Hi team,
As I said in my last email, I was able to authenticate the users. The LDIF is as below:
version: 1
dn: uid=uid_1,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn_1
gidNumber: 1
homeDirectory: /
sn: sn_1
uid: uid_1
uidNumber: 1
userPassword:: e1NTSEF9S256MGpZTjgycXpGL2src3hjT3hhbi9FbmxHS2V1WHVEVWRGUFE9PQ==
dn: dc=example,dc=com
objectclass: top
objectclass: domain
dc: example
dn: uid=uid_2,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn_2
gidNumber: 2
homeDirectory: /
sn: sn_2
uid: uid_2
uidNumber: 2
userPassword:: e1NTSEF9aW90Q2V6VjFQMER4YXh0VlVhYlZoQWZGVHZPRTVBU3lqYjBjeEE9PQ==
Now I want to authenticate users created under ‘cn=Administrators,ou=groups,ou=system’. The LDIF is as below:
version: 1
dn: cn=Administrators,ou=groups,ou=system
objectClass: groupOfUniqueNames
objectClass: top
cn: Administrators
uniqueMember: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
dn: uid=uid_admin,cn=Administrators,ou=groups,ou=system
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn_admin
gidNumber: 1
homeDirectory: /
sn: sn_admin
uid: uid_admin
uidNumber: 1
userPassword:: e1NTSEF9OCtOYWFvZGdBbHB1R3VnN0VWbEhCNks3QzNKeDlQbHN2Ukh1QUE9PQ==
I tried updating the nslcd.conf file by adding “base group ‘cn=Administrators,ou=groups,ou=system’” and restarted nslcd, but user uid_admin is still not getting authenticated.
Can you please help me find out what I may be missing?
Regards,
Kedar.
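A way to check LDIF like the above before loading it, added here as an editor's example and not code from the thread or from nss-pam-ldapd: the script parses the LDIF (unfolding continuation lines and decoding `::` base64 values), then reports for every entry with a `uid` whether it carries the `posixAccount` object class and the attributes nslcd needs for the passwd map, whether its DN sits under the search base(s) configured for that map, and whether its `uidNumber` collides with another entry. The sample LDIF is constructed to mirror the entries quoted above (the two `userPassword` values are the base64 strings from the thread; the DNs, numbers and the deliberately broken third entry are made up). The base check rests on my reading of nslcd.conf(5): the passwd map is searched only under the global `base` or a map-specific `base passwd DN` line, and `base group` only changes where group entries are looked up, so an account under `cn=Administrators,ou=groups,ou=system` would not be found while the passwd base is `dc=example,dc=com`.

```python
import base64

# Constructed sample modelled on the LDIF quoted in the thread (not the
# poster's export). The two userPassword values are the base64 strings shown
# there; DNs, numbers and the broken third entry are made up for the demo.
SAMPLE_LDIF = """\
dn: uid=uid_1,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: uid_1
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/uid_1
userPassword:: e1NTSEF9S256MGpZTjgycXpGL2src3hjT3hhbi9FbmxHS2V1WHVEVWRGUFE9P
 Q==

dn: uid=uid_admin,cn=Administrators,ou=groups,ou=system
objectClass: inetOrgPerson
objectClass: posixAccount
uid: uid_admin
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/uid_admin
userPassword:: e1NTSEF9OCtOYWFvZGdBbHB1R3VnN0VWbEhCNks3QzNKeDlQbHN2Ukh1QUE9P
 Q==

dn: uid=uid_broken,dc=example,dc=com
objectClass: inetOrgPerson
uid: uid_broken
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    'attr::' base64 values, lower-cases attribute names, and starts a new
    entry at every 'dn:' so it copes with an export whose blank lines were lost."""
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfolded:
        if not line or line[0] == "#" or line.startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # attr:: <base64 value>; binary data is tolerated
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            if current:
                entries.append(current)
            current = {"dn": [value]}
        else:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def under_base(dn: str, base: str) -> bool:
    """True if dn is at or below base (case-insensitive RDN comparison;
    escaped commas inside RDN values are not handled)."""
    d = [r.strip().lower() for r in dn.split(",")]
    b = [r.strip().lower() for r in base.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b


# Attributes nslcd needs to build a passwd(5) line from an entry.
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def audit_passwd_entries(ldif_text: str, passwd_bases: list[str]) -> dict[str, list[str]]:
    """Map each user entry's DN to the reasons nslcd would not serve it, or
    would serve it in a risky way; an empty list means the entry looks fine."""
    users = [e for e in parse_ldif(ldif_text) if "uid" in e]
    by_uidnumber: dict[str, list[str]] = {}
    for e in users:
        for n in e.get("uidnumber", []):
            by_uidnumber.setdefault(n, []).append(e["dn"][0])
    report: dict[str, list[str]] = {}
    for e in users:
        dn = e["dn"][0]
        problems: list[str] = []
        if "posixaccount" not in (oc.lower() for oc in e.get("objectclass", [])):
            problems.append("missing objectClass posixAccount")
        problems += [f"missing {a}" for a in REQUIRED if a.lower() not in e]
        if not any(under_base(dn, b) for b in passwd_bases):
            problems.append("outside passwd base(s): " + ", ".join(passwd_bases))
        for n in e.get("uidnumber", []):
            others = [d for d in by_uidnumber[n] if d != dn]
            if others:  # two DNs with one uidNumber are one Unix identity
                problems.append(f"uidNumber {n} also used by " + ", ".join(others))
        report[dn] = problems
    return report


if __name__ == "__main__":
    for dn, problems in audit_passwd_entries(SAMPLE_LDIF, ["dc=example,dc=com"]).items():
        print(dn, "->", "; ".join(problems) or "OK")
```

Running it with only `dc=example,dc=com` as the passwd base flags `uid_admin` as outside the base; passing `["dc=example,dc=com", "ou=system"]` clears that finding but keeps the shared `uidNumber`, which is worth fixing regardless because both entries would map to the same local user.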
From: "Kedar Sirshikar (ksirshik)" <ksirshik@cisco.com>
Date: Friday, May 26, 2017 at 9:47 AM
To: William MacAllister <whm@dropbox.com>
Cc: "nss-pam-ldapd-users@lists.arthurdejong.org" <nss-pam-ldapd-users@lists.arthurdejong.org>
Subject: Re: Need help in integration of pam and ldap using nss-pam-ldapd
I followed your suggestion to create a user with ‘posixAccount’. After creating such a user, I could see successful authentication happening.
Even ‘getent passwd’ is giving me 2 users from LDAP in the output.
[root@AIO-ANDSF ~]# getent passwd
uid_1:{SSHA}vGIEQPhcv197P0W7A5nbruxQpkl3mp0Su/zMKQ==:1:1:cn_1:/:
uid_5:{SSHA}xoRbmRrPn6m9WsYI91kaJhVpjCtl6Uj+cHAd7Q==:5:5:cn_5:/:
[root@AIO-ANDSF ~]#
Also, pwauth is working fine.
[root@AIO-ANDSF ~]# pwauth
uid_1
cisco123
[root@AIO-ANDSF ~]# echo $?
0
[root@AIO-ANDSF ~]# pwauth
uid_1
uid_1
[root@AIO-ANDSF ~]# echo $?
1
[root@AIO-ANDSF ~]#
Thanks a lot Bill for your quick help.
Now the next step in my POC is to integrate it with sssd. I will get back to you in case I face any issues with it.
Regards,
Kedar.
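One thing worth noticing in the `getent passwd` output quoted above, and an editor's example that is not code from the thread or from nss-pam-ldapd: the password field of the two LDAP users carries the `{SSHA}` hash itself rather than the usual `x` or `*`, which means every local account that can run `getent` can read the hashes, and the `uidNumber` values 1 and 5 coincide with the `bin` and `sync` accounts CentOS ships in /etc/passwd, so each LDAP user shares a Unix identity with a system account. The script below parses passwd-format lines and reports both conditions. The local `root` and `bin` lines are constructed; the `uid_1` and `uid_5` lines are the ones quoted above. Remedies I would look at (stated as my own assumptions about the setup, not something the thread confirms): an LDAP ACL that does not let the DN nslcd binds with read `userPassword` (PAM authentication via a bind does not need it), or mapping the attribute to a constant with the `map passwd userPassword "*"` form of nslcd.conf's `map` option, plus nslcd's `nss_min_uid` option or simply higher `uidNumber` values.

```python
# Constructed `getent passwd` output: root and bin are made-up local entries
# of the kind /etc/passwd contains; the uid_1 and uid_5 lines are the two LDAP
# users quoted in the message above.
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
uid_1:{SSHA}vGIEQPhcv197P0W7A5nbruxQpkl3mp0Su/zMKQ==:1:1:cn_1:/:
uid_5:{SSHA}xoRbmRrPn6m9WsYI91kaJhVpjCtl6Uj+cHAd7Q==:5:5:cn_5:/:
"""

# Password-field values that mean "no usable secret here; look elsewhere".
PLACEHOLDERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text: str) -> list[dict]:
    """Split passwd(5)-format lines into records. Fields cannot contain ':',
    so a plain 7-way split is unambiguous; a trailing empty shell is kept."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":", 6)
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        records.append({"name": f[0], "passwd": f[1], "uid": int(f[2]),
                        "gid": int(f[3]), "gecos": f[4], "home": f[5], "shell": f[6]})
    return records


def exposed_hashes(text: str) -> dict[str, str]:
    """Users whose password field holds a real hash (readable by every local
    account through getent) instead of a placeholder, with the hash scheme."""
    out: dict[str, str] = {}
    for r in parse_passwd(text):
        pw = r["passwd"]
        if pw in PLACEHOLDERS:
            continue
        # LDAP-style hashes announce their scheme as {SSHA}, {CRYPT}, ...
        scheme = pw[: pw.index("}") + 1] if pw.startswith("{") and "}" in pw else "unknown"
        out[r["name"]] = scheme
    return out


def uid_collisions(text: str) -> dict[int, list[str]]:
    """Numeric uids shared by more than one account, e.g. an LDAP uidNumber
    that lands on a local system user: both names are one Unix identity."""
    by_uid: dict[int, list[str]] = {}
    for r in parse_passwd(text):
        by_uid.setdefault(r["uid"], []).append(r["name"])
    return {u: names for u, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    print("hashes exposed:", exposed_hashes(SAMPLE_GETENT))
    print("uid collisions:", uid_collisions(SAMPLE_GETENT))
```

On a real host the same checks run over `getent passwd | python3 this_script.py`-style input once the sample constant is replaced by `sys.stdin.read()`; the point is that the NSS view is what every process on the box sees, so anything that shows up there is effectively public to local users.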
From: William MacAllister <whm@dropbox.com>
Date: Friday, May 26, 2017 at 12:39 PM
To: "Kedar Sirshikar (ksirshik)" <ksirshik@cisco.com>
Cc: "nss-pam-ldapd-users@lists.arthurdejong.org" <nss-pam-ldapd-users@lists.arthurdejong.org>
Subject: Re: Need help in integration of pam and ldap using nss-pam-ldapd
I am guessing you are experimenting with the user 'ldap_pam_uid+uidNumber=22222222'. Very strange username. The dump you sent for that user does not show all of the attributes so it is hard to tell you much about it, but I would be surprised if you really intend that to be the UID.
dn: uid=ldap_pam_uid+uidNumber=22222222,ou=system
objectClass: posixAccount
One way to see if you have your nslcd configuration working is with the getent command. For example:
On Wed, May 24, 2017 at 11:29 AM, Kedar Sirshikar (ksirshik) <ksirshik [at] cisco.com> wrote:
Hi,
Sorry for the inconvenience caused.
I updated nslcd.conf to point ‘base’ to ‘ou=system’ and restarted nslcd using ‘nslcd -d’.
Please refer to the updated user below with posixAccount and posixGroup, but PAM is still not reaching LDAP. Can you please advise if I am missing anything?
[root@AIO-ANDSF ~]# ldapsearch -H ldap://10.24.19.141:10389 -x -D "uid=ldap_pam_uid+uidNumber=22222222,ou=system" -W -b "ou=system" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=system> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass
#
# pam_ldap, system
dn: uid=pam_ldap,ou=system
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
# ldap_pam_uid + 22222222, system
dn: uid=ldap_pam_uid+uidNumber=22222222,ou=system
objectClass: posixAccount
objectClass: top
objectClass: posixGroup
# configuration, system
dn: ou=configuration,ou=system
objectClass: top
objectClass: organizationalUnit
# consumers, system
dn: ou=consumers,ou=system
objectclass: top
objectclass: organizationalUnit
# sysPrefRoot, system
dn: prefNodeName=sysPrefRoot,ou=system
objectClass: top
objectClass: organizationalUnit
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
[root@AIO-ANDSF ~]#
Also, it would be a great help if you could point out how to debug logs for PAM.
PAM is expected to communicate with LDAP after firing commands like ‘pwauth’ and ‘getent passwd’, but PAM is still referring to ‘pam_unix.so’ for the ‘auth’ module.
Regards,
Kedar.
From: William MacAllister <whm [at] dropbox.com>
Date: Wednesday, May 24, 2017 at 12:58 PM
To: "Kedar Sirshikar (ksirshik)" <ksirshik [at] cisco.com>
Cc: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
Subject: Re: Need help in integration of pam and ldap using nss-pam-ldapd
Don't send me screen shots. How do you know I am not using a screen reader? How do you know that no one on the list is using a screen reader? It is poor netiquette to send any binaries to a distribution list.
The screen shot does not show a valid posixAccount. Where do you expect a uidNumber to come from if the user's entry doesn't have it? You need to create entries that have the posixAccount object class.
I don't do random WebExs.
On Wed, May 24, 2017 at 9:47 AM, Kedar Sirshikar (ksirshik) <ksirshik [at] cisco.com> wrote:
Hi,
Please refer attached screen shot for LDAP.
I will also update my nslcd.conf and test once more.
In case you have some time, we could do a quick WebEx meeting so that I can share my screen and we can check this issue together.
Regards,
Kedar.
From: William MacAllister <whm [at] dropbox.com>
Date: Wednesday, May 24, 2017 at 12:40 PM
To: "Kedar Sirshikar (ksirshik)" <ksirshik [at] cisco.com>
Cc: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
Subject: Re: Need help in integration of pam and ldap using nss-pam-ldapd
Well, the ldapsearch you included shows a base dn of ou=system and your nslcd.conf has a base of dc=example,dc=com. You need to fix that first.
I don't see a user entry in your ldap. Do you have any in the directory? I would expect to see entries something like:
$ ldapsearch uid=someuser @posixAccount @inetorgperson @person
dn: uid=someuser,cn=people,dc=somewhere,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
homeDirectory: /home/someuser
mail: someuser [at] somewhere.com
On Wed, May 24, 2017 at 9:02 AM, Kedar Sirshikar (ksirshik) <ksirshik [at] cisco.com> wrote:
I had tested by turning off NSCD.
ldapsearch is working and sample output is as below:
[root@AIO-ANDSF ~]# ldapsearch -H ldap://10.24.19.141:10389 -x -D "uid=pam_ldap,ou=system" -W -b "ou=system" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=system> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass
#
# pam_ldap, system
dn: uid=pam_ldap,ou=system
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
# configuration, system
dn: ou=configuration,ou=system
objectClass: top
objectClass: organizationalUnit
# consumers, system
dn: ou=consumers,ou=system
objectclass: top
objectclass: organizationalUnit
# sysPrefRoot, system
dn: prefNodeName=sysPrefRoot,ou=system
objectClass: top
objectClass: organizationalUnit
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
[root@AIO-ANDSF ~]#
Please find attached files.
Regards,
Kedar.
From: William MacAllister <whm [at] dropbox.com>
Date: Wednesday, May 24, 2017 at 11:43 AM
To: "Kedar Sirshikar (ksirshik)" <ksirshik [at] cisco.com>
Cc: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
Subject: Re: Need help in integration of pam and ldap using nss-pam-ldapd
First, just simple ldapsearches are working, right?
Frequently nscd is also installed for you by your package management system when nss-pam-ldapd is installed. While you are testing it is best to turn it off because a stale cache can cause an assortment of problems. Turn off nscd if it is installed and try again.
If that doesn't work post your nslcd.conf and the ldif for a user, i.e. the output from 'ldapsearch uid=someuser'.
On Tue, May 23, 2017 at 4:44 PM, Kedar Sirshikar (ksirshik) <ksirshik [at] cisco.com> wrote:
Hi team,
I am trying to do a POC to integrate PAM with LDAP. After searching on Google, I came to know that I can use the ‘nss-pam-ldapd’ package.
For LDAP server, I am using ApacheDS plug-in from Eclipse.
For the client, I installed ‘nss-pam-ldapd’ on CentOS 6.8. I followed the ‘https://arthurdejong.org/nss-pam-ldapd/setup’ wiki to update the PAM and NSLCD configurations.
I can see that ldapsearch is working fine but I am not able to connect to LDAP through PAM and NSLCD.
I am testing based on the below two approaches:
1. I am using ‘pwauth’, which is expected to authenticate the user based on the PAM-LDAP integration.
2. I tried the ‘getent passwd’ command but I do not get any users from LDAP.
I do not even see any logs getting generated. May I know how to activate logs for PAM, NSS, NSLCD?
I am a complete novice at all these concepts, so please help me in understanding/fixing the above issue.
Also, kindly let me know if you need more details from my side.
Thank you!
Regards,
Kedar.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/