Re: Need help in integration of pam and ldap using nss-pam-ldapd

I am guessing you are experimenting with the user 'ldap_pam_uid+uidNumber=22222222'. Very strange username. The dump you sent for that user does not show all of the attributes so it is hard to tell you much about it, but I would be surprised if you really intend that to be the UID.

dn: uid=ldap_pam_uid+uidNumber=22222222,ou=system
objectClass: posixAccount
objectClass: top
objectClass: posixGroup

One way to see if you have your nslcd configuration working is with the getent command. For example:

getent passwd <someuid>

Bill

On Wed, May 24, 2017 at 11:29 AM, Kedar Sirshikar (ksirshik) <ksirshik [at] cisco.com> wrote:

Hi,

Sorry for the inconvenience caused.

I updated nslcd.conf to point ‘base’ to ‘ou=system’ and restarted nslcd using ‘nslcd -d’

Please refer below updated user with posixAccount and posixGroup but still PAM is not reaching LDAP. Can you please advise if I am missing anything?

 

[root@AIO-ANDSF ~]# ldapsearch -H ldap://10.24.19.141:10389 -x -D "uid=ldap_pam_uid+uidNumber=22222222,ou=system" -W -b "ou=system" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=system> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass
#

# pam_ldap, system
dn: uid=pam_ldap,ou=system
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# ldap_pam_uid + 22222222, system
dn: uid=ldap_pam_uid+uidNumber=22222222,ou=system
objectClass: posixAccount
objectClass: top
objectClass: posixGroup

# configuration, system
dn: ou=configuration,ou=system
objectClass: top
objectClass: organizationalUnit

# consumers, system
dn: ou=consumers,ou=system
objectclass: top
objectclass: organizationalUnit

# sysPrefRoot, system
dn: prefNodeName=sysPrefRoot,ou=system
objectClass: top
objectClass: organizationalUnit
objectClass: extensibleObject

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
[root@AIO-ANDSF ~]#

 

Also, it will be a great help if you point out how to debug logs for PAM.

PAM is expected to communicate with LDAP after running commands like ‘pwauth’ and ‘getent passwd’, but PAM is still referring to ‘pam_unix.so’ for the ‘auth’ module.

 

Regards,

Kedar.

 

From: William MacAllister <whm [at] dropbox.com>
Date: Wednesday, May 24, 2017 at 12:58 PM
To: "Kedar Sirshikar (ksirshik)" <ksirshik [at] cisco.com>
Cc: "nss-pam-ldapd-users@lists.arthurdejong.org" <nss-pam-ldapd-users@lists.arthurdejong.org>
Subject: Re: Need help in integration of pam and ldap using nss-pam-ldapd

 

Don't send me screen shots.  How do you know I am not using a screen reader?  How do you know that no one on the list is using a screen reader?  It is poor netiquette to send any binaries to a distribution list.

 

The screen shot does not show a valid posixAccount. Where do you expect a UIDnumber to come from if the user's entry doesn't have it?  You need to create entries that have the posixAccount object class.

 

I don't do random WebExs.

 

Bill

 

On Wed, May 24, 2017 at 9:47 AM, Kedar Sirshikar (ksirshik) <ksirshik [at] cisco.com> wrote:

Hi,

Please refer attached screen shot for LDAP.

I will also update my nslcd.conf and test once more.

 

In case if you have some time, we can do a quick WebEx meeting so that I can share my screen and we can check this issue together.

 

Regards,

Kedar.

 

From: William MacAllister <whm [at] dropbox.com>
Date: Wednesday, May 24, 2017 at 12:40 PM
To: "Kedar Sirshikar (ksirshik)" <ksirshik [at] cisco.com>
Cc: "nss-pam-ldapd-users@lists.arthurdejong.org" <nss-pam-ldapd-users@lists.arthurdejong.org>
Subject: Re: Need help in integration of pam and ldap using nss-pam-ldapd

 

Well, the ldapsearch you included shows a base dn of ou=system and your nslcd.conf has a base of dc=example,dc=com. You need to fix that first.

 

I don't see a user entry in your ldap.  Do you have any in the directory?  I would expect to see entries something like:

 

$ ldapsearch uid=someuser @posixAccount @inetorgperson @person
dn: uid=someuser,cn=people,dc=somewhere,dc=com
cn: First Last
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
sn: Last
homeDirectory: /home/someuser
mail: someuser [at] somewhere.com
givenName: First
uid: someuser
uidNumber: 18820
gidNumber: 18820

 

Bill

 

On Wed, May 24, 2017 at 9:02 AM, Kedar Sirshikar (ksirshik) <ksirshik [at] cisco.com> wrote:

I had tested by turning off NSCD.

ldapsearch is working and sample output is as below

 

[root@AIO-ANDSF ~]# ldapsearch -H ldap://10.24.19.141:10389 -x -D "uid=pam_ldap,ou=system" -W -b "ou=system" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=system> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass
#

# pam_ldap, system
dn: uid=pam_ldap,ou=system
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# configuration, system
dn: ou=configuration,ou=system
objectClass: top
objectClass: organizationalUnit

# consumers, system
dn: ou=consumers,ou=system
objectclass: top
objectclass: organizationalUnit

# sysPrefRoot, system
dn: prefNodeName=sysPrefRoot,ou=system
objectClass: top
objectClass: organizationalUnit
objectClass: extensibleObject

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@AIO-ANDSF ~]#

 

Please find attached files.

 

Regards,

Kedar.

 

From: William MacAllister <whm [at] dropbox.com>
Date: Wednesday, May 24, 2017 at 11:43 AM
To: "Kedar Sirshikar (ksirshik)" <ksirshik [at] cisco.com>
Cc: "nss-pam-ldapd-users@lists.arthurdejong.org" <nss-pam-ldapd-users@lists.arthurdejong.org>
Subject: Re: Need help in integration of pam and ldap using nss-pam-ldapd

 

First, just simple ldapsearches are working, right?

 

Frequently nscd is also installed for you by your package management system when nss-pam-ldapd is installed. While you are testing it is best to turn it off because a stale cache can cause an assortment of problems. Turn off nscd if it is installed and try again.

 

If that doesn't work post your nslcd.conf and the ldif for a user, i.e. the output from 'ldapsearch uid=someuser'.

 

Bill

 

On Tue, May 23, 2017 at 4:44 PM, Kedar Sirshikar (ksirshik) <ksirshik [at] cisco.com> wrote:

Hi team,

I am trying to do a POC to integrate PAM with LDAP. After exploring on google, I came to know that I can use ‘nss-pam-ldapd’ package.

 

For LDAP server, I am using ApacheDS plug-in from Eclipse.

 

For client, I installed ‘nss-pam-ldapd’ on CentOS 6.8. I followed ‘https://arthurdejong.org/nss-pam-ldapd/setup’ wiki to update PAM and NSLCD configurations.

I can see that ldapsearch is working fine but I am not able to connect to LDAP through PAM and NSLCD.

I am testing based on below two approaches:

1. I am using ‘pwauth’ which is expected to authenticate user based on PAM-LDAP integration.
2. I tried ‘getent passwd’ command but I do not get any user from LDAP

I do not even see any logs getting generated. May I know how to activate logs for PAM, NSS, NSLCD?

 

I am a complete novice at all these concepts, so please help me in understanding/fixing the above issue.

Also, kindly let me know if you need more details from my side.

Thank you!

 

Regards,

Kedar.

 


--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/

--
Bill MacAllister
Corp SRE, Dropbox