
Re: Upgrade from 0.7 to 0.8 having auth problems



On Wed, 2012-11-21 at 16:28 -0600, Andy Colson wrote:
> I used this to build all the different packages to install:
> 
> http://slackbuilds.org/repository/14.0/system/nss-pam-ldapd/

I got it working without too many issues. This is what I did:

- install Slackware 14.0 32-bit x86 (first CD only)
- install packages: autoconf-2.69-noarch-1.txz,
  automake-1.11.5-noarch-1.txz, binutils-2.22.52.0.2-i486-2.txz,
  bison-2.5.1-i486-1.txz, dev86-0.16.17-i486-1.txz,
  gcc-4.7.1-i486-1.txz, gdb-7.5-i486-1.txz,
  kernel-headers-3.2.29_smp-x86-1.txz, linuxdoc-tools-0.9.67-i486-2.txz,
  m4-1.4.16-i486-1.txz, make-3.82-i486-3.txz,
  openldap-client-2.4.31-i486-2.txz, perl-5.16.1-i486-1.txz,
  python-2.7.3-i486-2.txz, strace-4.5.20-i486-1.txz,
  subversion-1.7.6-i486-1.txz
- check out svn version of nss-pam-ldapd:
  cd /some/dir
  svn co http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd
- build:
  ./autogen.sh
  ./configure --enable-warnings --disable-pam
  touch man/nslcd.8 man/nslcd.conf.5 man/pam_ldap.8 man/pynslcd.8
  make
  make install
  (the touch is needed because I haven't installed anything to generate
  the manual pages from docbook)
- set up/configure:
  useradd --system nslcd
  add ldap to the end of every service in /etc/nsswitch.conf (but only
  passwd and group should be required)
  add the following line to /etc/nsswitch.conf:
    shadow:         files ldap
- set the following configuration options in /etc/nslcd.conf:
  uri ldap://192.168.12.4/
  base dc=test,dc=tld
  binddn cn=admin,dc=test,dc=tld
  bindpw password
  map passwd userPassword userPassword
  map shadow userPassword userPassword

That was pretty much all I had to do to get it working.

After starting nslcd we do some tests:
# getent passwd ecolden
ecolden:x:5972:1000:Estelle Colden:/home/ecolden:/bin/bash
# getent shadow ecolden
ecolden:kvho1EyqGnBdE:12302:::7:2::0

It is important to note that the passwd entry has an x in the password
field and the shadow entry has a hash that is not prefixed with {SMD5}
or similar. The passwd x indicates that the password is in the shadow
database and the hash needs to be in one of the supported formats (at
least that is the case for pam_unix). For this test I changed the
hashing in the LDAP server for this test user to an old crypt hash.

Doing the authentication test:

# su - nobody -s /bin/sh
$ su - ecolden
Password: 
No directory, logging in with HOME=/
$ id
uid=5972(ecolden) gid=1000 groups=1000,1006(hugegroup)

The debug output of nslcd for the su - ecolden is:

nslcd: [d062c2] DEBUG: connection from pid=3022 uid=0 gid=99
nslcd: [d062c2] <passwd=-1> DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=posixAccount)(uidNumber=-1))")
nslcd: [d062c2] <passwd=-1> DEBUG: ldap_result(): end of results (0 total)
nslcd: [200854] DEBUG: connection from pid=3022 uid=0 gid=99
nslcd: [200854] <passwd="ecolden"> DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=posixAccount)(uid=ecolden))")
nslcd: [200854] <passwd="ecolden"> DEBUG: ldap_result(): uid=ecolden,ou=lotsofpeople,dc=test,dc=tld
nslcd: [200854] <passwd="ecolden"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b127f8] DEBUG: connection from pid=3022 uid=0 gid=99
nslcd: [b127f8] <shadow="ecolden"> DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=shadowAccount)(uid=ecolden))")
nslcd: [b127f8] <shadow="ecolden"> DEBUG: ldap_result(): uid=ecolden,ou=lotsofpeople,dc=test,dc=tld
nslcd: [b127f8] <shadow="ecolden"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [16231b] DEBUG: connection from pid=3022 uid=0 gid=1000
nslcd: [16231b] <group/member="ecolden"> DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=posixAccount)(uid=ecolden))")
nslcd: [16231b] <group/member="ecolden"> DEBUG: ldap_result(): uid=ecolden,ou=lotsofpeople,dc=test,dc=tld
nslcd: [16231b] <group/member="ecolden"> DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=posixGroup)(|(memberUid=ecolden)(member=uid=ecolden,ou=lotsofpeople,dc=test,dc=tld)))")
nslcd: [16231b] <group/member="ecolden"> DEBUG: ldap_result(): cn=hugegroup,ou=groups,dc=test,dc=tld
nslcd: [16231b] <group/member="ecolden"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [16e9e8] DEBUG: connection from pid=3022 uid=5972 gid=1000
nslcd: [16e9e8] <passwd=5972> DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=posixAccount)(uidNumber=5972))")
nslcd: [16e9e8] <passwd=5972> DEBUG: ldap_result(): uid=ecolden,ou=lotsofpeople,dc=test,dc=tld
nslcd: [16e9e8] <passwd=5972> DEBUG: ldap_result(): end of results (1 total)

The 16231b request and the later ones were made after entering the password.
The <passwd=-1> request is a bit weird but the other ones seem logical.

So all in all I got everything working quite easily but I couldn't
reproduce the issue :(

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
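The message above points out two things the shadow-via-LDAP setup depends on: the passwd entry must carry "x" in its password field, and the hash that the shadow map returns must be in a crypt(3) format that pam_unix can verify, not an LDAP scheme such as {SMD5} or {SSHA}. The following Python script is an added example, not code from the nss-pam-ldapd project or from the list post, that checks a getent passwd/shadow pair for exactly those conditions; the ecolden lines are the output quoted above and the {SSHA} shadow line is a constructed counter-example.

```python
import re

# crypt(3) formats pam_unix can verify: 13-character traditional DES hashes and
# glibc modular hashes ($1$ MD5, $5$ SHA-256, $6$ SHA-512, $2*$ bcrypt, $y$ yescrypt).
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
_MODULAR_RE = re.compile(r"^\$(1|5|6|2a|2b|2y|y)\$[^\s:]+$")
# LDAP userPassword scheme prefixes such as {SMD5} or {SSHA}; pam_unix cannot use these.
_LDAP_SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")

def classify_hash(value):
    """Return 'crypt', 'ldap-scheme', 'locked', 'empty' or 'unknown' for a shadow hash field."""
    if value == "":
        return "empty"
    if value in ("*", "!!") or value.startswith("!"):
        return "locked"
    if _LDAP_SCHEME_RE.match(value):
        return "ldap-scheme"
    if _DES_RE.match(value) or _MODULAR_RE.match(value):
        return "crypt"
    return "unknown"

def check_entries(passwd_line, shadow_line):
    """Check a getent passwd line against its shadow line; return a list of problems (empty = usable by pam_unix)."""
    p = passwd_line.rstrip("\n").split(":")
    s = shadow_line.rstrip("\n").split(":")
    problems = []
    if len(p) != 7:
        return ["passwd entry does not have 7 fields"]
    if len(s) != 9:
        return ["shadow entry does not have 9 fields"]
    if p[0] != s[0]:
        problems.append("passwd user %r does not match shadow user %r" % (p[0], s[0]))
    if p[1] != "x":
        problems.append("passwd password field is %r, expected 'x' so the lookup goes to shadow" % p[1])
    kind = classify_hash(s[1])
    if kind == "ldap-scheme":
        scheme = s[1].split("}")[0] + "}"
        problems.append("shadow hash carries LDAP scheme prefix %s which pam_unix cannot verify" % scheme)
    elif kind == "unknown":
        problems.append("shadow hash %r is not in a crypt(3) format" % s[1])
    return problems

# Sample input: the passwd/shadow pair is the getent output quoted in the post;
# the second shadow line is constructed to show a hash still carrying an LDAP scheme.
PASSWD_OK = "ecolden:x:5972:1000:Estelle Colden:/home/ecolden:/bin/bash"
SHADOW_OK = "ecolden:kvho1EyqGnBdE:12302:::7:2::0"
SHADOW_BAD = "ecolden:{SSHA}bm90YXJlYWxoYXNoLWp1c3RhbmV4YW1wbGU=:12302:::7:2::0"
```

Run it against `getent passwd USER` and `getent shadow USER` output from the nslcd host to confirm the map passwd/map shadow userPassword settings produce something pam_unix can actually check.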