(The right place to ask this is the pam_ldap mailing list. Visit www.padl.com for more details.)

For your problem, first check /etc/nsswitch.conf and make sure ldap is listed in passwd and group. Next, make sure your LDAP server is up and listening on a public interface other than 127.0.0.1 (use nmap, netstat, etc. to verify) and that you can talk to it on your server and from your client (ldapsearch).

Then, on your client machine modify /etc/ldap.conf; you need the following entries (yours are commented out):

  1. base ou=Users,dc=netwarrior,dc=com
  2. uri ldap://suse.netwarrior.com
  3. port 636
  4. binddn the_account_to_do_bind
  5. bindpw the_password
  6. nss_base_passwd ou=Users,dc=netwarrior,dc=com?sub
  7. nss_base_group ou=Users,dc=netwarrior,dc=com?sub
  8. ssl no (take TLS out of the equation first; you can add it later after you make the non-SSL one work)

Save it and try running the command:

  getent passwd netwarrior

If you see returns, it means your NSS is working.

Then you need to tweak /etc/pam.d/sshd to make PAM work. Since netwarrior is an account in LDAP, pam_unix will return failure; if you make it "required", then the whole PAM stack will end with failure. In your auth and account parts you put "required", which would cause trouble. You may also want to add "use_first_pass" to the next PAM auth module so it won't keep asking the user to type in the password.

Hope this helps.

Yu Wang
System Administrator
Department of Computer Science
Florida State University
Go Noles!

-----Original Message-----
From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Net Warrior
Sent: Wednesday, October 11, 2006 9:49 AM
To: PAM Mailing List
Subject: LDAP + PAM

Hi there guys,

I'm asking here cuz in the openldap mailing list I was banned cuz they say that PAM is off-topic and not LDAP related.
My goal is to get rid of the /etc/passwd file and authenticate my users via the LDAP database. So, here is what I've done.

System: openSUSE 10.1

common-auth
  auth required pam_env.so
  auth required pam_unix2.so
  auth sufficient pam_ldap.so

common-account
  account required pam_unix2.so
  account sufficient pam_ldap.so

login
  auth required pam_securetty.so
  auth include common-auth
  auth required pam_nologin.so
  auth sufficient pam_ldap.so
  auth required pam_mail.so
  account include common-account
  password include common-password
  session include common-session
  session required pam_resmgr.so

common-session
  session required pam_limits.so
  session required pam_unix2.so
  session sufficient pam_ldap.so

ssh
  #%PAM-1.0
  auth include common-auth
  auth required pam_nologin.so
  account include common-account
  password include common-password
  session include common-session

The user netwarrior is not part of the Unix passwd system, cuz I wanna get rid of it; I want all my users to reside in the LDAP database. netwarrior was added like this:

  smbldap-useradd netwarrior

Then:

  linux:/usr/local/sbin # ./smbldap-usershow netwarrior
  dn: uid=netwarrior,ou=Users,dc=netwarrior,dc=com
  objectClass: top,inetOrgPerson,posixAccount,shadowAccount
  cn: netwarrior
  sn: netwarrior
  uid: netwarrior
  uidNumber: 1005
  gidNumber: 513
  homeDirectory: /home/netwarrior
  loginShell: /bin/bash
  gecos: System User
  description: System User
  userPassword: {SSHA}wcM+uu6ExMHrxWOebO2wVQ/rwMpmWDNI
  linux:/usr/local/sbin #
  linux:/usr/local/sbin # ./smbldap-passwd netwarrior

and gave it a password. When trying, for example, ssh netwarrior@suse from a remote machine using ssh, I get the following.

NOTE: This remote machine does not authenticate to the LDAP server or whatever, PDC and so on; it just tries to make an ssh connection using a known user.
tail -f /var/log/messages

  Oct 9 22:05:32 linux sshd[7005]: Invalid user netwarrior from 172.16.4.100
  Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=netwarrior)"
  Oct 9 22:06:16 linux slapd[6910]: send_ldap_result: conn=10 op=2 p=3
  Oct 9 22:06:16 linux slapd[6910]: send_ldap_result: err=10 matched="" text=""
  Oct 9 22:06:16 linux slapd[6910]: send_ldap_response: msgid=3 tag=101 err=32
  Oct 9 22:06:16 linux sshd[7010]: pam_ldap: ldap_search_s No such object
  Oct 9 22:06:16 linux sshd[7008]: error: PAM: User not known to the underlying authentication module for illegal user netwarrior from freebsd
  Oct 9 22:06:16 linux slapd[6910]: conn=10 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
  Oct 9 22:06:16 linux slapd[6910]: daemon: activity on 1 descriptors
  Oct 9 22:06:16 linux slapd[6910]: daemon: activity on:
  Oct 9 22:06:16 linux slapd[6910]: 12r
  Oct 9 22:06:16 linux slapd[6910]:
  Oct 9 22:06:16 linux slapd[6910]: daemon: read activity on 12
  Oct 9 22:06:16 linux slapd[6910]: connection_get(12)
  Oct 9 22:06:16 linux slapd[6910]: connection_get(12): got connid=10
  Oct 9 22:06:16 linux slapd[6910]: connection_read(12): checking for input on id=10
  Oct 9 22:06:16 linux slapd[6910]: ber_get_next on fd 12 failed errno=0 (Success)
  Oct 9 22:06:16 linux slapd[6910]: connection_read(12): input error=-2 id=10, closing.
  Oct 9 22:06:16 linux sshd[7008]: Failed keyboard-interactive/pam for invalid user netwarrior from 172.16.4.100 port 57885 ssh2

example???
-> the base dn is netwarrior, so where did it take "dc=example,dc=com" from? What am I missing?

ldap.conf on the server machine is like this:

  #BASE dc=netwarrior,dc=com
  #URI ldap://127.0.0.1
  #HOST 127.0.0.1
  #TLS_CACERT /etc/ssl/server.crt
  #TLS_REQCERT demand
  #SIZELIMIT 12
  #TIMELIMIT 15
  #DEREF never
  TLS_REQCERT allow
  #nss_base_passwd ou=Users,dc=netwarrior,dc=com?one
  #nss_base_shadow ou=Users,dc=netwarrior,dc=com?one
  #nss_base_group ou=Groups,dc=netwarrior,dc=com?one

BASE, URI, HOST and nss* uncommented make no difference.

slapd.conf reads like this:

  TLSCipherSuite HIGH:MEDIUM:+SSLv3
  #TLSCACertificateFile /etc/ssl/server.csr
  TLSCertificateFile /etc/ssl/server.crt
  TLSCertificateKeyFile /etc/ssl/server.key
  TLSVerifyClient try

In sshd_config I've got:

  UsePAM yes

Thanks in advance, sorry for the noise.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
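The three checks from Yu Wang's reply (ldap in nsswitch.conf, the required ldap.conf keys, and a "required" pam_unix entry ahead of pam_ldap in the auth stack) written as shell functions; this is an added example, not code from either participant. The sample files it writes are constructed to mirror the poster's configuration, and the "fixed" stack is an assumed reordering with use_first_pass, not a fix tested in the thread.

```shell
#!/bin/sh
# Added diagnostic helpers, not from the thread. Each reads a config file you pass in and
# encodes one check from the reply. The sample files written below are constructed to
# mirror the poster's configuration; the "fixed" stack is an assumed reordering, not a
# tested fix from either participant.

# Returns 0 when both the passwd and group lines of nsswitch.conf list "ldap".
nss_has_ldap() {
  for db in passwd group; do
    awk -v db="$db:" '$1==db {for (i=2;i<=NF;i++) if ($i=="ldap") ok=1} END {exit !ok}' "$1" || return 1
  done
}

# Prints each key from the reply's ldap.conf list that is absent or commented out ("#base").
ldap_conf_missing() {
  for key in base uri port binddn bindpw nss_base_passwd nss_base_group; do
    awk -v k="$key" 'tolower($1)==k {ok=1} END {exit !ok}' "$1" || echo "$key"
  done
}

# Returns 0 when "auth required pam_unix*" precedes "auth sufficient pam_ldap.so": an
# LDAP-only user fails pam_unix, and "required" then fails the stack before pam_ldap matters.
pam_unix_blocks_ldap() {
  awk '$1=="auth" && $2=="required"   && $3 ~ /^pam_unix/  {ureq=1}
       $1=="auth" && $2=="sufficient" && $3=="pam_ldap.so" && ureq {hit=1}
       END {exit !hit}' "$1"
}

DEMO=$(mktemp -d)
printf 'passwd: compat ldap\ngroup:  compat ldap\nshadow: compat\n' > "$DEMO/nsswitch.conf"
printf '#BASE dc=netwarrior,dc=com\nuri ldap://suse.netwarrior.com\nTLS_REQCERT allow\n' > "$DEMO/ldap.conf"
printf 'auth required pam_env.so\nauth required pam_unix2.so\nauth sufficient pam_ldap.so\n' > "$DEMO/common-auth"
printf 'auth required pam_env.so\nauth sufficient pam_ldap.so\nauth required pam_unix2.so use_first_pass\n' > "$DEMO/common-auth.fixed"

nss_has_ldap "$DEMO/nsswitch.conf" && echo "nsswitch.conf: ldap listed for passwd and group"
echo "ldap.conf keys still missing: $(ldap_conf_missing "$DEMO/ldap.conf" | xargs)"
pam_unix_blocks_ldap "$DEMO/common-auth" && echo "common-auth: required pam_unix2 fails the stack for LDAP-only users"
pam_unix_blocks_ldap "$DEMO/common-auth.fixed" || echo "common-auth.fixed: pam_ldap is consulted first"
```

Point the functions at the real /etc/nsswitch.conf, /etc/ldap.conf and /etc/pam.d/common-auth to run the same checks on the client box; "getent passwd netwarrior" still remains the end-to-end test for NSS.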