 

Not really that outdated. It's the migration tools that are outdated. If the migration tools are up to date, following the howto should not be a problem.

HTH

----------

## mikkele

 *Quote:*   

> I take your word that you have stored MD5 password in your directory (ones that begin with "{MD5}xxxxxxxxxx..."). 

 

Correct.

 *Quote:*   

> But you have configured your slapd to use crypt password.

 

AFAIK the combination

```
password-hash   {crypt}
password-crypt-salt-format      "$1$%.8s"
```

is exactly the same as MD5. Changing slapd.conf to read

```
password-hash {MD5}
```

doesn't make it work either. And, as my ldapsearch example shows, slapd accepts my password.

 *Quote:*   

> Not really that outdated. It's the migration tools that is outdated. If the migration tools is up to date, following the howto should not be a problem.

 

From what I understand from other topics it's written for an older version of openldap which has some important differences. And koon doesn't keep it up to date.

Also it forgets to mention a few important steps.

For example, it doesn't mention that /etc/ldap.conf should contain

```
pam-password {foo}
```

----------

## weyhan

 *mikkele wrote:*   

>  *Quote:*   But you have configured your slapd to use crypt password. 
> 
> AFAIK the combination
> 
> ```
> ...

 

Not really. Though I don't understand what the difference is. All I know is that with the salt you are producing an MD5 hash that reads "$1$xxxxx..." while the password hash, if produced by the openldap tools, reads "{MD5}xxxx...". If I am not mistaken, the crypt and salt combination will only work if you copy your password hash from your /etc/shadow file.

Anyone who knows this better care to explain?

Also, your ldapsearch is not using the password hash from the directory. Instead it is using your password in your /etc/openldap/slapd.conf. So it's a different thing.

 *mikkele wrote:*   

> Doesn't make it work either. And as my example ldapsearch shows slapd accepts my password.

 

On closer look, your logs look like they are complaining that the TLS auth is failing. Have you tried disabling TLS to see if it works?

I remember I needed to have the following line in my /etc/openldap/ldap.conf file when I used the ldap.pem file generated during openldap installation.

```
TLS_REQCERT     never
```

Later, when I had found out how to properly generate the certs, I could use the following line:

```
TLS_REQCERT     demand
```

 *mikkele wrote:*   

> From what I understand from other topics it's written for an older version of openldap which has some important differences. And koon doesn't keep it up to date.
> 
> Also it forgets to mention a few important steps.
> 
> for example it doesn't mention that /etc/ldap.conf should contain
> ...

 

The link in norvalk's post is the official Gentoo howto and it's not that out of date (well, maybe with some info missing). Also, I don't believe it is maintained by koon. The link in your post is the howto written by koon, which is very out of date.

Anyway, if my suggestion (which is mostly based on my memory) still does not work, then I'd suggest you look at Koon's howto and take note of the link (near the top of the howto) to a much later post I've made. I have detailed how I used koon's howto plus a lot of research to get openldap to authenticate users with the current openldap.

HTH
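The two "MD5" formats weyhan asks about above differ in encoding, not just in name: `{MD5}` is base64 of the raw, unsalted digest and slapd compares it itself, while `{CRYPT}$1$salt$...` is md5crypt, a salted, 1000-round construction that slapd verifies by calling the system crypt(3). This added example (not code from the thread or from OpenLDAP) classifies a `userPassword` value by its RFC 2307 scheme prefix and verifies a cleartext against the `{MD5}` form; the `$1$` salt values it prints are constructed.

```python
import base64
import hashlib
import re

def scheme_of(stored):
    """RFC 2307 scheme prefix of a userPassword value ('MD5', 'CRYPT', ...) or None."""
    m = re.match(r"\{(\w+)\}", stored)
    return m.group(1).upper() if m else None

def make_md5(password):
    """Produce the {MD5} form: base64 of the raw 16-byte MD5 digest, no salt."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def check_md5(password, stored):
    """Compare a cleartext against an {MD5} value; other schemes are refused."""
    if scheme_of(stored) != "MD5":
        raise ValueError("not an {MD5} value")
    return make_md5(password) == stored

def describe(stored):
    """Say which of the two 'MD5' formats a value is in and what that implies."""
    scheme = scheme_of(stored)
    body = stored[len(scheme) + 2:] if scheme else stored   # strip "{SCHEME}"
    if scheme == "MD5":
        n = len(base64.b64decode(body))
        return f"{{MD5}}: base64 of a {n}-byte digest, unsalted, compared by slapd itself"
    if scheme == "CRYPT" and body.startswith("$1$"):
        salt = body.split("$")[2]
        return f"{{CRYPT}} md5crypt: salt '{salt}', 1000 rounds, verified through crypt(3)"
    if scheme == "CRYPT":
        return "{CRYPT}: traditional crypt(3) value, verified through crypt(3)"
    return f"{scheme or 'cleartext'}: not one of the MD5 formats discussed here"
```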

----------

## mikkele

 *Quote:*   

> Also, your ldapsearch is not using the password hash from the directory. Instead it is using your password in your /etc/openldap/slapd.conf. So it's a different thing. 

 

Then how is ldapsearch authenticating user mwe? That user is not mentioned in /etc/openldap/slapd.conf.

----------

## weyhan

 *mikkele wrote:*   

> Then how is ldapsearch authenticating user mwe? That user is not mentioned in /etc/openldap/slapd.conf.

 

ldapsearch does not authenticate user mwe. It only authenticates the user accessing it. Which is:

```
...
rootdn          "cn=Manager,dc=erup,dc=damnkewl,dc=net"
...
```

As you have set up in your /etc/openldap/slapd.conf.  :Wink:

----------

## iZm

I have a howto here that may be of help. This link only covers central auth for nix users but there is a samba/ldap howto elsewhere on the site. 

The howtos on monkeybox.org.uk are specific to Gentoo and, as Gentoo is such a fast-moving distro, are difficult to keep up to date, but the ldap one is fairly new. There are also a couple of scripts to download that make command-line creation of users/groups as simple as

```
useradd.LDAP username
groupadd.LDAP groupname
```

It also covers the problem with the account objectclass that is added when using the migrationtools scripts.  

Hope it helps   :Smile: 

http://www.monkeybox.org.uk/docs/gentoo/ldap.html

----------

## weyhan

 *iZm wrote:*   

> I have a howto here that may be of help. This link only covers central auth for nix users but there is a samba/ldap howto elsewhere on the site. 

 

Where were you when I needed you!!   :Wink: 

----------

## mikkele

 *Quote:*   

> ldapsearch does not authenticate user mwe. It only authenticate the user accessing it. Which is:
> 
> Code:
> 
> ...
> ...

 

I must say I don't understand that. I use the command

```
ldapsearch -D "uid=mwe,ou=People,dc=erup,dc=damnkewl,dc=net" -W
```

and enter the password for mwe which is not in /etc/openldap/slapd.conf.

But what the heck.

Anyway, after commenting out ssl start_tls in /etc/ldap.conf the log shows:

```
Aug 10 15:57:52 thor slapd[23674]: conn=3 fd=10 ACCEPT from IP=217.157.176.91:33657 (IP=0.0.0.0:636)
Aug 10 15:57:52 thor slapd[23674]: conn=3 op=0 BIND dn="" method=128
Aug 10 15:57:52 thor slapd[23674]: conn=3 op=0 RESULT tag=97 err=0 text=
Aug 10 15:57:52 thor slapd[23674]: conn=3 op=1 SRCH base="ou=People,dc=erup,dc=damkewl,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uid=mwe))"
Aug 10 15:57:52 thor slapd[23674]: conn=3 op=1 RESULT tag=101 err=32 text=
Aug 10 15:57:52 thor login[23684]: pam_ldap: ldap_search_s No such object  <== This baffles me
Aug 10 15:57:54 thor slapd[23674]: conn=2 op=13 SRCH base="ou=People,dc=erup,dc=damkewl,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uid=mwe))"
Aug 10 15:57:54 thor slapd[23674]: conn=2 op=13 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug 10 15:57:54 thor slapd[23674]: conn=2 op=13 RESULT tag=101 err=32 text=
Aug 10 15:57:54 thor login[23684]: FAILED LOGIN 1 FROM /dev/vc/1 FOR UNKNOWN, Authentication failure
```
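With `loglevel 256` slapd logs each request and its RESULT on separate lines, so the `err=32` above only makes sense once it is paired with the SRCH it answers (and its misspelled base). This added example (not code from the thread) correlates the stats lines by conn/op, decodes the result code and flags anonymous binds; the sample log is constructed from the lines posted above.

```python
import re

# Constructed sample: the lines posted above (same conn/op numbers, base and
# filter), trimmed to the two connections that matter.
SAMPLE_LOG = """\
Aug 10 15:57:52 thor slapd[23674]: conn=3 fd=10 ACCEPT from IP=217.157.176.91:33657 (IP=0.0.0.0:636)
Aug 10 15:57:52 thor slapd[23674]: conn=3 op=0 BIND dn="" method=128
Aug 10 15:57:52 thor slapd[23674]: conn=3 op=0 RESULT tag=97 err=0 text=
Aug 10 15:57:52 thor slapd[23674]: conn=3 op=1 SRCH base="ou=People,dc=erup,dc=damkewl,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uid=mwe))"
Aug 10 15:57:52 thor slapd[23674]: conn=3 op=1 RESULT tag=101 err=32 text=
Aug 10 15:57:54 thor slapd[23674]: conn=2 op=13 SRCH base="ou=People,dc=erup,dc=damkewl,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uid=mwe))"
Aug 10 15:57:54 thor slapd[23674]: conn=2 op=13 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug 10 15:57:54 thor slapd[23674]: conn=2 op=13 RESULT tag=101 err=32 text=
"""

# LDAP result codes (RFC 4511) that come up most while debugging pam_ldap/nss_ldap
RESULT_CODES = {0: "success", 1: "operationsError", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}

OP_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (\w+)(.*)")

def parse_ops(log):
    """Map (conn, op) -> {"type", "detail", "err"}, in the order ops first appear."""
    ops = {}
    for line in log.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue                      # ACCEPT / closed lines carry no op number
        key = (int(m.group(1)), int(m.group(2)))
        kind, rest = m.group(3), m.group(4).strip()
        entry = ops.setdefault(key, {"type": kind, "detail": "", "err": None})
        if kind == "RESULT":
            err = re.search(r"err=(\d+)", rest)
            entry["err"] = int(err.group(1)) if err else None
        else:                             # SRCH may span two lines (base, then attr=)
            entry["detail"] = (entry["detail"] + " " + rest).strip()
    return ops

def failed_ops(log):
    """One line per op whose RESULT was anything but success, with its request."""
    return [f"conn={c} op={o} {i['type']} {i['detail']} -> err={i['err']} "
            f"({RESULT_CODES.get(i['err'], 'unknown')})"
            for (c, o), i in parse_ops(log).items() if i["err"] not in (None, 0)]

def anonymous_binds(log):
    """Connections that bound with an empty DN, i.e. anonymously."""
    return sorted({c for (c, _), i in parse_ops(log).items()
                   if i["type"] == "BIND" and 'dn=""' in i["detail"]})
```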

----------

## mikkele

Why the heck does this have to be so damn complicated?

----------

## weyhan

 *mikkele wrote:*   

> I must say I don't understand that. I use the the command
> 
> ```
> ldapsearch -D "uid=mwe,ou=People,dc=erup,dc=damnkewl,dc=net" -W
> ```
> ...

 

Hmm... I did not notice you had the "uid=mwe..." part specified before. Usually I would use the user specified in /etc/openldap/slapd.conf. Not sure what the difference is.

 *mikkele wrote:*   

> Anyway after commenting out ssl start_tls in /etc/ldap.conf  the log shows:
> 
> ...
> 
> Aug 10 15:57:52 thor slapd[23674]: conn=3 op=1 SRCH base="ou=People,dc=erup,dc=damkewl,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uid=mwe))"
> ...

 

This is the first time I have seen "damkewl" in your posting. The others were "damnkewl". If it is a typo from when you changed the identity of your net then it should not be a problem, but to be safe, check for typos.

The other possibility is your ACL. Try something simple before configuring it for full control. The following is the ACL I use during setup. Only when I have got the authentication working do I change it to a more limiting setting.

```
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
```

HTH

----------

## arkepp

If you haven't gotten any further:

I was getting lots of weird errors as well, for one thing all my settings were apparently correct and "getent passwd" returned the correct users, as did slapd seem to do when I looked at the debug output. PAM still refused my users though  :Sad: 

In the end I recompiled (with USE="ldap pam") pam, pam_ldap, nss_ldap and ssh, and finally I rebooted the machine (I figured that nscd could be causing problems; I don't know exactly how it works). I suspect that some of the modules were compiled with an older version of openldap, but that is just a wild guess.

----------

