lists.arthurdejong.org
RSS feed

Re: authentication puzzle

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: authentication puzzle




Hi all,

Thank you all for the replies. Yes, the problem was /etc/pam_ldap.conf. Even though all servers were configured in /etc/nslcd.conf, pam_ldap.conf contained only the first server. Once the others were added to it, authentication worked.

Eneida


On 3/11/14 9:39 AM, Eneida Lima wrote:

Arthur,

Here is the info :

1. /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files

2. /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_ldap.so try_first_pass
auth        sufficient    pam_unix.so nullok use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
#account     sufficient    pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so crypt shadow nullok use_authtok use_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
#session     optional      pam_ldap.so
session     required      pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

3. Output from 'nslcd -d' for an unsuccessful login:
nslcd: DEBUG: add_uri(ldaps://opends2.example.com/)
nslcd: DEBUG: add_uri(ldaps://opends1.example.com/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/openldap/certs/server_cert.pem")
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,3)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/certs")
nslcd: version 0.7.5 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=601 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_shadow_byname(jdoe)
nslcd: [8b4567] DEBUG: myldap_search(base="ou=People,dc=example,dc=com", filter="(&(objectClass=shadowAccount)(uid=jdoe))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldaps://opends2.example.com/)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD) nslcd: [8b4567] DEBUG: ldap_simple_bind_s("cn=agent,ou=profile,dc=example,dc=com","***") (uri="ldaps://opends2.example.com/")
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=601 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_shadow_byname(jdoe)
nslcd: [7b23c6] DEBUG: myldap_search(base="ou=People,dc=example,dc=com", filter="(&(objectClass=shadowAccount)(uid=jdoe))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldaps://opends2.example.com/)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD) nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("cn=agent,ou=profile,dc=example,dc=com","***") (uri="ldaps://opends2.example.com/")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results

4. output on the server side (opends2.example.com):

[11/Mar/2014:09:21:57 -0700] CONNECT conn=3974037 from=XXX.XXX.XXX.XXX:35097 to=YYY.YYY.YYY.YYY:636 protocol=LDAPS [11/Mar/2014:09:21:57 -0700] BIND REQ conn=3974037 op=0 msgID=1 type=SIMPLE dn="cn=agent,ou=profile,dc=example,dc=com" [11/Mar/2014:09:21:57 -0700] BIND RES conn=3974037 op=0 msgID=1 result=0 authDN="cn=agent,ou=profile,dc=example,dc=com" etime=0 [11/Mar/2014:09:21:57 -0700] SEARCH REQ conn=3974037 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=shadowAccount)(uid=jdoe))" attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange" [11/Mar/2014:09:21:57 -0700] SEARCH RES conn=3974037 op=1 msgID=2 result=0 nentries=1 etime=1 [11/Mar/2014:09:21:57 -0700] CONNECT conn=3974038 from=XXX.XXX.XXX.XXX:35102 to=YYY.YYY.YYY.YYY:636 protocol=LDAPS [11/Mar/2014:09:21:57 -0700] BIND REQ conn=3974038 op=0 msgID=1 type=SIMPLE dn="cn=agent,ou=profile,dc=example,dc=com" [11/Mar/2014:09:21:57 -0700] BIND RES conn=3974038 op=0 msgID=1 result=0 authDN="cn=agent,ou=profile,dc=example,dc=com" etime=1 [11/Mar/2014:09:21:57 -0700] SEARCH REQ conn=3974038 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=shadowAccount)(uid=jdoe))" attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange" [11/Mar/2014:09:21:57 -0700] SEARCH RES conn=3974038 op=1 msgID=2 result=0 nentries=1 etime=1

On the client side I have : Permission denied, please try again.

Thank you,

Eneida


On 3/6/14 12:04 PM, Eneida Lima wrote:

Hi,

I am told that we have 2 identical opends ldap servers. We set our clients to connect to both of them. In case one is not available, it fails over to the other one. It works fine for all our machines running redhat 5.X. I am setting up a new RHEL6.5 and I am using redhat distribution of nss-pam-ldap (nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64). All worked well, including authentication and automount, when I set nslcd with the first server. I then tried the second server. It does everything, but authenticate through ssh. I ran nslcd in debug mode (nslcd -d) and the output is identical when connecting to both servers, but one authenticates and the other one does not. The server certificate file, contains the certificate for both servers. I have switched them around and it did not make any difference. I can 'su - username' using the second server, and it gets all atributes and automounts the correct home directory from the file server. This is the only client that can not authenticate with the second server.

Here is my nslcd.conf :

******
uri ldaps://opends2.example.com/ ldaps://opends1.example.com/

base dc=example,dc=com

uid nslcd
gid ldap

scope sub

ssl yes
tls_cacertfile /etc/openldap/certs/server_cert.pem
tls_reqcert allow
tls_cacertdir /etc/openldap/certs

filter passwd (objectClass=*)

base  group  ou=Groups,dc=example,dc=com
base  passwd ou=People,dc=example,dc=com
base  shadow ou=People,dc=example,dc=com
base hosts   ou=Hosts,dc=example,dc=com

map    passwd homeDirectory    "$exHomeDirectory"
map shadow userPassword userPassword

binddn cn=agent,ou=profile,dc=example,dc=com
bindpw Btwgfd87

bind_timelimit 30
******

On the server side, I see a difference on attrs. From the log file, this is the search on the server that authenticates :

[06/Mar/2014:11:21:30 -0700] SEARCH REQ conn=123412728 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(uid=jdoe)" attrs="host,authorizedService,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning,uidNumber"

and this is the one that does not authenticate :

[06/Mar/2014:11:28:38 -0700] SEARCH REQ conn=3932369 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=shadowAccount)(uid=jdoe))" attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange"

They say the ldap servers are identical and all other clients authenticate correctly... so it should be on the client side. What do you say ? Any idea what might be going on ?

Thank you,



--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/