libpam-ldap does not authenticate users

Matt Clauson

All: I'm having problems getting libpam-ldap to authenticate users.
libnss-ldap does exactly fine when running the same base -- but PAM will
not.  Moreover, I get the following errors when I try to log in to the box
by ssh or on the console (ssh errors below):

Nov 29 10:26:33 ldaptest0 sshd[4421]: Illegal user mclauson from ::ffff:69.145.252.167
Nov 29 10:26:33 ldaptest0 sshd[4421]: Failed none for illegal user mclauson from ::ffff:69.145.252.167 port 2413 ssh2
Nov 29 10:26:38 ldaptest0 sshd[4421]: pam_ldap: error trying to bind as user "uid=mclauson,dc=advserv,dc=bresnan,dc=com" (Invalid credentials)
Nov 29 10:26:38 ldaptest0 sshd[4421]: (pam_unix) check pass; user unknown
Nov 29 10:26:38 ldaptest0 sshd[4421]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host-69-145-252-167.bln-mt.client.bresnan.net
Nov 29 10:26:40 ldaptest0 sshd[4421]: error: PAM: Permission denied for illegal user mclauson from host-69-145-252-167.bln-mt.client.bresnan.net
Nov 29 10:26:40 ldaptest0 sshd[4421]: Failed keyboard-interactive/pam for illegal user mclauson from ::ffff:69.145.252.167 port 2413 ssh2

Config files below -- suggestions?

pam_ldap.conf/libnss-ldap.conf (same file):
host 127.0.0.1
base dc=advserv,dc=example,dc=com
ldap_version 3

#binddn cn=nssuser,dc=advserv,dc=example,dc=com
#bindpw password

rootbinddn cn=admin,dc=advserv,dc=example,dc=com

#timelimit 30
#bind_timelimit 30
#bind_policy hard
#idle_timelimit 3600

#pam_filter objectclass=account
#pam_login_attribute uid
#pam_lookup_policy yes
#pam_check_host_attr yes
#pam_check_service_attr yes

#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
#pam_member_attribute uniquemember
#pam_min_uid 0
#pam_max_uid 0
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

pam_password exop
#pam_password_prohibit_message Please visit http://internal to change your password.

#ssl start_tls
#ssl on
#tls_checkpeer yes
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
#tls_randfile /var/run/egd-pool
#tls_ciphers TLSv1
#tls_cert
#tls_key
#sasl_secprops maxssf=0

#krb5_ccname FILE:/etc/.ldapcache
#pam_sasl_mech DIGEST-MD5
# end pam_ldap.conf

/etc/pam.d/common-auth:
auth    sufficient      pam_ldap.so try_first_pass ignore_unknown_user
auth    sufficient      pam_unix.so try_first_pass nullok_secure
#end common-auth

/etc/pam.d/common-account:
auth    sufficient      pam_ldap.so ignore_unknown_user
auth    sufficient      pam_unix.so
#end common-account

/etc/pam.d/common-session:
auth    sufficient      pam_ldap.so ignore_unknown_user
auth    sufficient      pam_unix.so
#end common-session

--mec
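As an added example (not part of the original post), a small Python lint that parses Debian-style common-* PAM stacks, checks that each line's module type matches the file it lives in, and runs over a constructed copy of the stacks quoted above; `parse_pam_stack`, `lint_common_file` and `lint_all` are hypothetical helper names, and the sample input is embedded rather than read from /etc/pam.d.

```python
"""Lint Debian-style /etc/pam.d/common-* files for module-type mistakes."""
from typing import Dict, List

# Management group each Debian common-* include file is supposed to provide.
EXPECTED_TYPE = {"common-auth": "auth", "common-account": "account",
                 "common-session": "session", "common-password": "password"}

def parse_pam_stack(text: str) -> List[Dict[str, str]]:
    """Parse 'type control module [args]' lines; skip blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append({"type": parts[0], "control": parts[1], "module": parts[2],
                        "args": parts[3] if len(parts) == 4 else ""})
    return entries

def lint_common_file(name: str, text: str) -> List[str]:
    """Return findings: lines whose type does not match the file, plus an
    empty expected stack. With '@include', every line of the file is pulled
    into the calling service, so a stray 'auth' line in common-account adds
    an extra auth module and leaves that service with no account modules."""
    expected = EXPECTED_TYPE[name]
    entries = parse_pam_stack(text)
    findings = [f"{name}: '{e['type']}' line for {e['module']} belongs in common-{e['type']}"
                for e in entries if e["type"] != expected]
    if not any(e["type"] == expected for e in entries):
        findings.append(f"{name}: no '{expected}' modules at all; services including "
                        f"it get an empty {expected} stack")
    return findings

# Constructed copy of the stacks quoted in the post (not read from disk).
SAMPLE = {
    "common-auth": ("auth sufficient pam_ldap.so try_first_pass ignore_unknown_user\n"
                    "auth sufficient pam_unix.so try_first_pass nullok_secure\n"),
    "common-account": ("auth sufficient pam_ldap.so ignore_unknown_user\n"
                       "auth sufficient pam_unix.so\n"),
    "common-session": ("auth sufficient pam_ldap.so ignore_unknown_user\n"
                       "auth sufficient pam_unix.so\n"),
}

def lint_all(files: Dict[str, str] = SAMPLE) -> List[str]:
    """Lint every file in the mapping and concatenate the findings."""
    return [f for name, text in files.items() for f in lint_common_file(name, text)]

if __name__ == "__main__":
    print("\n".join(lint_all()) or "no findings")
```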