Prashanth Sundaram wrote:
Hello,

PS: I am sorry to paste such a big error log.

I spent some time tweaking the PAM PTA plug-in so I can authenticate users against Active Directory. I configured the PAM PTA plug-in, krb5.conf and /etc/pam.d/ldapserver for Kerberos authentication against AD. To begin with I had only one user in 389-ds, which is the same as the local account name (uid=psundaram) on the DS. With all the configuration set, I was able to get ldapsearch working for this user. Even when I change the password on the AD side, I can use the new password to show LDIF results.

[root@centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=psundaram,ou=People,dc=fedorads,dc=net" -W -x

[root@centos-lin ~]# less /var/log/dirsrv/slapd-centos-lin/errors

[21/Sep/2009:18:08:30 -0400] NSACLPlugin - #### conn=2 op=1 binddn=""
[21/Sep/2009:18:08:30 -0400] NSACLPlugin - conn=2 op=1 (main): Deny search on entry(cn=change-sie-password,cn=commands,cn=admin-serv-centos-lin,cn=389 administration server,cn=server group,cn=centos-lin.fedorads.net,ou=fedorads.net,o=netscaperoot).attr(nsExecRef) to anonymous: no aci matched the subject by aci(16): aciname= "SIE Group (centos-lin)", acidn="o=netscaperoot"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(dc) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on attr): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(cn) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)

But when I created another account, uid=tjordan, which exists in AD as well (but does not have a local account like the user above), the authentication fails.

[root@centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=tjordan,ou=People,dc=fedorads,dc=net" -W -x
Enter LDAP Password:
ldap_bind: Operations error (1)
        additional info: Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]

less /var/log/dirsrv/slapd-centos-lin/errors

[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]

From what I see, there is something related to anonymous bind, but I am not sure what that is. Can someone help me understand what the problem is and how I can fix it, if you know?
Does it work if you create a local user account for uid=tjordan?
Here is my PAM PTA:

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: RDN
pamIDAttr: notUsedWithRDNMethod
pamFallback: FALSE
pamSecure: FALSE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.2.2
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin
modifiersName: cn=directory manager
modifyTimestamp: 20090921225438Z

Thanks,
Prashanth

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
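As an added illustration for this thread (it is not code from the thread's authors or from the 389 project), here is a small Python triage script for the situation above. It parses 389-ds errors-log lines of the shape quoted in the thread, extracts the pam_passthru-plugin bind failures, derives the PAM user id the plugin uses with pamIDMapMethod: RDN (the value of the bind DN's first RDN, which is why the log reports user id [tjordan] for that bind DN), and lists the failed users that have no local account, the check the reply above asks about. The sample log is the two pam_passthru lines from the thread plus one constructed NSACLPlugin line; the local-account set passed in is constructed, and the live lookup through the pwd module is an assumption about where a practitioner would get that set on the directory host.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the two pam_passthru-plugin lines quoted in the thread
# plus one NSACLPlugin line, which the failure extractor must ignore.
SAMPLE_ERRORS_LOG = """\
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]
"""

# Every 389-ds errors-log line above has the shape "[timestamp] plugin - message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<plugin>\S+) - (?P<msg>.*)$")

# The per-user failure line written by the PAM pass-through plugin.
PAM_FAIL_RE = re.compile(
    r"Unknown PAM error \[(?P<reason>[^\]]+)\] for user id \[(?P<user>[^\]]+)\], "
    r"bind DN \[(?P<dn>[^\]]+)\]"
)


def parse_errors_log(text: str) -> List[Dict[str, str]]:
    """Split an errors log into {ts, plugin, msg} records; lines of another shape are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def pam_failures(text: str) -> List[Dict[str, str]]:
    """Return one record per failed PAM pass-through bind: ts, reason, user, dn."""
    failures = []
    for rec in parse_errors_log(text):
        if rec["plugin"] != "pam_passthru-plugin":
            continue
        m = PAM_FAIL_RE.search(rec["msg"])
        if m:
            failures.append({"ts": rec["ts"], **m.groupdict()})
    return failures


def rdn_value(dn: str) -> str:
    """PAM user id under pamIDMapMethod: RDN, i.e. the value of the bind DN's first RDN."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1]


def local_accounts() -> Set[str]:
    """Account names from the local passwd database (Unix only; used when no set is supplied)."""
    import pwd  # imported here so the module still loads where pwd is unavailable
    return {entry.pw_name for entry in pwd.getpwall()}


def users_without_local_account(text: str, accounts: Optional[Set[str]] = None) -> List[str]:
    """Mapped PAM user ids from failed binds that have no local account, in log order, deduplicated."""
    known = accounts if accounts is not None else local_accounts()
    missing: List[str] = []
    for f in pam_failures(text):
        user = rdn_value(f["dn"])
        if user not in known and user not in missing:
            missing.append(user)
    return missing


if __name__ == "__main__":
    # Constructed local account set matching the thread: only psundaram exists locally.
    constructed_accounts = {"root", "psundaram"}
    for f in pam_failures(SAMPLE_ERRORS_LOG):
        print(f"{f['ts']}: bind as {f['dn']} failed in PAM ({f['reason']})")
    print("mapped users with no local account:",
          users_without_local_account(SAMPLE_ERRORS_LOG, constructed_accounts))
```

Run it on a copy of /var/log/dirsrv/slapd-<instance>/errors and pass no account set to use the host's own passwd database. Whether a missing local account is actually what makes pam_authenticate return "Permission denied" depends on the modules stacked in /etc/pam.d/ldapserver, which the thread does not show; the script only tells you which failed bind DNs map to user ids that the local system does not know, so that the cause can be confirmed or ruled out.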