nss_ldap and pam_ldap configuration

DJ Lucas dj at lucasit.com
Mon Jun 14 23:27:44 PDT 2010



Guys, I need another set of eyes on this one...I know it is something
simple (probably even obvious), but I can't for the life of me see it
now.  I'm building a test server (on LFS-6.6 host), to place all users
in LDAP, (eventually a similar config will remove the necessity of the
flat files).  For some reason, pam_ldap is not authenticating correctly,
and I just can't see it.  All passwords are 'password' just FYI (it is
only a test server for POC, so no worries about posting passwords).
I've wiped everything about 10 times now and started fresh yet again.

I've populated the directory using the IdealX smbldap tools.  No
kerberos or tls to worry about for now.  Samba is working correctly, as
are ldap binds using "-x -D uid=root,ou=Users,dc=lucasit,dc=local -W"
and supplying the password of 'password'.  Samba config files are not
listed here, but the rest of the directory information is, including a
full ldif.

What I'm actually seeing upon login is that the password is prompted for
twice, once for the normal password and once again for LDAP, which
shouldn't be happening because of the try_first_pass parameter to
pam_ldap.so.  Authentication is actually failing because it is a
sufficient directive, not required, but the root user can still log in
using files.

I was thinking that it might be related to the sasldb support in
openldap, but I don't think so, as the login errors when set to required
do not mention sasl bind (as the openldap tools do when omitting the
simple bind switch (-x)).

Below are the files necessary to make it all work (I think), separated
by star characters; additional info is available upon request.

TIA -- DJ



PS - Yes I'm competing for the "Useless Use of cat" award!

*********************************************************************
root at anu:~ $ cat /etc/pam.d/login
# Begin /etc/pam.d/login

auth        requisite      pam_nologin.so
auth        required       pam_securetty.so
auth        required       pam_unix.so
auth        sufficient     pam_ldap.so     try_first_pass
account     required       pam_access.so
account     required       pam_unix.so
account     sufficient     pam_ldap.so
session     required       pam_env.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
session     sufficient     pam_ldap.so
password    required       pam_cracklib.so  retry=3
password    required       pam_unix.so      md5 shadow use_authtok
password    sufficient     pam_ldap.so      try_first_pass

# End /etc/pam.d/login



*********************************************************************
root at anu:~ $ cat /etc/nsswitch.conf
# Begin /etc/nsswitch.conf

passwd: ldap files
group: ldap files
shadow: ldap files

hosts: files dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

# End /etc/nsswitch.conf



*********************************************************************
root at anu:~ $ cat /etc/ldap.conf
BASE       dc=lucasit,dc=local
HOST       ldap://127.0.0.1
pam_crypt  local



*********************************************************************
root at anu:~ $ cat /etc/openldap/ldap.conf
base dc=lucasit,dc=local
uri ldap://anu.lucasit.local

bind_policy soft
bind_timelimit 10

host localhost
idle_timelimit 3600
ldap_version 3

nss_base_group  ou=Groups,dc=lucasit,dc=local?one
nss_base_passwd ou=Users,dc=lucasit,dc=local?one
nss_base_passwd ou=Computers,dc=lucasit,dc=local?one
nss_base_shadow ou=Users,dc=lucasit,dc=local?one

nss_connect_policy persist
nss_paged_results yes

pagesize 1000
port 389
scope one
timelimit 30



*********************************************************************
root at anu:~ $ cat /etc/nss_ldap.conf
base dc=lucasit,dc=local
uri ldap://anu.lucasit.local

bind_policy soft
bind_timelimit 10

host localhost
idle_timelimit 3600
ldap_version 3

nss_base_group  ou=Groups,dc=lucasit,dc=local?one
nss_base_passwd ou=Users,dc=lucasit,dc=local?one
nss_base_passwd ou=Computers,dc=lucasit,dc=local?one
nss_base_shadow ou=Users,dc=lucasit,dc=local?one

nss_connect_policy persist
nss_paged_results yes

pagesize 1000
port 389
scope one
timelimit 30



*********************************************************************
root at anu:~ $ cat /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/misc.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

#### Note, these ACLs were temporarily commented out so I could show
#### the passwords in the ldapsearch output below, which I just
#### realized were incorrect, but are of no importance to the
#### current issue with pam_ldap.

#access to attrs=sambaLMPassword
#	by self write
#	by anonymous auth
#	by dn.base="cn=root,dc=lucasit,dc=local" write
#	by * none

#access to attrs=sambaNTPassword
#        by self write
#        by anonymous auth
#        by dn.base="cn=root,dc=lucasit,dc=local" write
#        by * none

#access to attrs=userPassword
#        by self write
#        by anonymous auth
#        by dn.base="cn=root,dc=lucasit,dc=local" write
#        by * none

#access to *
#	by self write
#	by dn.base="cn=root,dc=lucasit,dc=local" write
#	by users read

# Set loglevel to 256...good logs on local4 facility
#loglevel 256

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/srv/ldap/run/slapd.pid
argsfile	/srv/ldap/run/slapd.args

# Load dynamic backend modules:
# modulepath	/usr/sbin/openldap
# moduleload	back_bdb.la
# moduleload	back_hdb.la
# moduleload	back_ldap.la

#######################################################################
# BDB database definitions
#######################################################################

database	bdb
suffix		"dc=lucasit,dc=local"
rootdn		"cn=Manager,dc=lucasit,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw		{SSHA}8y3KylLSw4G/EZx+0sDcsrbHVvHWW7ds

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/srv/ldap/openldap-data
# Indices to maintain
index	objectClass		eq
index	cn			pres,sub,eq
index	sn			pres,sub,eq
index	uid			pres,sub,eq
index	displayName		pres,sub,eq
index	uidNumber		eq
index	gidNumber		eq
index	memberUID		eq,subinitial
index	mail			eq,subinitial
index	givenname		eq,subinitial
index	sambaSID		eq
index	sambaPrimaryGroupSID	eq
index	sambaDomainName		eq
index	default			sub




*********************************************************************
root at anu:~ $ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=lucasit,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# lucasit.local
dn: dc=lucasit,dc=local
objectClass: dcObject
objectClass: organization
o: lucasit
dc: lucasit

# Users, lucasit.local
dn: ou=Users,dc=lucasit,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Users

# Groups, lucasit.local
dn: ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Groups

# Computers, lucasit.local
dn: ou=Computers,dc=lucasit,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Computers

# root, Users, lucasit.local
dn: uid=root,ou=Users,dc=lucasit,dc=local
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\anu\root
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-1997694480-2877811493-4162974799-512
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-500
loginShell: /bin/bash
gecos: Netbios Domain Administrator
mail: administrator at lucasit.local
mail: administrator at lucasit.com
mail: postmaster at lucasit.local
mail: postmaster at lucasit.com
mail: hostmater at lucasit.com
mail: abuse at lucsit.com
sambaLMPassword: E52CAC67419A9A224A3B108F3FA6CB6D
sambaAcctFlags: [U]
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
sambaPwdLastSet: 1276580302
sambaPwdMustChange: 87676580302
userPassword:: e1NTSEF9ZW84M2s0RkNRcGpwQ0lNd3dWVkJNbWhaN1NCQ2R6VmE=

# nobody, Users, lucasit.local
dn: uid=nobody,ou=Users,dc=lucasit,dc=local
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 99
uid: nobody
uidNumber: 99
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\anu\nobody
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-1997694480-2877811493-4162974799-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD        ]
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-2998
loginShell: /bin/bash

# Domain Admins, Groups, lucasit.local
dn: cn=Domain Admins,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-512
sambaGroupType: 2
displayName: Domain Admins

# Domain Users, Groups, lucasit.local
dn: cn=Domain Users,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-513
sambaGroupType: 2
displayName: Domain Users

# Domain Guests, Groups, lucasit.local
dn: cn=Domain Guests,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-514
sambaGroupType: 2
displayName: Domain Guests

# Domain Computers, Groups, lucasit.local
dn: cn=Domain Computers,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-515
sambaGroupType: 2
displayName: Domain Computers

# Administrators, Groups, lucasit.local
dn: cn=Administrators,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators

# Account Operators, Groups, lucasit.local
dn: cn=Account Operators,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators

# Print Operators, Groups, lucasit.local
dn: cn=Print Operators,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators

# Backup Operators, Groups, lucasit.local
dn: cn=Backup Operators,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

# Replicators, Groups, lucasit.local
dn: cn=Replicators,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

# LUCASIT, lucasit.local
dn: sambaDomainName=LUCASIT,dc=lucasit,dc=local
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: LUCASIT
sambaSID: S-1-5-21-1997694480-2877811493-4162974799
uidNumber: 10000
gidNumber: 10000
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16





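Added example (not part of DJ's post or of any PAM/nss_ldap code): a small Python model of Linux-PAM control-flag semantics, run over the auth stack from the posted /etc/pam.d/login. The per-module outcomes are constructed inputs, and LDAP_FIRST_STACK is a hypothetical alternative ordering that the post does not contain. It does not model the second password prompt (pam_ldap's try_first_pass re-prompts when the first password is rejected by the directory), but it shows why a sufficient pam_ldap.so placed after a required pam_unix.so can never admit a user whom pam_unix.so rejects, while root keeps working through the files.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    control: str  # requisite | required | sufficient (optional not modelled here)
    module: str

# The auth stack exactly as posted in /etc/pam.d/login above.
POSTED_AUTH_STACK = [
    Rule("requisite", "pam_nologin.so"),
    Rule("required", "pam_securetty.so"),
    Rule("required", "pam_unix.so"),
    Rule("sufficient", "pam_ldap.so"),
]

# Hypothetical alternative ordering (not from the post): consult LDAP first
# and fall back to the local files only when LDAP does not succeed.
LDAP_FIRST_STACK = [
    Rule("requisite", "pam_nologin.so"),
    Rule("required", "pam_securetty.so"),
    Rule("sufficient", "pam_ldap.so"),
    Rule("required", "pam_unix.so"),
]

def run_auth_stack(stack, outcomes):
    """Final verdict of an auth stack under Linux-PAM control-flag semantics;
    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure)."""
    status = None  # None: no module has decided the result yet
    for rule in stack:
        ok = outcomes.get(rule.module, False)
        if rule.control == "requisite":
            if not ok:
                return False  # abort the whole stack immediately
            status = True if status is None else status
        elif rule.control == "required":
            if ok:
                status = True if status is None else status
            else:
                status = False  # failure is remembered; later modules still run
        elif rule.control == "sufficient":
            if ok and status is not False:
                return True  # wins only if no earlier required module failed
            # a failing (or overruled) sufficient module is simply ignored
        else:
            raise ValueError(f"unsupported control flag {rule.control!r}")
    return status is True

def scenario(stack, unix_ok, ldap_ok):
    """Constructed login attempt: nologin and securetty pass, files/LDAP vary."""
    return run_auth_stack(stack, {"pam_nologin.so": True, "pam_securetty.so": True,
                                  "pam_unix.so": unix_ok, "pam_ldap.so": ldap_ok})
```

With the posted ordering, scenario(POSTED_AUTH_STACK, unix_ok=False, ldap_ok=True) is False even though the directory accepted the password, because the earlier required pam_unix.so failure is already recorded when pam_ldap.so succeeds.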



