# PAM/Ldap problems

## junky

Hi,

I'm trying to set up a centralised LDAP server, with clients using it for authentication (all machines are Gentoo). The server running slapd seems to work fine, including local authentication via PAM.

I'm now trying to get clients to use the LDAP server for authentication, using http://www.monkeybox.org.uk/docs/gentoo/ldap.html as guidance.

The clients can successfully use ldapsearch to query the ldap server. I've made the advised changes to system-auth and nsswitch.conf, but PAM seems to ignore these completely when using getent or when attempting to login.

I've added ldap to my USE flags and re-emerged pam_ldap, nss_ldap and pam, and rebooted. But still PAM doesn't attempt to use ldap.

Using tcpdump I've monitored the traffic from the client to the server and there isn't a single packet sent from client to server on either of the ldap ports. However, there clearly is during an ldapsearch.

I've literally cut and pasted system-auth from the monkeybox.

Has this been seen before?

Can anybody advise?

Can I trace PAM?

Thanks

Junky

----------

## weyhan

You need to set up /etc/ldap.conf. Both pam and nss use this file. Even with nsswitch.conf set up correctly, if the ldap server can't be found, it will use the file version of the login credentials.

----------

## junky

Hi,

Thanks for the response. If there was a problem with /etc/ldap.conf wouldn't this break ldapsearch? ldapsearch works fine from the client, hence I think it's a problem with PAM.

Cheers

Junky

----------

## weyhan

*junky wrote:*

> Hi,
>
> Thanks for the response. If there was a problem with /etc/ldap.conf wouldn't this break ldapsearch? ldapsearch works fine from the client, hence I think it's a problem with PAM.

Nope. Because ldapsearch uses /etc/openldap/ldap.conf for its configuration while pam and nss use /etc/ldap.conf. Notice there are two configuration files with the same name in different locations.

You are right in the sense that PAM is the problem, because PAM is not getting the correct configuration from /etc/ldap.conf.

----------

## junky

Han,

You were right. A bit more tweaking of /etc/ldap.conf now means that getent works! Thanks for your assistance. Any idea why sshd would ignore it though?

Thanks

Junky

----------

## weyhan

*junky wrote:*

> Han,
>
> You were right. A bit more tweaking of /etc/ldap.conf now means that getent works! Thanks for your assistance.

No problem.

*junky wrote:*

> Any idea why sshd would ignore it though?

User authentication is not handled by sshd (at least not with the gentoo default setting); rather, it uses pam to do the authentication. sshd is not really ignoring your ldap server. Problems like yours usually mean that pam can't connect to the ldap server, therefore pam falls back to the file-based user credentials, which of course will not find the users that are in the ldap db. :Wink:

----------

## junky

Han,

Once again you were spot on!

Due to the problems I was having with /etc/ldap.conf, I backed out the changes I had made to system-auth to ensure I didn't lock myself out of the system. Once I fixed up /etc/ldap.conf and put my ldap version of system-auth back in place, PAM started working.

Thanks again for all your assistance, it is greatly appreciated.

Junky

----------

## weyhan

*junky wrote:*

> Han,
>
> Once again you were spot on!

That's the result of 2 months of research and trial plus lots of error. :Wink:

*junky wrote:*

> Due to the problems I was having with /etc/ldap.conf, I backed out the changes I had made to system-auth to ensure I didn't lock myself out of the system. Once I fixed up /etc/ldap.conf and put my ldap version of system-auth back in place, PAM started working.

Hmm... As you have also noted, you could get locked out. Maybe it might be a good idea to leave at least your root account in the regular file-based credentials, along with maybe a few system accounts and groups. It's very easy to get PAM to authenticate users from the file-based version if that user is not found in the ldap version. That way, even when your ldap server is down, you can still login to the system.

*junky wrote:*

> Thanks again for all your assistance, it is greatly appreciated.

Glad to, so long as you did not ask me to do your homework. :Wink:

----------

## Skywacker

I've been following the http://www.monkeybox.org.uk/docs/gentoo/ldap.html howto as well. I finally got things working in the sense that I can install LDAP, start slapd, migrate data, ldapsearch and find all that data, but getent passwd only returns users from /etc/passwd.

I understand that /etc/ldap.conf is what getent uses. I've copied the example from monkeybox exactly (changing the domain names). I've tried using

Since ldapsearch is working, and it uses /etc/openldap/ldap.conf, I tried mimicking some settings there into /etc/ldap.conf.

I've tried restarting slapd between every change and tail-ing /var/log/messages after each attempt. Nothing works, and nothing shows up in the logs.

When slapd is NOT running and I try to ssh in, I get this in the messages log:

```
Aug 20 11:23:17 b2 sshd[20117]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 20 11:23:17 b2 sshd[20115]: Accepted keyboard-interactive/pam for root from 192.168.0.1 port 13236 ssh2
Aug 20 11:23:17 b2 sshd(pam_unix)[20118]: session opened for user root by root(uid=0)
```

But if slapd IS running, I get no such complaint, only:

```
b2 slapd[20036]: bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
```

The way I understand it from the posts above is: ssh relies on pam, pam looks in nsswitch, my nsswitch says to try compat and ldap, it doesn't see the ldap server at all, and checks the password against /etc/passwd. So when slapd is running, pam CAN contact the LDAP server, but I'm getting no results.

I'll post my relevant config files:

/etc/slapd.conf

```
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schema and objectClass definitions
include    /etc/openldap/schema/core.schema
include    /etc/openldap/schema/cosine.schema
include    /etc/openldap/schema/nis.schema
include    /etc/openldap/schema/inetorgperson.schema
#include    /etc/openldap/schema/samba.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck   on

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile    /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args
Loglevel   0

# Load dynamic backend modules:
# modulepath   /usr/lib/openldap/openldap
# moduleload   back_ldap.la
# moduleload   back_ldbm.la
# moduleload   back_passwd.la
# moduleload   back_shell.la

# Password Hash
password-hash  {crypt}

# TLS stuff
# Keep the following commented until everything else is working
#
#TLSCertificateFile     /etc/ssl/certs/slapdcert.pem
#TLSCertificateKeyFile  /etc/ssl/certs/slapdkey.pem
#TLSCACertificateFile   /etc/ssl/certs/slapdcert.pem

#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=cvucluster,dc=localdomain"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Manager,dc=cvucluster,dc=localdomain"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw {MD5}Nmf1z1bcJZWVpoSbeGQbsg==
rootpw {MD5}myencyptedpassword==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/openldap-ldbm
# Indices to maintain
index   objectClass   eq
index   cn            pres,sub,eq
index   sn            pres,sub,eq
## required to support pdb_getsampwnam
#index   uid           pres,sub,eq
## required to support pdb_getsambapwrid()
#index   displayName   pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index   uidNumber            eq
index   gidNumber            eq
index   memberUid            eq
#index   sambaSID             eq
#index   sambaPrimaryGroupSID eq
#index   sambaDomainName      eq
index   default              sub
# Save the time that the entry gets modified, for database #1
lastmod    on
# Where to store the replica logs for database #1
# replogfile /var/lib/openldap-slurp/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to this database only
access to *
        by dn=''uid=root,ou=People,dc=cvucluster,dc=localdomain'' write
        by dn="cn=Manager,dc=cvucluster,dc=localdomain" write
        by users read
        by anonymous auth
        by * search
#access to attribute=userPassword,gecos,description,sambaLMPassword,sambaNTPassword
access to attribute=userPassword,gecos,description
        by dn=''cn=Manager,dc=cvucluster.localdomain'' write
        by dn=''uid=root,ou=People,dc=cvucluster,dc=localdomain'' write
        by self write
        by anonymous auth
        by * none
#access to everything for manager
access to *
        by dn="cn=Manager,dc=cvucluster,dc=localdomain" write
        by * read
```

/etc/openldap/ldap.conf

```
BASE            dc=cvucluster, dc=localdomain
TLS_REQCERT  allow
URI ldap://b2.cvucluster.localdomain
```

/etc/ldap.conf

```
host                 127.0.0.1
BASE                 dc=cvucluster,dc=localdomain
URI                     ldap://b2.cvucluster.localdomain
scope                one
pam_filter           objectclass=posixaccount
pam_login_attrubute  uid
pam_member_attribute memberuid
nss_base_passwd      ou=People,dc=cvucluster,dc=localdomain?one
nss_base_shadow      ou=People,dc=cvucluster,dc=localdomain?one
nss_base_group       ou=Group,dc=cvucluster,dc=localdomain?one
nss_hosts            ou=Hosts,dc=cvucluster,dc=localdomain?one
pam_password         exop
# if this is the /etc/ldap.conf that is local to the server,
# i.e not a client machine then
# the following can stay commented, else uncomment
#ssl start_tls
#ssl on
#suffix  "dc=cvucluster,dc=localdomain"
```

/etc/conf.d/slapd

```
#OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

/etc/pam.d/system-auth

```
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_ldap.so use_authtok
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_ldap.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=076
```

/etc/nsswitch.conf

```
passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap
hosts:       files dns ldap
```

And like I said, ldapsearch returns results from the ldap server whereas getent does not.

And finally, I emerged openldap pam_ldap nss_ldap migrationtools with these USE flags:

```
USE="-kde -gnome pam -qt -qtmt -quicktime tcpd -X php mysql openssl f77 ldap ssh tls ssl crpyt "
```

Any clues? Thanks in advance!!

-Sky

----------

## Skywacker

I changed the logging level to 2048 and now see this in /var/log/messages when I try to ssh in:

*Quote:*

> pam_ldap: ldap_simple_bind Can't contact LDAP server
> Aug 20 11:55:54 b2 sshd[20486]: Accepted keyboard-interactive/pam for root from 192.168.0.1 port 9978 ssh2
> Aug 20 11:55:54 b2 sshd(pam_unix)[20491]: session opened for user root by root(uid=0)
> ...

----------

## weyhan

*Skywacker wrote:*

> /etc/ldap.conf
>
> ```
> ...
> ```

Here is your problem. You only need one of the above.

----------
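As an added example (not code from the thread or from the monkeybox howto), a small POSIX shell script that mechanises weyhan's two points: that pam_ldap/nss_ldap read /etc/ldap.conf while ldapsearch reads /etc/openldap/ldap.conf, so the two should agree on the search base, and that /etc/ldap.conf should name the server one way (host or uri), not both as in Skywacker's file. The file paths are the ones named in the thread; the function names are my own and the configs fed to it in testing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the two ldap.conf files
# discussed above. ldapsearch reads /etc/openldap/ldap.conf; pam_ldap and
# nss_ldap read /etc/ldap.conf. A working ldapsearch therefore proves nothing
# about the file PAM uses. Usage: source this file, then call e.g.
#   check_pam_ldap_conf /etc/ldap.conf
#   same_base /etc/openldap/ldap.conf /etc/ldap.conf && echo "bases agree"

# Print the value of a directive from an ldap.conf-style file.
# Keys are matched case-insensitively (BASE vs base); first match wins.
ldap_conf_get() {
    # $1 = config file, $2 = key
    awk -v k="$2" 'tolower($1) == tolower(k) {
        sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Count server-location directives (host or uri). The server only needs to be
# named one way; Skywacker's file sets both, which is what weyhan points at.
count_server_directives() {
    grep -ciE '^[[:space:]]*(host|uri)[[:space:]]' "$1" || true
}

# Check a pam_ldap/nss_ldap config. Prints each problem; returns 0 if none.
# A missing file is the classic failure: pam_ldap and nss_ldap then see only
# the local files, exactly the symptom junky and Skywacker describe.
check_pam_ldap_conf() {
    f="$1"; rc=0
    if [ ! -r "$f" ]; then
        echo "$f: missing or unreadable, PAM/NSS will only see local files"
        return 1
    fi
    n=$(count_server_directives "$f")
    [ "$n" -eq 1 ] || { echo "$f: $n host/uri lines, want exactly 1"; rc=1; }
    [ -n "$(ldap_conf_get "$f" base)" ] || { echo "$f: base not set"; rc=1; }
    return $rc
}

# Do the tools config ($1) and the PAM/NSS config ($2) search the same base?
# Whitespace is stripped because the tools file tolerates "dc=a, dc=b".
same_base() {
    a=$(ldap_conf_get "$1" base | tr -d ' \t')
    b=$(ldap_conf_get "$2" base | tr -d ' \t')
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```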

