What is the output of "id testdba" and "getent passwd testdba"?

To use LDAP auth for SSH Server, you must set these lines in /etc/ssh/sshd_config:

PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

Note: in older versions (pre-3.6.1) of OpenSSH Server, instead of "UsePAM yes", the parameter is:

PAMAuthenticationViaKbdInt yes

"-d" is the debug option of OpenSSH Server in INTERACTIVE MODE ONLY. SUN SSH server, which is a version of OpenSSH, may not have this option; please find out the correct debugging option that you may use.

     -d      Debug mode.  The server sends verbose debug output to the system
             log, and does not put itself in the background.  The server also
             will not fork and will only process one connection.  This option
             is only intended for debugging for the server.  Multiple -d
             options increase the debugging level.  Maximum is 3.

You must also first stop and kill sshd, then restart using "-d", eg:

# /usr/local/sbin/sshd -d

Did you add "debug" keywords to lines of /etc/pam.conf? After that /var/adm/messages should show more messages. Something like:

...
login   auth requisite          pam_authtok_get.so.1 debug
login   auth required           pam_dhkeys.so.1 debug
login   auth sufficient         pam_unix_auth.so.1 debug
login   auth required           pam_ldap.so.1 try_first_pass debug
login   auth required           pam_dial_auth.so.1 debug

#ssh
sshd    auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
sshd    auth required           /usr/lib/security/pam_unix.so.1 use_first_pass debug
...

To troubleshoot "Object not found (LDAP ERROR (50): Insufficient access.)", you may look into the log files. (From Fedora Directory Server mail list archive)

===
Look in the access log on the FDS server for connections from that workstation (grep on the IP of that workstation, or one of the user ids that are trying to auth, etc). When you find it, grep out conn=xxx (where xxx is the connection # from that IP) so you get the complete connection from start to finish.
- Look at the BIND lines to see what that workstation is binding as.
- Look at the SRCH lines, to see what basedn and filter is being used.
- Look at the result line (right after the SRCH line) to see what the results are (though you'll probably just see err=32, which is no such object). If there are multiple SRCH lines, check each one.
- Check the ACIs set on your suffix - in console, click on the Directory tab then right click on the top entry in your tree, and select "set permissions" (something like that - doing this from memory). Make sure the appropriate access is set. You may have to look throughout your tree for ACIs to be sure you find everything. (ldapsearch -D "cn=directory manager" -w - ... -b "your basedn" "(aci=*)" aci to find 'em all.)
===

Gary

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com on behalf of Igor
Sent: Tue 8/30/2005 9:37 PM
To: General discussion list for the Fedora Directory server project.
Cc:
Subject: RE: Problem with solaris & FDS authentication

Gary,

I did like you said. There was nothing in msgs file. From the remote host I got this:

debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
testdba@149.85.86.87's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.

sshd -d produced nothing either. So, I'm confused now.

Also, ldaplist by itself gives this:

bash-2.03# ldaplist
ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)

Is that normal? And when I snoop -v ldap | grep LDAP I don't see the {crypt} password anywhere.....?
--- "Tay, Gary" <Gary_Tay at platts.com> wrote:

> To troubleshoot PAM issue, you may add "debug" keyword at the end of
> every or selected lines of /etc/pam.conf, and /var/adm/messages should
> show more messages.
>
> To troubleshoot SSH Server, you may start sshd with "-d" (debug)
> option (Interactive Mode Only), or use "ssh -v testdba@localhost" at the
> SSH Client (-v means verbose mode).
>
> You may use the sample pam.conf from
> http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view, do comment
> out all the "pam_unix_cred.so.1" lines as they are meant for Solaris10.
>
> Gary
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Igor
> Sent: Tuesday, August 30, 2005 4:30 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Problem with solaris & FDS authentication
>
> Hi, guys. I finally got the solaris box to talk to the FDS (thank you
> all for your help).
>
> I'm now having a problem where I can't telnet/ssh from another machine.
>
> On the client, I have this:
>
> bash-2.03# ldaplist -l passwd testdba
> dn: uid=testdba,ou=People, dc=composers,dc=foo,dc=com
> givenName: oracle
> sn: user
> loginShell: /bin/bash
> uidNumber: 10001
> gidNumber: 7000
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> objectClass: shadowaccount
> uid: testdba
> cn: oracle user
> homeDirectory: /home/testdba
> bash-2.03#
>
> The ACIs (in addition to the default ones):
>
> Bind Password:
> dc=composers,dc=foo,dc=com
>
> aci=(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
> aci=(target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)
>
> There's nothing in the /var/adm/messages. My pam.conf [snipped] is this:
>
> # login service (explicit because of pam_dial_auth)
> #
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth sufficient         pam_unix_auth.so.1
> login   auth required           pam_ldap.so.1 try_first_pass
> login   auth required           pam_dial_auth.so.1
>
> #ssh
>
> sshd    auth sufficient         /usr/lib/security/pam_ldap.so.1
> sshd    auth required           /usr/lib/security/pam_unix.so.1 use_first_pass
>
> ---
>
> The userPassword field is not displayed when I do ldaplist. Is that
> normal?
> Even when I do this:
>
> /usr/bin/ldapsearch -D "cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com" -h cnyitlin02 -b dc=composers,dc=foo,dc=com objectclass=\*
>
> uid=testdba,ou=People, dc=composers,dc=foo,dc=com
> givenName=oracle
> sn=user
> loginShell=/bin/bash
> uidNumber=10001
> gidNumber=7000
> objectClass=top
> objectClass=person
> objectClass=organizationalPerson
> objectClass=inetorgperson
> objectClass=posixAccount
> objectClass=shadowaccount
> uid=testdba
> cn=oracle user
> homeDirectory=/home/testdba
>
> How can I go about troubleshooting this?
>
> ____________________________________________________
> Start your day with Yahoo! - make it your home page
> http://www.yahoo.com/r/hs
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
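Gary's access-log triage (grep the FDS access log for the client's address, pull out the whole conn=xxx session, then read its BIND, SRCH and RESULT lines) is mechanical enough to script. The block below is an added example written for this page; it is not code from the thread or from the Directory Server project. It runs over a constructed access-log excerpt in the server's line format: the timestamps, connection numbers, client addresses (192.0.2.10, 192.0.2.77) and the mistyped search base that produces err=32 are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a Fedora/389 Directory Server access log, written for this
# example only: the timestamps, conn/op numbers and the client addresses are made up.
# The layout follows the server's access log, where every line carries conn=N and the
# operation lines carry op=M, so one client's session can be reassembled from the
# interleaved log.  conn=12 searches a mistyped base (dc=composer) and gets err=32;
# conn=13 binds anonymously and gets err=50 on its search.
SAMPLE_ACCESS_LOG = """\
[30/Aug/2005:21:37:00 -0400] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[30/Aug/2005:21:37:00 -0400] conn=12 op=0 BIND dn="cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com" method=128 version=3
[30/Aug/2005:21:37:00 -0400] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com"
[30/Aug/2005:21:37:00 -0400] conn=13 fd=65 slot=65 connection from 192.0.2.77 to 192.0.2.1
[30/Aug/2005:21:37:00 -0400] conn=12 op=1 SRCH base="ou=people,dc=composer,dc=foo,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=testdba))" attrs="uid userPassword uidNumber gidNumber"
[30/Aug/2005:21:37:00 -0400] conn=13 op=0 BIND dn="" method=128 version=3
[30/Aug/2005:21:37:00 -0400] conn=12 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[30/Aug/2005:21:37:00 -0400] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Aug/2005:21:37:01 -0400] conn=13 op=1 SRCH base="dc=composers,dc=foo,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[30/Aug/2005:21:37:01 -0400] conn=13 op=1 RESULT err=50 tag=101 nentries=0 etime=0
[30/Aug/2005:21:37:01 -0400] conn=12 op=2 UNBIND
[30/Aug/2005:21:37:01 -0400] conn=12 op=2 fd=64 closed - U1
"""

# LDAP result codes (RFC 4511) that come up when triaging a PAM/LDAP client.
LDAP_ERR = {
    0: "success",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONNECT_RE = re.compile(r"connection from (?P<ip>\S+) to ")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)")


def parse_access_log(text):
    """Group every log line by its conn=N number, preserving file order."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns[int(m.group("conn"))].append(m.group("rest"))
    return conns


def connections_from(conns, ip):
    """The 'grep on the IP of that workstation' step: conn numbers opened from ip."""
    found = []
    for conn, lines in conns.items():
        for rest in lines:
            m = CONNECT_RE.search(rest)
            if m and m.group("ip") == ip:
                found.append(conn)
                break
    return sorted(found)


def summarize(conns, conn):
    """The 'grep out conn=xxx' step: who the connection bound as, what it searched,
    and how each operation ended (a RESULT line is joined to its request by op=M)."""
    ops = {}
    client = None
    for rest in conns[conn]:
        m = CONNECT_RE.search(rest)
        if m:
            client = m.group("ip")
            continue
        m = BIND_RE.match(rest)
        if m:
            # An empty bind DN is an anonymous bind: ACIs granted to the proxy
            # agent's DN do not apply to it.
            ops[int(m.group("op"))] = {"type": "BIND", "dn": m.group("dn") or "(anonymous)"}
            continue
        m = SRCH_RE.match(rest)
        if m:
            ops[int(m.group("op"))] = {
                "type": "SRCH",
                "base": m.group("base"),
                "scope": int(m.group("scope")),
                "filter": m.group("filter"),
            }
            continue
        m = RESULT_RE.match(rest)
        if m:
            op = ops.setdefault(int(m.group("op")), {"type": "?"})
            err = int(m.group("err"))
            op["err"] = err
            op["err_name"] = LDAP_ERR.get(err, "err=%d" % err)
            op["nentries"] = int(m.group("nentries"))
    return {"conn": conn, "client": client, "ops": [ops[k] for k in sorted(ops)]}


def failures(summary):
    """Operations on the connection that did not end with err=0."""
    return [op for op in summary["ops"] if op.get("err", 0) != 0]


if __name__ == "__main__":
    conns = parse_access_log(SAMPLE_ACCESS_LOG)
    for conn in connections_from(conns, "192.0.2.10") + connections_from(conns, "192.0.2.77"):
        s = summarize(conns, conn)
        print("conn=%d from %s" % (conn, s["client"]))
        for op in s["ops"]:
            print("   ", op)
        for op in failures(s):
            print("    FAILED: %s -> %s" % (op["type"], op["err_name"]))
```

Against a real access log, replace SAMPLE_ACCESS_LOG with the file contents and the workstation's address with the one from the ssh prompt; the bind DN and the base/filter pair on the failing SRCH are the two facts to compare against the client's ldap profile and the ACIs on the suffix.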