[opensuse] ldap authentication to Novell eDirectory
I'm trying to set up LDAP authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in LDAP, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation. First, the error I see in the log is:
pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
I can successfully bind to LDAP using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct. Connection to LDAP is not encrypted, so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password differently, maybe it's encrypting or something, don't know. In /etc/ldap.conf I've set:
host 192.168.100.21
base o=root
bind_policy soft
pam_lookup_policy yes
pam_password nds
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
I also tried pam_password clear. Anyone have any suggestions? Maybe I'm just overlooking something very basic.
The complete output from the log is:
Aug 31 13:48:32 sles11 sshd[19756]: Invalid user myid from 192.168.100.24
Aug 31 13:48:39 sles11 sshd[19761]: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
Aug 31 13:48:39 sles11 sshd[19761]: pam_unix(sshd:auth): check pass; user unknown
Aug 31 13:48:39 sles11 sshd[19761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.100.24
Aug 31 13:48:41 sles11 sshd[19756]: error: PAM: User not known to the underlying authentication module for illegal user myid from 192.168.100.24
Aug 31 13:48:41 sles11 sshd[19756]: Failed keyboard-interactive/pam for invalid user myid from 192.168.100.24 port 38256 ssh2
Aug 31 13:50:32 sles11 sshd[19762]: error: ssh_msg_send: write
Aug 31 13:50:32 sles11 sshd[19762]: pam_unix(sshd:auth): conversation failed
Aug 31 13:50:32 sles11 sshd[19762]: pam_unix(sshd:auth): auth could not identify password for [myid]
Aug 31 13:50:32 sles11 sshd[19762]: error: ssh_msg_send: write
Thanks, James
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Tue, 2010-08-31 at 15:18 -0400, James Pifer wrote:
I'm trying to setup ldap authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in ldap, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation. First, the error I see in the log is: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
Is this a DN you've specified anywhere?
I can successfully bind to ldap using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct. Connection to ldap is not encrypted so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password different, maybe it's encrypting or something, don't know.
PAM doesn't typically bind as "the user" but looks up information using some generic credentials. Is NSS working? Specified in /etc/ldap.conf (for example):
---------------------------------------------------
binddn uid=nss,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
bindpw *************
In /etc/ldap.conf I've set:
host 192.168.100.21
base o=root
"o=root" Really?
bind_policy soft
pam_lookup_policy yes
pam_password nds
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
I also tried pam_password clear.
That only has to do with *changing* the passwords. PAM doesn't need to know what crypts the DSA does/doesn't use in order to authenticate. I assume you'd use "nds" here.
Anyone have any suggestions? Maybe I'm just overlooking something very basic. The complete output from the log is:
Aug 31 13:48:32 sles11 sshd[19756]: Invalid user myid from 192.168.100.24
Aug 31 13:48:39 sles11 sshd[19761]: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
Aug 31 13:48:39 sles11 sshd[19761]: pam_unix(sshd:auth): check pass; user unknown
Aug 31 13:48:39 sles11 sshd[19761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.100.24
Aug 31 13:48:41 sles11 sshd[19756]: error: PAM: User not known to the underlying authentication module for illegal user myid from 192.168.100.24
Aug 31 13:48:41 sles11 sshd[19756]: Failed keyboard-interactive/pam for invalid user myid from 192.168.100.24 port 38256 ssh2
Aug 31 13:50:32 sles11 sshd[19762]: error: ssh_msg_send: write
Aug 31 13:50:32 sles11 sshd[19762]: pam_unix(sshd:auth): conversation failed
Aug 31 13:50:32 sles11 sshd[19762]: pam_unix(sshd:auth): auth could not identify password for [myid]
Aug 31 13:50:32 sles11 sshd[19762]: error: ssh_msg_send: write
-- Adam Tauno Williams <awilliam@whitemice.org> LPIC-1, Novell CLA <http://www.whitemiceconsulting.com> OpenGroupware, Cyrus IMAPd, Postfix, OpenLDAP, Samba
On Tue, 2010-08-31 at 16:04 -0400, Adam Tauno Williams wrote:
On Tue, 2010-08-31 at 15:18 -0400, James Pifer wrote:
I'm trying to setup ldap authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in ldap, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation. First, the error I see in the log is: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
Is this a DN you've specified anywhere?
No, it's doing an anonymous bind. I'm authenticating as myid with ssh, but it successfully finds the correct DN for myid. It then tries a simple bind to ldap with that DN, but looks like it's hosing the password.
I can successfully bind to ldap using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct. Connection to ldap is not encrypted so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password different, maybe it's encrypting or something, don't know.
PAM doesn't typically bind as "the user" but looks up information using some generic credentials. Is NSS working?
It's doing an anonymous bind, which appears successful.
Specified in /etc/ldap.conf (for example):
---------------------------------------------------
binddn uid=nss,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
bindpw *************
In /etc/ldap.conf I've set:
host 192.168.100.21
base o=root
"o=root" Really?
No, private information posted has been changed, such as username, OU's and O. Thanks, James
On Tuesday 31 August 2010 21:18:15 James Pifer wrote:
I'm trying to setup ldap authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in ldap, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation.
First, the error I see in the log is: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
I can successfully bind to ldap using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct.
Connection to ldap is not encrypted so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password different, maybe it's encrypting or something, don't know.
Have you looked at this? http://www.novell.com/communities/node/8438/troubleshooting-pamldap-against-edirectory-issues
Note that I'm not really an eDirectory guy, that's just what a quick search turned up. The bit about posixAccount I'm pretty sure is important, so if this is an existing pre-Linux eDirectory installation, maybe you've forgotten to add that.
Anders
Hi James,
On Tuesday 31 August 2010 21:18:15 James Pifer wrote:
I'm trying to set up LDAP authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in LDAP, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation.
First, the error I see in the log is: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
I can successfully bind to LDAP using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct.
Connection to LDAP is not encrypted, so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password differently, maybe it's encrypting or something, don't know.
No. pam_ldap is not touching the password sent in the LDAP Bind Request. But sshd does in some situations overwrite the password that it sends to the PAM stack. IIRC it sets it to a value containing the string "INCORRECT" (plus some additional non-printable chars). Is that what you see in your LDAP capture? If yes, then something is still wrong with either your nss_ldap/pam_ldap configuration or with your sshd config. AFAIK one situation when sshd does this overwriting is when it is not able to resolve the username correctly. Does the following work on the server you are trying to log into?
getent passwd <your-user-id>
In /etc/ldap.conf I've set:
host 192.168.100.21
base o=root
bind_policy soft
pam_lookup_policy yes
pam_password nds
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
I also tried pam_password clear.
Anyone have any suggestions? Maybe I'm just overlooking something very basic.
The complete output from the log is:
Aug 31 13:48:32 sles11 sshd[19756]: Invalid user myid from 192.168.100.24
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This line indicates that sshd could not correctly resolve the user "myid". Please check your nss_ldap setup.
Aug 31 13:48:39 sles11 sshd[19761]: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials) [..]
-- Ralf
On Wed, 2010-09-01 at 10:12 +0200, Ralf Haferkamp wrote:
Hi James,
On Tuesday 31 August 2010 21:18:15 James Pifer wrote:
I'm trying to set up LDAP authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in LDAP, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation.
First, the error I see in the log is: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
I can successfully bind to LDAP using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct.
Connection to LDAP is not encrypted, so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password differently, maybe it's encrypting or something, don't know.
No. pam_ldap is not touching the password sent in the LDAP Bind Request. But sshd does in some situations overwrite the password that it sends to the PAM stack. IIRC it sets it to a value containing the string "INCORRECT" (plus some additional non-printable chars). Is that what you see in your LDAP capture? If yes, then something is still wrong with either your nss_ldap/pam_ldap configuration or with your sshd config. AFAIK one situation when sshd does this overwriting is when it is not able to resolve the username correctly. Does the following work on the server you are trying to log into?
getent passwd <your-user-id>
No, getent doesn't work. The user doesn't need to exist in the local passwd, does it? Thanks, James
On Wednesday 01 September 2010 14:08:51 James Pifer wrote:
No, getent doesn't work. The user doesn't need to exist in the local passwd does it?
getent reads from directory services as well. Provided, that is, that the service responds correctly. Did you try the server-side debugging tricks from the link I sent?
Anders
On Wed, 2010-09-01 at 14:16 +0200, Anders Johansson wrote:
On Wednesday 01 September 2010 14:08:51 James Pifer wrote:
No, getent doesn't work. The user doesn't need to exist in the local passwd does it?
getent reads from directory services as well
Provided, that is, that the service responds correctly. Did you try the server side debugging tricks from the link I sent?
Yes, I'm looking at it now. Thanks, James
On Wednesday 01 September 2010 14:08:51 James Pifer wrote:
On Wed, 2010-09-01 at 10:12 +0200, Ralf Haferkamp wrote:
Hi James,
On Tuesday 31 August 2010 21:18:15 James Pifer wrote:
I'm trying to setup ldap authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in ldap, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation.
First, the error I see in the log is: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
I can successfully bind to ldap using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct.
Connection to ldap is not encrypted so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password different, maybe it's encrypting or something, don't know.
No. pam_ldap is not touching the password sent in the LDAP Bind Request. But sshd does in some situation overwrite the password that it sends to the PAM stack. IIRC it sets it to a value containing the string "INCORRECT" (plus some addtional non-printable chars). Is that what you see in your LDAP capture? If yes then something is still wrong with either your nss_ldap/pam_ldap configuration or with your sshd config. AFAIK one situation when sshd does this overwriting is when it is not able to resolve the username correctly. Does the following work on the server you are trying to log into?
getent passwd <your-user-id>
No, getent doesn't work. The user doesn't need to exist in the local passwd, does it?
Yes, it does not need to exist in /etc/passwd. But you have to set up your system so that it resolves the users from LDAP then. I.e. you have to configure nss_ldap. Setting up pam_ldap is not enough. Please check your /etc/nsswitch.conf and enable LDAP lookups there, if you haven't already.
-- Ralf
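Ralf's two checks (does getent resolve the account, and does /etc/nsswitch.conf actually hand passwd, group and shadow lookups to LDAP) can be scripted so the NSS side is verified before anyone looks at pam_ldap again. The script below is an added example for this thread, not code any of the posters sent. The nsswitch.conf contents it writes are constructed samples; besides the plain "ldap" source it also accepts glibc's nss_compat spelling ("passwd: compat" plus "passwd_compat: ldap"), which the thread does not discuss.

```shell
#!/bin/sh
# Added example (not from the thread): check whether NSS, not just PAM, is
# wired to LDAP. pam_ldap can find the user's DN on its own, but sshd first
# asks NSS whether the account exists; if that lookup fails sshd logs
# "Invalid user" and PAM never sees the real password, so the bind fails too.

# nss_db_uses_ldap FILE DB: succeed if DB (passwd, group or shadow) in the
# nsswitch.conf at FILE resolves through LDAP, either as a direct "ldap"
# source or via the glibc nss_compat form "DB: compat" + "DB_compat: ldap".
nss_db_uses_ldap() {
    file=$1; db=$2
    awk -v db="$db" '
        { sub(/#.*/, "") }                                   # drop comments
        match($0, "^[ \t]*" db "[ \t]*:")        { direct = substr($0, RLENGTH + 1) }
        match($0, "^[ \t]*" db "_compat[ \t]*:") { compat = substr($0, RLENGTH + 1) }
        END {
            if (has(direct, "ldap")) exit 0
            if (has(direct, "compat") && has(compat, "ldap")) exit 0
            exit 1
        }
        function has(list, word,   n, i, tok) {
            n = split(list, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) if (tok[i] == word) return 1
            return 0
        }' "$file"
}

# user_resolves USER: the same question sshd asks NSS before it runs PAM.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# nss_report FILE DB...: one line per database; return 1 if any of them
# is not served by LDAP.
nss_report() {
    file=$1; shift; rc=0
    for db in "$@"; do
        if nss_db_uses_ldap "$file" "$db"; then
            echo "$db: resolved through ldap"
        else
            echo "$db: NOT resolved through ldap (fix $file before touching pam_ldap)"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples. "broken" is a host where only PAM was pointed at
# LDAP, "fixed" adds ldap to NSS, "compat" uses the nss_compat spelling.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/nsswitch.broken" <<'EOF'
passwd: compat
group:  compat
shadow: compat
hosts:  files dns
EOF
cat > "$SAMPLES/nsswitch.fixed" <<'EOF'
passwd: compat ldap
group:  compat ldap
shadow: compat ldap   # trailing comment must not confuse the parser
hosts:  files dns
EOF
cat > "$SAMPLES/nsswitch.compat" <<'EOF'
passwd:        compat
passwd_compat: ldap
group:         compat
group_compat:  ldap
shadow:        compat
shadow_compat: ldap
EOF

# On a real host run:
#   nss_report /etc/nsswitch.conf passwd group shadow
#   user_resolves myid && echo "myid resolves" || echo "myid does NOT resolve"
nss_report "$SAMPLES/nsswitch.broken" passwd group shadow || true
nss_report "$SAMPLES/nsswitch.fixed"  passwd group shadow
```

If nss_report is clean but user_resolves still fails, the problem has moved from the client to the directory: the base, the host, or the entry itself (no POSIX attributes), which is where the rest of the thread goes.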
On Wed, 2010-09-01 at 14:33 +0200, Ralf Haferkamp wrote:
On Wednesday 01 September 2010 14:08:51 James Pifer wrote:
On Wed, 2010-09-01 at 10:12 +0200, Ralf Haferkamp wrote:
Hi James,
On Tuesday 31 August 2010 21:18:15 James Pifer wrote:
I'm trying to setup ldap authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in ldap, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation.
First, the error I see in the log is: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
I can successfully bind to ldap using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct.
Connection to ldap is not encrypted so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password different, maybe it's encrypting or something, don't know.
No. pam_ldap is not touching the password sent in the LDAP Bind Request. But sshd does in some situation overwrite the password that it sends to the PAM stack. IIRC it sets it to a value containing the string "INCORRECT" (plus some addtional non-printable chars). Is that what you see in your LDAP capture? If yes then something is still wrong with either your nss_ldap/pam_ldap configuration or with your sshd config. AFAIK one situation when sshd does this overwriting is when it is not able to resolve the username correctly. Does the following work on the server you are trying to log into?
getent passwd <your-user-id>
No, getent doesn't work. The user doesn't need to exist in the local passwd, does it?
Yes, it does not need to exist in /etc/passwd. But you have to set up your system so that it resolves the users from LDAP then. I.e. you have to configure nss_ldap. Setting up pam_ldap is not enough. Please check your /etc/nsswitch.conf and enable LDAP lookups there, if you haven't already.
--
Yes, nsswitch is set up. I'm going through the link that Anders sent. I'll see where that takes me. Thanks, James
On Tue, 31 Aug 2010 15:18:15 -0400, James Pifer wrote:
I'm trying to setup ldap authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in ldap, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation.
Hi, James -
A couple questions:
1. Are the POSIX schema extensions in place on the server?
2. In eDirectory, are you using the standard password, Universal Password, or some other configuration? (I note in your ldap.conf file you've got the nds password selected.)
The thing that makes me think that the POSIX extensions aren't there (you need both POSIXUser and POSIXGroup IIRC) is that you don't seem to be getting a mapping of the login name or uid. If the schema extensions are installed, the next step is to verify (a) that schema sync has completed appropriately (you might do a schema compare between the server with the master of [Root] and the server you're authenticating to if you have more than one server in the tree). If there is more than one server in the tree, you also need to be sure that the LDAP server you're contacting has a local replica (easiest configuration) or that you are properly configured to pass LDAP referrals back to PAM and that PAM will chase the referrals.
It's been a while since I played around with this (I used to teach the eDirectory Advanced Technical Training for Novell), but off the top of my head, that's where I'd start.
Jim
-- Jim Henderson Please keep on-topic replies on the list so everyone benefits
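Anders' link and Jim's reply come back to the same precondition: nss_ldap can only return a passwd line for myid if the entry carries the RFC 2307 posixAccount class and its attributes (uid, uidNumber, gidNumber, homeDirectory, loginShell), which is what the POSIX schema extension adds to eDirectory. The script below is an added example, not from the thread, that checks an exported entry for exactly that. The LDIF it writes is constructed sample data, not the poster's tree; the DN reuses the anonymised cn=myid,ou=my ou,o=root from the log, and the ldapsearch line in the comment assumes the anonymous bind James described is allowed to read those attributes.

```shell
#!/bin/sh
# Added example (not from the thread): check one user entry, exported as
# LDIF, for the RFC 2307 pieces nss_ldap needs before it can map a login
# name to a uid. Without them "getent passwd myid" is empty and sshd logs
# "Invalid user" even though the DN and password are fine.

# ldif_posix_check FILE: read a single LDIF entry, join continuation lines,
# and report which posixAccount pieces are missing. Exit 0 when complete.
ldif_posix_check() {
    awk '
        /^ / { buf = buf substr($0, 2); next }          # LDIF continuation line
        { if (buf != "") handle(buf); buf = $0 }
        END { if (buf != "") handle(buf); report() }

        function handle(line,   p, name, value) {
            if (line == "" || line ~ /^#/) return
            p = index(line, ":")
            if (p == 0) return
            name  = tolower(substr(line, 1, p - 1))
            value = substr(line, p + 1)
            sub(/^[: \t]+/, "", value)                  # also skips a "::" base64 marker
            if (name == "objectclass") have["objectclass:" tolower(value)] = 1
            else have[name] = 1
        }
        function report(   n, i, need, missing) {
            n = split("objectClass:posixAccount uid uidNumber gidNumber homeDirectory loginShell", need, " ")
            for (i = 1; i <= n; i++)
                if (!(tolower(need[i]) in have)) missing = missing " " need[i]
            if (missing != "") { print "missing:" missing; exit 1 }
            print "ok: posixAccount and every attribute nss_ldap maps are present"
            exit 0
        }' "$1"
}

# Constructed samples: the same user before and after the POSIX attributes.
LDIFS=$(mktemp -d)
trap 'rm -rf "$LDIFS"' EXIT
cat > "$LDIFS/myid.before.ldif" <<'EOF'
# constructed: a plain directory user with no POSIX extension
dn: cn=myid,ou=my ou,o=root
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: Top
cn: myid
sn: Example
EOF
cat > "$LDIFS/myid.after.ldif" <<'EOF'
# constructed: the same user once the RFC 2307 attributes were added
dn: cn=myid,ou=my ou,o=root
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: posixAccount
objectClass: Top
cn: myid
sn: Example
uid: myid
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/myid
loginShell: /bin/bash
description: a long value continued on the next LDIF
 line, which the parser joins before checking
EOF

# Against the live tree (anonymous simple bind, host and base from the thread):
#   ldapsearch -x -H ldap://192.168.100.21 -b "o=root" "(cn=myid)" | ldif_posix_check /dev/stdin
ldif_posix_check "$LDIFS/myid.before.ldif" || true
ldif_posix_check "$LDIFS/myid.after.ldif"
```

If the anonymous search returns the entry but the attributes are absent from the output, check the directory's attribute-level read ACLs before assuming the schema is missing: an entry that has uidNumber but does not expose it to the anonymous bind looks identical to one that lacks it.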