Hey guys!

Unfortunately I have a new wrinkle. While I certainly got to make my sudoers work through LDAP (thanks to those who helped), unfortunately PAM is unhappy at the moment. So, while sudo is working in LDAP, for any of the services that need to authenticate through PAM (i.e. ssh and su) it is still a no-go. I am getting PAM authentication errors in my log files.

But LDAP is certainly doing its job! Using the account I have set up in LDAP as the PAM user, I can search my base DN:

[bluethundr@bluethundr-desktop:~ ] $:ldapsearch -x -h ldap -D "cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" -w secret -b "dc=summitnjhome,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# summitnjhome.com
dn: dc=summitnjhome,dc=com
dc: summitnjhome
objectClass: dcObject
objectClass: organization
o: Summit NJ Home

# staff, summitnjhome.com
dn: ou=staff,dc=summitnjhome,dc=com
ou: staff
objectClass: organizationalUnit

# summitnjops, staff, summitnjhome.com
dn: ou=summitnjops,ou=staff,dc=summitnjhome,dc=com
ou: summitnjops
objectClass: organizationalUnit

# people, summitnjhome.com
dn: ou=people,dc=summitnjhome,dc=com
objectClass: organizationalUnit
ou: people

# Services, summitnjhome.com
dn: ou=Services,dc=summitnjhome,dc=com
ou: services
objectClass: organizationalUnit

# pam_ldap, Services, summitnjhome.com
dn: cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword:: e1NTSEF9K2NsWktBUXVDWEhkbjVBcVRDbFVMb0ROZVcvelltelIg

# sudoers, Services, summitnjhome.com
dn: ou=sudoers,ou=Services,dc=summitnjhome,dc=com
ou: sudoers
objectClass: organizationalUnit

# defaults, sudoers, Services, summitnjhome.com
dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here

# root, sudoers, Services, summitnjhome.com
dn: cn=root,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

# %wheel, sudoers, Services, summitnjhome.com
dn: cn=%wheel,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

# %summitnjops, sudoers, Services, summitnjhome.com
dn: cn=%summitnjops,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: %summitnjops
sudoUser: %summitnjops
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11

And this is the entry I have in my LDAP database for the pam_ldap user:

dn: cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword: secret

So far so good, everything works. However, this is how I have my ldap.conf file set up:

host ldap.summitnjhome.com
base dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com

(I have also tried setting the host to 127.0.0.1 as well, with no joy.)

And observe what happens if I try to su using pam/ldap:

Oct 9 20:25:11 LCENT01 su: pam_ldap: error trying to bind (Invalid credentials)
Oct 9 20:25:11 LCENT01 su: pam_ldap: error trying to bind (Invalid credentials)
Oct 9 20:25:11 LCENT01 su: in _openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 11
Oct 9 20:25:11 LCENT01 su: bluethundr to root on /dev/pts/0

ssh has roughly the same effect on the logs, but in order for me to demonstrate that I would likely have to gain physical access to the box to fix it. So hopefully the above example will suffice.
This is how my PAM su file is configured:

LCENT01# cat /etc/pam.d/su
#
# System-wide defaults
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	pam_ldap.so
auth		required	pam_unix.so		no_warn try_first_pass nullok

# account
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		sufficient	pam_ldap.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so
session		required	pam_ldap.so
session		required	pam_lastlog.so		no_fail

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

I assume that whatever is breaking su is breaking ssh. Does anyone have any ideas as to why slapd cannot access the pam_ldap account user automatically through /usr/local/etc/ldap.conf? x(

On Fri, Oct 8, 2010 at 11:01 PM, Scott Robbins <scottro@xxxxxxxxxx> wrote:
> On Fri, Oct 08, 2010 at 10:52:54PM -0400, Tim Dunphy wrote:
>> I just recopied openLDAP.schema as sudoers.schema and added it to slapd.conf
>>
>>
>> [bluethundr@bluethundr-desktop:~/txt/ldif ] $:ldapadd -h ldap -a -W -x
>> -D "cn=Manager,dc=summitnjhome,dc=com" -f
>> /home/bluethundr/txt/sudoers2.ldif
>> adding new entry "cn=%summitnjops,ou=sudoers,ou=Services,dc=summitnjhome,dc=com"
>
> <snip>
>>
>> MAJOR WIN and THANKS to scott !!!
>
> Glad you got it sorted and you're more than welcome.
>
>
> --
> Scott Robbins
> PGP keyID EB3467D6
> ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
> gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
>
> Buffy: Oh, look at my poor neck... all bare and tender and
> exposed. All that blood, just pumping away.
> Giles: Oh, please.
> Spike: Giles, make her stop!
> Giles: If those two don't kill each other, I might lend a hand.
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!
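The ldap.conf and the bind failure discussed in the message above, as an added example that is not part of the original post and not code from pam_ldap or nss_ldap: a POSIX shell helper that reads an ldap.conf written in the keyword syntax the post uses (host, base, binddn, bindpw, nss_base_passwd), prints the ldapsearch command that reproduces pam_ldap's own first step for a login name (bind as binddn/bindpw, then look for a posixAccount with that uid under nss_base_passwd), and warns when the bindpw sits in a group- or world-readable file. The sample configuration the script writes to a temp file is constructed here to mirror the values quoted in the post; the function names, the temp-file path and the login name bluethundr are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce pam_ldap's user lookup
# from the settings in ldap.conf and flag a world-readable bindpw.
# Assumptions: ldap.conf uses the nss_ldap/pam_ldap keyword syntax shown in the
# post (host, base, binddn, bindpw, nss_base_passwd); the sample file written
# below is constructed here and only mirrors the values the post quotes.

# ldap_conf_get FILE KEY
# Print the value of KEY from FILE (first match; keywords are case-insensitive
# in ldap.conf), or nothing if the key is absent or commented out.
ldap_conf_get() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# pam_ldap_search_cmd FILE USER
# Print the ldapsearch command that does what pam_ldap does before it can
# authenticate USER: bind with binddn/bindpw, then search nss_base_passwd
# (falling back to base) for a posixAccount whose uid is USER.  If that
# search returns no entry, pam_ldap has no DN to bind as for the user.
pam_ldap_search_cmd() {
    conf=$1
    user=$2
    host=$(ldap_conf_get "$conf" host)
    base=$(ldap_conf_get "$conf" nss_base_passwd)
    base=${base%%\?*}                 # drop an optional "?one" / "?sub" scope suffix
    [ -n "$base" ] || base=$(ldap_conf_get "$conf" base)
    binddn=$(ldap_conf_get "$conf" binddn)
    bindpw=$(ldap_conf_get "$conf" bindpw)
    printf 'ldapsearch -x -h "%s" -D "%s" -w "%s" -b "%s" "(&(objectClass=posixAccount)(uid=%s))"\n' \
        "$host" "$binddn" "$bindpw" "$base" "$user"
}

# bindpw_exposed FILE
# True (exit 0) when FILE carries a bindpw and is readable by group or other.
# pam_ldap's ldap.conf is normally world-readable, so a bindpw placed there is
# readable by every local user; the nss_ldap/pam_ldap answer is a read-only
# service account (as the post already uses) plus rootbinddn with the password
# kept in a mode-600 ldap.secret beside ldap.conf for root-only lookups.
bindpw_exposed() {
    conf=$1
    [ -n "$(ldap_conf_get "$conf" bindpw)" ] || return 1
    # columns 5-10 of ls -l output are the group and other permission bits
    case $(ls -l "$conf" | cut -c5-10) in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample mirroring the post's ldap.conf (not the real file).
SAMPLE_CONF=$(mktemp) || exit 1
cat > "$SAMPLE_CONF" <<'EOF'
host ldap.summitnjhome.com
base dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
EOF
chmod 644 "$SAMPLE_CONF"          # pam_ldap's ldap.conf is normally world-readable

echo "Run this on the failing host to see what pam_ldap finds for the login name:"
pam_ldap_search_cmd "$SAMPLE_CONF" bluethundr
if bindpw_exposed "$SAMPLE_CONF"; then
    echo "warning: bindpw in $SAMPLE_CONF is readable by other local users"
fi
```

Run the printed ldapsearch on the host that is failing to authenticate, not on a workstation: an "Invalid credentials" from that bind isolates the service-account side of the problem, while a successful bind with an empty result means no posixAccount with that uid exists under nss_base_passwd, and pam_ldap then has nothing to bind as for the user. The printed command carries bindpw on the command line, where ps shows it to other users; substitute -W to be prompted when the machine is shared.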