Unix administration - pam_ldap authentication not working with Active Directory


Author pam_ldap authentication not working with Active Directory
ranton@iinet.net.au

2007-01-10, 1:18 pm

Hi All,

Having a major headache with openldap and the pam_ldap libraries that I
am hoping someone can assist me with.

I am using openldap 2.3.27 and the padl libraries ( nss_ldap and
pam_ldap ) on a Solaris 9 server to authenticate to a Windows 2003 AD
Server.

I have compiled the software with the following :

OpenLDAP 2.3.27 :
../configure --disable-slapd --disable-slurpd --with-tls
--without-cyrus-sasl --enable-syslog --sysconfdir=/etc
--localstatedir=/var

Padl PAM_LDAP 1.82 :
../configure --sysconfdir=/etc --localstatedir=/var
--with-ldap-lib=openldap --with-ldap-dir=/usr/local/lib
--with-ldap-secret-file=/etc/ldap.secret

Padl NSS_LDAP 2.53:
../configure --enable-schema-mapping --enable-rfc2307bis
--sysconfdir=/etc --localstatedir=/var --enable-debugging
--with-ldap-lib=openldap --with-ldap-secret-file=/etc/ldap.secret


/etc/openldap/ldap.conf :
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

URI ldap://dc1.igi-dev.ig.local
BASE ou=IG Users,dc=igi-dev,dc=ig,dc=local
TIMELIMIT 30


/etc/ldap.conf :
host dc1.igi-dev.ig.local
#uri ldap://dc1.igi-dev.ig.local

base dc=igi-dev,dc=ig,dc=local

ldap_version 3

scope sub

binddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
bindpw <PASSWORD REMOVED FOR NEWSGROUP>
rootbinddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local

# The port.
# Optional: default is 389. SSL LDAP Port 636
port 389

# RFC2307bis naming contexts
nss_base_passwd OU=IG Users,DC=igi-dev,DC=ig,DC=local
nss_base_shadow OU=IG Users,DC=igi-dev,DC=ig,DC=local
nss_base_group OU=UNIX-Groups,OU=UNIX-OU,DC=igi-dev,DC=ig,DC=local

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute shadowLastChange pwdLastSet

nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
nss_map_attribute memberUid msSFU30MemberUid

# PAM_LDAP options
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

logdir /var/ldap
debug 1
ssl no

timelimit 30
bind_timelimit 30


/etc/nsswitch.conf :
passwd: files ldap
group: files ldap

All is ok with the AD lookups :
root@lsdevnix001:/var/log # getent passwd ldapfour
ldapfour:*:15105:10000:test ldapfour:/home/ldapfour:/bin/sh
root@lsdevnix001:/var/log # grep ldapfour /etc/passwd
root@lsdevnix001:/var/log #

But no matter what I've tried I can not get pam to authenticate a user.

My /etc/pam.conf looks like this ( I've taken out the other entries ) :
sshd auth sufficient pam_ldap.so.1 try_first_pass debug
sshd auth sufficient pam_unix.so.1
sshd account sufficient pam_ldap.so.1
sshd account required pam_unix_account.so.1

ssh has been compiled for pam. I've tried telnet too but same result.

Even a snoop on the LDAP traffic between the Solaris server and the AD
server shows that LDAP is working :

LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 0: Bind Request]
LDAP: [Version]
LDAP: [Object Name]
LDAP: cn=ldapuser,ou=Application Accou
LDAP: nts,ou=IG-DEV Resources,dc=igi-d
LDAP: ev,dc=ig,dc=local
LDAP: Authentication: Simple [0]
LDAP: <PASSWORD OMITTED FOR NEWSGROUP POST>
LDAP:
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 1: Bind Response]
LDAP: [Result Code]
LDAP: Success
LDAP: [Matched DN]

All I get is the message "Login Incorrect" when I try to ssh/telnet to
the Solaris server.

Anyone have any ideas how to get PAM to co-operate ?

Thanks,

Rob.
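As an added illustration (not code from the post), here is a small Python script that parses an ldap.conf like the one above, builds the user-lookup filter that pam_ldap derives from pam_login_attribute and pam_filter (useful for reproducing that lookup by hand with ldapsearch while chasing a "Login incorrect"), and flags the cleartext-bind settings that the snoop trace confirms (ssl no plus a simple bind with bindpw). The configuration text is a constructed excerpt of the posted file with a placeholder password.

```python
# Constructed excerpt of the posted /etc/ldap.conf; the password is a placeholder.
SAMPLE_CONF = """
host dc1.igi-dev.ig.local
base dc=igi-dev,dc=ig,dc=local
binddn cn=ldapuser,ou=Application Accounts,ou=IG-DEV Resources,dc=igi-dev,dc=ig,dc=local
bindpw PLACEHOLDER
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
port 389
ssl no
"""

def parse_ldap_conf(text):
    """Parse pam_ldap/nss_ldap style 'key value' lines; keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def pam_search_filter(conf, username):
    """The lookup pam_ldap performs to find the user's DN before binding as that user:
    pam_filter ANDed with (pam_login_attribute=username)."""
    attr = conf.get("pam_login_attribute", "uid")
    user_term = "(%s=%s)" % (attr, escape_filter_value(username))
    extra = conf.get("pam_filter")
    if not extra:
        return user_term
    if not extra.startswith("("):
        extra = "(%s)" % extra
    return "(&%s%s)" % (extra, user_term)

def audit(conf):
    """Flag settings that expose credentials or cannot work against AD."""
    findings = []
    encrypted = conf.get("ssl", "no").lower() in ("yes", "on", "start_tls")
    if not encrypted and conf.get("binddn") and conf.get("bindpw"):
        findings.append("cleartext simple bind: bindpw crosses the network unencrypted")
    if not encrypted and conf.get("pam_password", "").lower() == "ad":
        findings.append("pam_password ad needs ssl on/start_tls: AD refuses password changes over cleartext")
    return findings
```

The filter returned by pam_search_filter is the one to feed ldapsearch, bound as the binddn account, to confirm the search step returns exactly one entry before suspecting the user bind itself.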
