Anyone to help?
On Tue, Mar 22, 2016, 14:06 Diogo Kiss <diogokiss@xxxxxxxxx> wrote:
Hi,

I'm having trouble configuring Postgres to use PAM authentication + LDAP.

I managed to configure the pam_ldap.so module successfully to

* Authorize (account) SSH users from specific groups
* Authenticate (auth) and authorize (account) users via su

But when I tried to use it to authenticate PostgreSQL against my LDAP server, I get a message saying nothing more than:

$ psql -h localhost -U dki -d payment
Password for user dki:
psql: FATAL: PAM authentication failed for user "dki"
FATAL: PAM authentication failed for user "dki"

Logs from /var/log/* and /var/log/postgres/* are the following:

2016-03-22T11:02:34.155848+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
2016-03-22T11:02:34.156137+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: reconnecting to LDAP server...
2016-03-22T11:02:34.198306+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
[2016-03-22 11:02:34.198 UTC] 127.0.0.1 56f1264a.3357 payment LOG: could not receive data from client: Connection reset by peer
[2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment LOG: pam_authenticate failed: Authentication failure
[2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment FATAL: PAM authentication failed for user "dki"
[2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment DETAIL: Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
2016-03-22T11:02:37.160995+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
2016-03-22T11:02:37.161091+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: reconnecting to LDAP server...
2016-03-22T11:02:37.194711+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
2016-03-22T11:02:37.194952+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
2016-03-22T11:02:37.195122+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: reconnecting to LDAP server...
2016-03-22T11:02:37.228302+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
[2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment LOG: pam_authenticate failed: Authentication failure
[2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment FATAL: PAM authentication failed for user "dki"
[2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment DETAIL: Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
2016-03-22T11:02:37.266582+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
2016-03-22T11:02:37.266682+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: reconnecting to LDAP server...
2016-03-22T11:02:37.299936+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
2016-03-22T11:02:37.300098+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
2016-03-22T11:02:37.300189+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: reconnecting to LDAP server...
[2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment LOG: pam_authenticate failed: Authentication failure
[2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment FATAL: PAM authentication failed for user "dki"
[2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment DETAIL: Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
2016-03-22T11:02:37.334239+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server

Without the reason that pam_ldap can't contact the LDAP server, I can't fix it. =(

My configuration files are as follows:

/etc/nsswitch.conf:

passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files myhostname dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/nslcd.conf:

uid nslcd
gid nslcd
uri ldaps://myserver.com:636
base dc=mycompany,dc=com
ssl on
tls_reqcert demand
tls_cacertfile /etc/mycompany/tls/mycompany_ca.cert
tls_cert /etc/mycompany/tls/client.cert
tls_key /etc/mycompany/tls/client.key
filter shadow (objectClass=posixAccount)
bind_timelimit 2
timelimit 2
reconnect_sleeptime 1
reconnect_retrytime 1

/etc/ldap.conf:

base dc=mycompany,dc=com
uri ldaps://myserver.com:636
ldap_version 3
port 636
timelimit 2 # in seconds
bind_timelimit 2 # in seconds
nss_base_passwd ou=People,dc=mycompany,dc=com
nss_base_shadow ou=People,dc= mycompany,dc=com
nss_base_group ou=Group,dc=mycompany,dc=com
ssl on
tls_checkpeer yes
tls_cacert /etc/mycompany/tls/mycompany_ca.cert
tls_cert /etc/mycompany/tls/client.cert
tls_key /etc/mycompany/tls/client.key
nss_reconnect_tries 1
nss_reconnect_sleeptime 1 # in seconds
nss_reconnect_maxsleeptime 1 # in seconds
nss_reconnect_maxconntries 1
nss_initgroups_ignoreusers backup,bin,bind,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,proxy,root,sshd,sync,sys,syslog,uucp,www-data,zabbix

/etc/pam.d/postgresql:

auth sufficient pam_ldap.so try_first_pass ignore_authinfo_unavail
auth requisite pam_deny.so

$ ls -lh /etc/ldap/ldap.conf
lrwxrwxrwx 1 root root 14 Mar 22 10:31 /etc/ldap/ldap.conf -> /etc/ldap.conf

Can anyone help me out or point out how to increase debug information?

According to: http://linux.die.net/man/5/pam_ldap
- debug
- This option is recognized by pam_ldap but is presently ignored.
Thanks in advance,

Diogo Kiss
E-mail : diogokiss@xxxxxxxxx
Tel.: +45 2834 1111
GTalk: diogokiss@xxxxxxxxx
MSN: diogokiss@xxxxxxxxx
Y!: diogokiss
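The logs above interleave two sources: pam_ldap writes "ldap_simple_bind Can't contact LDAP server" to syslog, while the PostgreSQL server log only records the generic "PAM authentication failed for user". From the server log alone, an LDAP outage and a wrong password look identical, which matters both for debugging a setup like this one and for anyone monitoring authentication failures. The following Python script is an added example, not code from the thread or from PostgreSQL or pam_ldap: it parses both log formats exactly as they appear in the message, and for every PostgreSQL FATAL PAM failure checks whether a pam_ldap "Can't contact LDAP server" event was logged shortly before it, classifying the failure as an LDAP reachability problem rather than a credential problem. The sample input is a few lines taken from the thread plus one constructed failure (session id and time are made up) that has no preceding pam_ldap error, so both branches are exercised; the 5-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Syslog line written by pam_ldap, in the format seen in the thread.
PAM_LDAP_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+[+-]\d\d:\d\d) '
    r'\S+ \S+ : pam_ldap: (?P<msg>.*)$'
)
# PostgreSQL server log line, matching the log_line_prefix seen in the thread.
PG_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) UTC\] '
    r'(?P<client>\S+) (?P<session>\S+) (?P<db>\S+) '
    r'(?P<level>LOG|FATAL|DETAIL): (?P<msg>.*)$'
)
FATAL_USER_RE = re.compile(r'PAM authentication failed for user "(?P<user>[^"]+)"')
LDAP_DOWN_MARKER = "Can't contact LDAP server"

# Sample input: lines copied from the thread, followed by one constructed
# failure (fake session id and time) with no pam_ldap error before it.
SAMPLE_LINES = """\
2016-03-22T11:02:34.155848+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
2016-03-22T11:02:34.156137+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: reconnecting to LDAP server...
2016-03-22T11:02:34.198306+00:00 base-i-vagranto.vagrant.test.ts.sv 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
[2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment LOG: pam_authenticate failed: Authentication failure
[2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment FATAL: PAM authentication failed for user "dki"
[2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment DETAIL: Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
[2016-03-22 11:05:10.000 UTC] 127.0.0.1 56f126ea.3401 payment LOG: pam_authenticate failed: Authentication failure
[2016-03-22 11:05:10.000 UTC] 127.0.0.1 56f126ea.3401 payment FATAL: PAM authentication failed for user "dki"
""".splitlines()


def parse_line(line):
    """Return (source, utc_timestamp, fields) for a recognised line, else None."""
    m = PAM_LDAP_RE.match(line)
    if m:
        # The syslog stamp carries its own offset; fromisoformat keeps it.
        ts = datetime.fromisoformat(m.group("ts"))
        return ("pam_ldap", ts, {"msg": m.group("msg")})
    m = PG_RE.match(line)
    if m:
        # PostgreSQL printed the zone as a literal "UTC", so attach it explicitly.
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        ts = ts.replace(tzinfo=timezone.utc)
        return ("postgres", ts, {"session": m.group("session"),
                                 "level": m.group("level"),
                                 "msg": m.group("msg")})
    return None


def classify_failures(lines, window=timedelta(seconds=5)):
    """For each PostgreSQL FATAL PAM failure, decide whether pam_ldap reported
    the LDAP server as unreachable within `window` before it."""
    events = [e for e in (parse_line(l.rstrip("\n")) for l in lines) if e]
    ldap_down_times = [ts for src, ts, f in events
                       if src == "pam_ldap" and LDAP_DOWN_MARKER in f["msg"]]
    results = []
    for src, ts, f in events:
        if src != "postgres" or f["level"] != "FATAL":
            continue
        um = FATAL_USER_RE.search(f["msg"])
        if not um:
            continue
        preceded = any(ts - window <= t <= ts for t in ldap_down_times)
        results.append({
            "time": ts.isoformat(),
            "session": f["session"],
            "user": um.group("user"),
            # Unreachable directory == infrastructure problem, not a bad password.
            "cause": "ldap_unreachable" if preceded else "credential_or_other",
        })
    return results


def summarize(results):
    """Count failures per cause; the shape a dashboard or alert rule would use."""
    counts = {}
    for r in results:
        counts[r["cause"]] = counts.get(r["cause"], 0) + 1
    return counts


if __name__ == "__main__":
    found = classify_failures(SAMPLE_LINES)
    for r in found:
        print(f'{r["time"]} session={r["session"]} user={r["user"]} cause={r["cause"]}')
    print(summarize(found))
```

Run against real files with something like `classify_failures(open("/var/log/auth.log").readlines() + open("/var/log/postgresql/postgresql.log").readlines())`; the two logs only need to share a clock, which they do here since both are stamped in UTC. A burst of `ldap_unreachable` results points at the directory connection (name resolution, port 636 reachability, TLS trust or client certificate), whereas `credential_or_other` failures with the directory healthy are the ones worth treating as possible password guessing.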