My goal is to get rid of the /etc/passwd file and authenticate my users via an LDAP database.
So, here is what I've done:
System: openSUSE 10.1

common-auth:
auth required pam_env.so
auth required pam_unix2.so
auth sufficient pam_ldap.so

common-account:
account required pam_unix2.so
account sufficient pam_ldap.so

login:
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_mail.so
account include common-account
password include common-password
session include common-session
session required pam_resmgr.so

common-session:
session required pam_limits.so
session required pam_unix2.so
session sufficient pam_ldap.so

ssh:
#%PAM-1.0
auth include common-auth
auth required pam_nologin.so
account include common-account
password include common-password
session include common-session

The user netwarrior is not part of the Unix passwd system, because I want to get rid of it; I want all my users to reside in the LDAP database.
netwarrior was added like this: smbldap-useradd netwarrior
Then:
linux:/usr/local/sbin # ./smbldap-usershow netwarrior
dn: uid=netwarrior,ou=Users,dc=netwarrior,dc=com
objectClass: top,inetOrgPerson,posixAccount,shadowAccount
cn: netwarrior
sn: netwarrior
uid: netwarrior
uidNumber: 1005
gidNumber: 513
homeDirectory: /home/netwarrior
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {SSHA}wcM+uu6ExMHrxWOebO2wVQ/rwMpmWDNI
linux:/usr/local/sbin #
linux:/usr/local/sbin # ./smbldap-passwd netwarrior   (and gave it a password)
When trying, for example, ssh netwarrior@suse from a remote machine using ssh, I get:
NOTE: This remote machine does not authenticate to the LDAP server or whatever, PDC and so on; it just tries to make an ssh connection using a known user.
tail -f /var/log/messages:
Oct 9 22:05:32 linux sshd[7005]: Invalid user netwarrior from 172.16.4.100
Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=netwarrior)"
Oct 9 22:06:16 linux slapd[6910]: send_ldap_result: conn=10 op=2 p=3
Oct 9 22:06:16 linux slapd[6910]: send_ldap_result: err=10 matched="" text=""
Oct 9 22:06:16 linux slapd[6910]: send_ldap_response: msgid=3 tag=101 err=32
Oct 9 22:06:16 linux sshd[7010]: pam_ldap: ldap_search_s No such object
Oct 9 22:06:16 linux sshd[7008]: error: PAM: User not known to the underlying authentication module for illegal user netwarrior from freebsd
Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Oct 9 22:06:16 linux slapd[6910]: daemon: activity on 1 descriptors
Oct 9 22:06:16 linux slapd[6910]: daemon: activity on:
Oct 9 22:06:16 linux slapd[6910]: 12r
Oct 9 22:06:16 linux slapd[6910]:
Oct 9 22:06:16 linux slapd[6910]: daemon: read activity on 12
Oct 9 22:06:16 linux slapd[6910]: connection_get(12)
Oct 9 22:06:16 linux slapd[6910]: connection_get(12): got connid=10
Oct 9 22:06:16 linux slapd[6910]: connection_read(12): checking for input on id=10
Oct 9 22:06:16 linux slapd[6910]: ber_get_next on fd 12 failed errno=0 (Success)
Oct 9 22:06:16 linux slapd[6910]: connection_read(12): input error=-2 id=10, closing.
Oct 9 22:06:16 linux sshd[7008]: Failed keyboard-interactive/pam for invalid user netwarrior from 172.16.4.100 port 57885 ssh2
example??? -> The base DN is netwarrior; where did it take "dc=example,dc=com" from? What am I missing?
ldap.conf on the server machine looks like this:
#BASE dc=netwarrior,dc=com
#URI ldap://127.0.0.1
#HOST 127.0.0.1
#TLS_CACERT /etc/ssl/server.crt
#TLS_REQCERT demand
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT allow
#nss_base_passwd ou=Users,dc=netwarrior,dc=com?one
#nss_base_shadow ou=Users,dc=netwarrior,dc=com?one
#nss_base_group ou=Groups,dc=netwarrior,dc=com?one
BASE, URI, HOST and nss* uncommented make no difference.
slapd.conf reads like this:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
#TLSCACertificateFile /etc/ssl/server.csr
TLSCertificateFile /etc/ssl/server.crt
TLSCertificateKeyFile /etc/ssl/server.key
TLSVerifyClient try
In sshd_config I've got:
UsePAM yes
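As an added example (not from the post, nor from pam_ldap or OpenLDAP): a short Python script that reads the active BASE out of an ldap.conf excerpt and pairs the slapd SRCH/SEARCH RESULT lines by conn/op, flagging uid lookups that ran against a different base or ended with err=32 (noSuchObject); it also lists names sshd logged as "Invalid user", which sshd emits when the getpwnam() lookup through NSS fails, before the PAM stack is consulted. The ldap.conf excerpt and log lines are constructed from the ones quoted above, and dc=netwarrior,dc=com is taken from the post as the expected base.

```python
import re

# Constructed /etc/ldap.conf excerpt mirroring the post: every BASE line is commented out.
LDAP_CONF = """\
#BASE dc=netwarrior,dc=com
#URI ldap://127.0.0.1
TLS_REQCERT allow
#nss_base_passwd ou=Users,dc=netwarrior,dc=com?one
"""

# Constructed log lines in the format quoted in the post.
LOG_LINES = [
    'Oct 9 22:05:32 linux sshd[7005]: Invalid user netwarrior from 172.16.4.100',
    'Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=netwarrior)"',
    'Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=',
]

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="\(uid=([^)]+)\)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
INVALID_RE = re.compile(r'sshd\[\d+\]: Invalid user (\S+) from (\S+)')

def configured_base(conf_text):
    """Return the active BASE from ldap.conf, or None if every BASE line is commented out."""
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "BASE":
            return parts[1].strip()
    return None

def nss_unknown_users(log_lines):
    """Names sshd rejected before PAM ran: 'Invalid user' means getpwnam() returned nothing."""
    return sorted({m.group(1) for m in map(INVALID_RE.search, log_lines) if m})

def find_base_mismatches(log_lines, expected_base):
    """Pair each slapd SRCH with its SEARCH RESULT (same conn/op) and report uid lookups
    that used a base other than expected_base or ended with err=32 (noSuchObject)."""
    pending, findings = {}, []
    for line in log_lines:
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            base, uid = pending.pop((m.group(1), m.group(2)))
            err = int(m.group(3))
            if base != expected_base or err == 32:
                findings.append({"uid": uid, "base": base, "err": err})
    return findings
```

Run against the constructed input, configured_base() returns None (no active BASE line) and the search for uid=netwarrior is flagged because it went to dc=example,dc=com and came back err=32.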
Thanks in advance, sorry for the noise.
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list