ldap authentication problem
Hi,
I have installed openldap server on 1 machine (10.40.10.186). It is CentOS 4.4. I created a ldap user named 'ramesh' on this machine. The openldap client is installed on another machine (10.40.10.217). It is CentOS 5.

To enable ldap authentication, I modified 3 files on this machine:
1) /etc/ldap.conf
2) /etc/openldap/ldap.conf
3) /etc/nsswitch.conf

I wish to access 10.40.10.217 using ldap-user ramesh. But I am unable to do so. The details are as follows:

The output of "getent passwd ramesh" command on client machine (10.40.10.217) is:
Code:
ramesh:x:701:700:Ramesh Patil:/home/ramesh:/bin/bash

The output of "finger ramesh" command is:
Code:
Login: ramesh                           Name: Ramesh Patil
Directory: /home/ramesh                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.

The output of ldapsearch command is as follows:
Code:
dn: uid=ramesh,dc=mwm,dc=com
objectClass: top
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
cn: Ramesh Patil
uid: ramesh
uidNumber: 701
gidNumber: 700
loginShell: /bin/bash
homeDirectory: /home/ramesh
shadowLastChange: 13908
shadowMin: 0
shadowMax: 99999
shadowInactive: -1
shadowWarning: 7
shadowFlag: 0
shadowExpire: -1
userPassword:: cmFtZXNo

On client machine (10.40.10.217), the files are as follows (PS: I have ignored comment lines in all files):

1) /etc/ldap.conf
Code:
host 10.40.10.186
base dc=mwm,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600

2) /etc/openldap/ldap.conf
Code:
HOST 10.40.10.186
BASE dc=mwm,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

3) /etc/nsswitch.conf
Code:
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap
netgroup:   nisplus ldap
publickey:  nisplus
automount:  files ldap
aliases:    files

On ldap-server machine (10.40.10.186), the /etc/openldap/slapd.conf is as follows:
Code:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
database bdb
suffix "dc=mwm,dc=com"
rootdn "cn=Manager,dc=mwm,dc=com"
rootpw {SSHA}ZU7FCC7Y+RDeMnC6Y4q2YPa6KOd5TyTS
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

I read many how-tos and manuals regarding ldap authentication. Still no success in solving this problem. Kindly tell me if I am missing something.

Thanks in advance.
Raghavendra.
You are missing libpam-ldap or just haven't configured it yet.
problem solved
Hi,
Thanks rupertwh for your advice. On client machine (10.40.10.217) I ran the following command:
Code:
# authconfig-tui

It displayed a menu as shown below. I selected the options as indicated by asterisk (*).
Code:
                   Authentication Configuration

  User Information                Authentication
  [ ] Cache Information           [*] Use MD5 Passwords
  [ ] Use Hesiod                  [*] Use Shadow Passwords
  [*] Use LDAP                    [*] Use LDAP Authentication
  [ ] Use NIS                     [ ] Use Kerberos
  [ ] Use Winbind                 [ ] Use SMB Authentication
                                  [ ] Use Winbind Authentication
                                  [*] Local authorization is sufficient

                      [Cancel]        [Next]

On clicking "Next" the following menu was displayed. I entered the Server and Base DN as shown below (Note: 10.40.10.186 is the machine where ldap server is installed).
Code:
                          LDAP Settings

  [ ] Use TLS
  Server:  ldap://10.40.10.186/
  Base DN: dc=mwm,dc=com

                      [Back]        [Ok]

This solved the problem. Now I am able to login on client machine (10.40.10.217) using ldap-user.
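The fix above works because authconfig writes pam_ldap.so into the PAM stack; the original symptom (getent resolved the user, login still failed) is the signature of NSS being configured while PAM is not. The following added example, not part of the thread, separates those two layers: it reads an nsswitch.conf (the one posted above) and a PAM stack and reports which layer would stop an LDAP-only user from logging in. The two PAM texts are constructed: the 'before' stack has no pam_ldap lines, the 'after' stack is modelled on the system-auth-ac that authconfig generates on RHEL/CentOS 5.

```python
"""Tell apart the two client-side layers of an LDAP login: NSS (does the
system know the user?) and PAM (will it authenticate the user?).

Added example, not from the thread. NSSWITCH is the file posted above;
PAM_BEFORE and PAM_AFTER are constructed sample stacks.
"""
import re

NSSWITCH = """\
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns
"""

# Constructed: nss_ldap installed, pam_ldap never configured (the first poster's situation).
PAM_BEFORE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
"""

# Constructed, modelled on the system-auth-ac that authconfig writes with LDAP auth enabled.
PAM_AFTER = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
"""


def nss_sources(nsswitch_text):
    """Map each NSS database (passwd, shadow, ...) to its ordered list of sources,
    dropping action tokens such as [NOTFOUND=return]."""
    dbs = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        dbs[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


PAM_LINE = re.compile(r"^(?P<type>auth|account|password|session)\s+"
                      r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")


def pam_stack(pam_text):
    """Parse a PAM file into {type: [(control, module, [args]), ...]}."""
    stack = {"auth": [], "account": [], "password": [], "session": []}
    for line in pam_text.splitlines():
        m = PAM_LINE.match(line.strip())
        if m:
            stack[m["type"]].append((m["control"], m["module"], m["args"].split()))
    return stack


def diagnose(nsswitch_text, pam_text):
    """Report which layer blocks an LDAP-only user: 'nss', 'pam', or None when both are set up."""
    dbs = nss_sources(nsswitch_text)
    stack = pam_stack(pam_text)
    nss_ok = all("ldap" in dbs.get(db, []) for db in ("passwd", "shadow", "group"))
    ldap_in = {t: any(mod == "pam_ldap.so" for _, mod, _ in entries) for t, entries in stack.items()}
    # pam_ldap must sit before the final pam_deny, or the deny fires before LDAP is ever asked.
    auth_mods = [mod for _, mod, _ in stack["auth"]]
    ldap_before_deny = ("pam_ldap.so" in auth_mods and "pam_deny.so" in auth_mods
                        and auth_mods.index("pam_ldap.so") < auth_mods.index("pam_deny.so"))
    if not nss_ok:
        blocking = "nss"
    elif not (ldap_in["auth"] and ldap_in["account"] and ldap_before_deny):
        blocking = "pam"
    else:
        blocking = None
    return {"nss_ok": nss_ok, "pam_ldap": ldap_in,
            "auth_ldap_before_deny": ldap_before_deny, "blocking_layer": blocking}


if __name__ == "__main__":
    for label, pam in (("before authconfig", PAM_BEFORE), ("after authconfig", PAM_AFTER)):
        print(label, "->", diagnose(NSSWITCH, pam)["blocking_layer"] or "login should work")
```

On a real host point the two readers at /etc/nsswitch.conf and /etc/pam.d/system-auth (on CentOS 5 a symlink to system-auth-ac); the verdict only says which layer to look at next, not why a particular bind fails.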
RHEL 5 - LDAP user authentication
The task is to have the server use the corporate ldap server for user authentication.
I have spent several days but am unable to move any further, except for the following:

1) I have installed:
Code:
nss_ldap-253-3
openldap-2.3.27-5
openldap-clients-2.3.27-5

2) Configured the ldap client and can hit the ldap server and get the following response:
Code:
[root@poc-mcs-004 etc]# ldapsearch -x -LLL uid=muhshaik
dn: uid=muhshaik,ou=active,ou=employees,ou=people,o=cisco.com
voicemail: XXX XXXX
telephoneNumber: +1 XXX XXX XXXX
ciscoITInternalPhoneNumber: XXXXXXX
state: CALIFORNIA
site: San Jose Site 4
roomNumber: G5-9
registeredAddress: 3550 Cisco Way
postOfficeBox: SJC19/4/4
postalCode: 95134
locationtype: TRADITIONAL
floor: 4
country: United States
city: San Jose
building: SJ-19
groupmembership: allusers
groupmembership: c2cusers
groupmembership: c2users
groupmembership: cdo_all
groupmembership: csg-codedrop
groupmembership: dpt21633
groupmembership: engall
groupmembership: engonly
groupmembership: fit-users
groupmembership: guido
groupmembership: ibsgit
groupmembership: owt370-r
groupmembership: owtallusers
groupmembership: relops-website
groupmembership: rlspreview-eng
groupmembership: solpmt
groupmembership: tsbu
manageruid: XXXXX
vendorname: XXX Software Services Inc
facsimileTelephoneNumber:
status: Active
acquisitionno:
mobile:
seeAlso:
publishpager: n
labeledUri:
title: System Engineer
employeeNumber: XXXXXX
utcoffset:
cn: Mxxxxxxx Sxxxxx
employeeType: Vendor
uid: muhshaik
epage: n
publishmobile: n
middleinitial:
description: TXBU Engineering
mail: muhshaik@cisco.com
supportorganization: n
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ciscoPerson
secondaryaddress:
nickname:
publishpicture: y
manager: Gxxxx Hxxx (gxxxxx)
directreports:
sn: Shaikh
givenName: Mxxxxxxx
departmentNumber: XXXXXXXXX

Also see the configuration for pam:
Code:
[root@poc-mcs-004 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

But when I try to login as muhshaik, it fails with Access Denied:
Code:
login as: muhshaik
muhshaik@poc-mcs-004's password:
Access denied
muhshaik@poc-mcs-004's password:

See messages in log files:
Code:
tail -f /var/log/messages
Feb 26 22:54:01 poc-mcs-004 snmpd[12320]: error on subcontainer '' insert (-1)
Feb 26 22:54:22 poc-mcs-004 nscd: nss_ldap: reconnected to LDAP server ldap://171.70.150.78 after 1 attempt
Feb 26 22:54:31 poc-mcs-004 snmpd[12320]: error on subcontainer 'ia_addr' insert (-1)
Feb 26 22:54:31 poc-mcs-004 snmpd[12320]: error on subcontainer 'ia_addr' insert (-1)
Feb 26 22:54:31 poc-mcs-004 snmpd[12320]: error on subcontainer '' insert (-1)

tail -f /var/log/secure
Feb 26 22:54:22 poc-mcs-004 sshd[25721]: Invalid user muhshaik from 10.21.67.114
Feb 26 22:54:22 poc-mcs-004 sshd[25722]: input_userauth_request: invalid user muhshaik
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_unix(sshd:auth): check pass; user unknown
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sjc-vpn3-882.cisco.com
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_succeed_if(sshd:auth): error retrieving information about user muhshaik
Feb 26 22:54:28 poc-mcs-004 sshd[25721]: Failed password for invalid user muhshaik from 10.21.67.114 port 2718 ssh2

Could someone please let me know what is wrong here, am I missing something here, why is my login not working?
Am I blind? I can't see a password in the user entry.
Here's what I have in a trial ldap entry (just a play directory), different schema by the looks:
Code:
dn: uid=elsie,ou=People,dc=example,dc=com
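The "Invalid user muhshaik" lines in the RHEL 5 post come from sshd, before PAM runs: nss_ldap can only turn an entry into a passwd line if it carries the RFC 2307 posixAccount attributes, and the corporate entry is inetOrgPerson/ciscoPerson with no uidNumber, gidNumber or homeDirectory, whereas the first poster's 'ramesh' entry has them. The following added example (not code from the thread) reads LDIF and checks exactly that for each entry; it also classifies the userPassword attribute the reply above asked about, since 'ramesh' stores a base64-encoded plaintext value rather than a {SSHA} hash. The two sample entries are constructed from the ones posted, with the corporate one trimmed.

```python
"""Check whether LDAP entries carry what nss_ldap needs to turn them into Unix accounts.

Added example, not code from the thread. SAMPLE_LDIF is constructed from the
two entries posted above; attribute names and the RFC 2307 requirements are real.
"""
import base64

# Attributes nss_ldap needs to synthesise a passwd(5) line; loginShell has a default.
POSIX_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")

SAMPLE_LDIF = """\
dn: uid=ramesh,dc=mwm,dc=com
objectClass: top
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
cn: Ramesh Patil
uid: ramesh
uidNumber: 701
gidNumber: 700
loginShell: /bin/bash
homeDirectory: /home/ramesh
userPassword:: cmFtZXNo

dn: uid=muhshaik,ou=active,ou=employees,ou=people,o=cisco.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Mxxxxxxx Sxxxxx
uid: muhshaik
mail: muhshaik@cisco.com
sn: Shaikh
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr:: value' is
    base64, a leading space folds a continuation line. Attribute names are
    lower-cased because LDAP attribute names are case-insensitive."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def login_readiness(entry):
    """(ok, problems): can nss_ldap map this entry to a passwd line at all?"""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("objectClass posixAccount missing: nss_ldap will not list this user, "
                        "so sshd logs 'Invalid user' before PAM is consulted")
    for attr in POSIX_REQUIRED:
        if attr.lower() not in entry:
            problems.append(f"attribute {attr} missing")
    return (not problems, problems)


def password_visibility(entry):
    """'absent' (not returned; an ACL may hide it from anonymous searches, and
    pam_ldap binds as the user anyway), 'hashed' ({SSHA}... style) or 'cleartext'."""
    values = entry.get("userpassword")
    if not values:
        return "absent"
    return "hashed" if all(v.startswith("{") for v in values) else "cleartext"


def report(text):
    """Per-uid summary for every entry in an LDIF text."""
    out = {}
    for entry in parse_ldif(text):
        ok, problems = login_readiness(entry)
        out[entry.get("uid", ["?"])[0]] = {"ok": ok, "problems": problems,
                                           "password": password_visibility(entry)}
    return out


if __name__ == "__main__":
    for uid, r in report(SAMPLE_LDIF).items():
        print(uid, "login-ready" if r["ok"] else "NOT login-ready", "| userPassword:", r["password"])
        for p in r["problems"]:
            print("  -", p)
```

Feed it the output of ldapsearch -x -LLL for the account in question; an entry that fails here needs the posixAccount attributes added (or a schema mapping in nss_ldap), and no amount of PAM tuning will help. A 'cleartext' userPassword should be replaced by a {SSHA} hash, which slapd accepts as-is.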
In the world of the LDAP turns LOL
I have FDS running. Runs good (IMHO). Have SSL/TLS, or is that TLS/SSL, not sure. Have three computers:
fdstest.example.edu
home.example.edu
client.example.edu

If I turn off the TLS on the client, authentication and AUTOMOUNT work great!! Turn on TLS and I get:
Code:
gdm-binary[2393]: nss_ldap: reconnecting to LDAP server (sleeping * seconds)
gdmgreeter[2393]: nss_ldap: reconnecting to LDAP server (sleeping * seconds)

I have entries for fdstest, home, & client in the /etc/hosts. I have entries in the /etc/openldap/ldap.conf for URI, BASE, HOST, TLS_CACERTDIR, and TLS_REQCERT on home.example.edu and client.example.edu. Have copies of the cert on the client and home (did diff on them to verify they are the same, JUST in case they were bad or something). home.example.edu is able to authenticate with TLS but client is not able to. Any thoughts on troubleshooting to solve this issue?

**update**
I am able to ping via FQDN (from client) home & fdstest.
I am able to ssh via FQDN (from client) home & fdstest.
I will continue to post what I find.
Here is a cut and paste (modified for public viewing) of /var/log/dirsrv/slapd-instance/access:
Code:
[01/Apr/2008:16:13:15 -0400] conn=59 op=1 fd=64 closed - U1
[01/Apr/2008:16:14:19 -0400] conn=60 fd=64 slot=64 connection from 192.168.2.6 to 192.168.2.5
[01/Apr/2008:16:14:19 -0400] conn=60 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Apr/2008:16:14:19 -0400] conn=60 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Apr/2008:16:14:19 -0400] conn=60 SSL 256-bit AES
[01/Apr/2008:16:14:19 -0400] conn=60 op=1 UNBIND
[01/Apr/2008:16:14:19 -0400] conn=60 op=1 fd=64 closed - U1
[01/Apr/2008:16:14:19 -0400] conn=61 fd=65 slot=65 connection from 192.168.2.6 to 192.168.2.5
[01/Apr/2008:16:14:19 -0400] conn=61 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Apr/2008:16:14:19 -0400] conn=61 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Apr/2008:16:14:19 -0400] conn=61 SSL 256-bit AES

/var/log/dirsrv/slapd-instance/errors:
Code:
[01/Apr/2008:15:58:51 -0400] - Fedora-Directory/1.1.0 B2008.03.27 starting up
[01/Apr/2008:15:58:52 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2008:15:58:52 -0400] - Listening on All Interfaces port 636 for LDAPS requests

It takes a long, long period of time before the computer boots, and then it still won't authenticate a user.
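The access log above shows the server side of the nss_ldap "reconnecting" loop: each connection from 192.168.2.6 completes StartTLS (err=0, 256-bit AES) and then the client sends UNBIND without ever binding or searching, and immediately opens the next connection. The server has nothing to complain about, so the rejection is happening on the client after the handshake, which is consistent with the client refusing the server certificate (the later post in this thread resolves it by relaxing TLS_REQCERT). The added example below, not code from the thread, parses 389/Fedora Directory Server access-log lines, traces each conn, and flags connections that negotiated TLS and then dropped without doing any real operation. The log text is the one posted plus a constructed tail (an UNBIND/close for conn=61 and a healthy constructed conn=62 that binds and searches); reading an immediate post-TLS UNBIND as client-side certificate rejection is an interpretation, not something the log states.

```python
"""Trace 389/Fedora Directory Server access-log connections and flag clients that
complete StartTLS and then drop the session without binding or searching.

Added example, not from the thread. POSTED_LOG is the excerpt from the post;
CONSTRUCTED_TAIL is sample data added here to complete conn=61 and to show a
healthy connection (conn=62) for contrast.
"""
import re
from collections import OrderedDict

POSTED_LOG = """\
[01/Apr/2008:16:13:15 -0400] conn=59 op=1 fd=64 closed - U1
[01/Apr/2008:16:14:19 -0400] conn=60 fd=64 slot=64 connection from 192.168.2.6 to 192.168.2.5
[01/Apr/2008:16:14:19 -0400] conn=60 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Apr/2008:16:14:19 -0400] conn=60 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Apr/2008:16:14:19 -0400] conn=60 SSL 256-bit AES
[01/Apr/2008:16:14:19 -0400] conn=60 op=1 UNBIND
[01/Apr/2008:16:14:19 -0400] conn=60 op=1 fd=64 closed - U1
[01/Apr/2008:16:14:19 -0400] conn=61 fd=65 slot=65 connection from 192.168.2.6 to 192.168.2.5
[01/Apr/2008:16:14:19 -0400] conn=61 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Apr/2008:16:14:19 -0400] conn=61 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Apr/2008:16:14:19 -0400] conn=61 SSL 256-bit AES
"""

# Constructed continuation: conn=61 ends like conn=60; conn=62 is a client whose TLS works.
CONSTRUCTED_TAIL = """\
[01/Apr/2008:16:14:19 -0400] conn=61 op=1 UNBIND
[01/Apr/2008:16:14:19 -0400] conn=61 op=1 fd=65 closed - U1
[01/Apr/2008:16:14:20 -0400] conn=62 fd=66 slot=66 connection from 192.168.2.7 to 192.168.2.5
[01/Apr/2008:16:14:20 -0400] conn=62 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Apr/2008:16:14:20 -0400] conn=62 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Apr/2008:16:14:20 -0400] conn=62 SSL 256-bit AES
[01/Apr/2008:16:14:20 -0400] conn=62 op=1 BIND dn="" method=128 version=3
[01/Apr/2008:16:14:20 -0400] conn=62 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[01/Apr/2008:16:14:20 -0400] conn=62 op=2 SRCH base="dc=example,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=elsie))" attrs=ALL
[01/Apr/2008:16:14:20 -0400] conn=62 op=2 RESULT err=0 tag=101 nentries=1 etime=0
"""
ACCESS_LOG = POSTED_LOG + CONSTRUCTED_TAIL

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")


def trace_connections(log_text):
    """Group lines by conn id: client address, StartTLS outcome, cipher line,
    the LDAP operations issued afterwards, and whether the connection closed."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], {"client": None, "starttls_requested": False,
                                         "starttls": False, "tls": None, "ops": [], "closed": False})
        rest = m["rest"]
        if rest.startswith("fd="):
            ip = re.search(r"connection from (\S+)", rest)
            c["client"] = ip.group(1) if ip else None
        elif 'name="startTLS"' in rest:
            c["starttls_requested"] = True
        elif c["starttls_requested"] and rest.startswith("op=0 RESULT err=0"):
            c["starttls"] = True            # server accepted the StartTLS extended op
        elif rest.startswith("SSL "):
            c["tls"] = rest[4:]             # handshake finished; cipher negotiated
        elif " closed " in rest:
            c["closed"] = True
        else:
            op = re.match(r"op=\d+ (\w+)", rest)
            if op and op.group(1) != "RESULT":
                c["ops"].append(op.group(1))
    return conns


def suspicious_tls_drops(conns):
    """Conn ids where TLS came up and the client then only unbound/closed: the client
    accepted the handshake but refused to use the session."""
    flagged = []
    for cid, c in conns.items():
        finished = c["closed"] or "UNBIND" in c["ops"]
        real_ops = [o for o in c["ops"] if o != "UNBIND"]
        if c["starttls"] and c["tls"] and finished and not real_ops:
            flagged.append(cid)
    return flagged


def repeat_offenders(conns, flagged):
    """Count flagged connections per client address; a reconnect loop shows as one
    address opening StartTLS-then-drop connections back to back."""
    counts = {}
    for cid in flagged:
        counts[conns[cid]["client"]] = counts.get(conns[cid]["client"], 0) + 1
    return counts


if __name__ == "__main__":
    conns = trace_connections(ACCESS_LOG)
    flagged = suspicious_tls_drops(conns)
    print("StartTLS-then-drop connections:", flagged)
    print("per client:", repeat_offenders(conns, flagged))
```

When this pattern shows up, the next place to look is the client: its nss_ldap/libldap debug output will name the certificate problem (unknown CA, or a subject that does not match the name in URI), and that, rather than the server, is what needs fixing.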
Hi,
I have the same problem, please tell me if you find a solution to it. Thanks
I am sorry I did not post my solution. Sometimes I will have so many threads going in different areas I lose track.

Solutions I have found for several different issues. Please excuse and check spelling, typos and so forth, because I am not a typist LOL.

In /etc/openldap/ldap.conf you will need to verify:
Code:
uri ldap://123.123.123.123                      ** ldap server's IP address
base dc=examplehost, dc=exampledomain, dc=edu
TLS_CACERTDIR /etc/openldap/cacerts/            ** verify this is the path to the cacert
TLS_REQCERT allow                               *** this is something you will more than likely need to add

/etc/ldap.conf: same here, verify this info is here too:
Code:
base dc=examplehost, dc=exampledomain, dc=edu

***** this is the one that got me **********
#OpenLDAP SSL options
#Require and verify server certificate (yes/no)
#Default is to use libldap's default behavior, which can be configured in
#/etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
#OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes"
tls_checkpeer no                                * must uncomment and change to no, as you can see above

uri ldap://123.123.123.123                      * the IP address for your ldap server
ssl start_tls                                   * verify this; it is supposed to change when you change system-config-authentication
tls_cacertdir /etc/openldap/cacerts             * the path to the cacert
pam_password md5

These are some of the things I look for in troubleshooting ldap issues. For me, usually what I do is ssh in two terminal windows to the ldap server (from the client pc that is logged in with a local account) as root:
Code:
tail -f /var/log/messages                        (in one terminal)
tail -f /var/dirsrv/slapd-*instance*/access      (in the other terminal)
then I su - *username* and see what happens in the log files.

Hope that didn't sound too newbie LOL. Now if there are other things going on let me know... I might have run across it, and if I didn't I probably will in time.
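Two of the settings in the post above, tls_checkpeer no in /etc/ldap.conf and TLS_REQCERT allow in /etc/openldap/ldap.conf, make the login work by telling the client to stop verifying the server certificate, so the StartTLS session no longer proves which server is answering and a bind password can be captured by anything that can answer on port 389. The usual reason verification failed in the first place is visible in the same post: the URI names the server by IP address, while the certificate was issued for a host name. The added example below, not the poster's code, parses client-side settings constructed from the post, flags the verification-disabling values and an IP-literal URI, and produces the hardened equivalent (tls_checkpeer yes, TLS_REQCERT demand, URI pointing at an assumed placeholder FQDN that must match the certificate). The directive names and values are real OpenLDAP/nss_ldap ones; the FQDN is an assumption.

```python
"""Audit nss_ldap / OpenLDAP client settings for options that disable server
certificate verification, and emit a hardened copy.

Added example, not the poster's code. The two config texts are constructed from
the post; 'ldap.example.edu' is an assumed placeholder for the server's FQDN.
"""
import re

POSTED_LDAP_CONF = """\
base dc=examplehost, dc=exampledomain, dc=edu
tls_checkpeer no
uri ldap://123.123.123.123
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""

POSTED_OPENLDAP_CONF = """\
uri ldap://123.123.123.123
base dc=examplehost, dc=exampledomain, dc=edu
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
"""

# directive -> (values that turn verification off, value to use instead)
WEAK = {
    "tls_checkpeer": ({"no"}, "yes"),               # /etc/ldap.conf (nss_ldap, pam_ldap)
    "tls_reqcert": ({"never", "allow"}, "demand"),  # /etc/openldap/ldap.conf (libldap)
}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_conf(text):
    """'key value' lines; directive names are case-insensitive in both files."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def audit(settings, transport_check=False):
    """List (directive, finding) pairs; transport_check applies to /etc/ldap.conf,
    where pam_ldap sends the user's bind password over the connection."""
    findings = []
    for key, (weak_values, fix) in WEAK.items():
        for value in settings.get(key, []):
            if value.lower() in weak_values:
                findings.append((key, f"'{value}' disables server certificate verification; "
                                      f"use '{key} {fix}' and fix the CA or host-name problem instead"))
    uris = settings.get("uri", [])
    for uri in uris:
        m = re.match(r"^(ldaps?)://([^/:]+)", uri)
        if not m:
            findings.append(("uri", f"malformed '{uri}': expected ldap://host or ldaps://host"))
        elif IPV4.fullmatch(m.group(2)):
            findings.append(("uri", f"'{uri}' names the server by IP; verification only passes if "
                                    "the certificate carries that IP as a subjectAltName, so use "
                                    "the FQDN the certificate was issued for"))
    if transport_check:
        start_tls = any(v.lower() == "start_tls" for v in settings.get("ssl", []))
        all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
        if not (start_tls or all_ldaps):
            findings.append(("ssl", "no 'ssl start_tls' and no ldaps:// URI: bind passwords "
                                    "would cross the network in the clear"))
    return findings


def hardened(settings, server_fqdn):
    """Copy of settings with verification re-enabled and the URI host replaced by
    server_fqdn (an assumed placeholder; it must match the certificate subject/SAN)."""
    out = {k: list(v) for k, v in settings.items()}
    for key, (weak_values, fix) in WEAK.items():
        if key in out:
            out[key] = [fix if v.lower() in weak_values else v for v in out[key]]
    out["uri"] = [re.sub(r"^(ldaps?)://[^/:]+", rf"\g<1>://{server_fqdn}", u)
                  for u in out.get("uri", [])]
    return out


def render(settings):
    """Write settings back out in 'key value' form."""
    return "\n".join(f"{k} {v}" for k, vs in settings.items() for v in vs) + "\n"


if __name__ == "__main__":
    for name, text, transport in (("/etc/ldap.conf", POSTED_LDAP_CONF, True),
                                  ("/etc/openldap/ldap.conf", POSTED_OPENLDAP_CONF, False)):
        s = parse_conf(text)
        print(f"== {name} ==")
        for key, finding in audit(s, transport):
            print(f"  {key}: {finding}")
        print(render(hardened(s, "ldap.example.edu")))
```

After switching back to demand/yes, verification passes only when the CA certificate that signed the server certificate is in tls_cacertdir (hashed file names, see c_rehash) and the name in URI matches the certificate; that combination is what makes the TLS session worth having for password authentication.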