3

I'm trying to set up, on an OpenLDAP server running on Debian 6, SSH authentication for an LDAP-client host named ldap_client.

Here is what ldapsearch returns on server:

dn: dc=localnet,dc=lan
objectClass: dcObject
objectClass: organization
dc: localnet 
o: Some_Enterprise
description: localnet.lan

dn: ou=people,dc=localnet,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=localnet,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: uid=joe,ou=people,dc=localnet,dc=lan
objectClass: account
objectClass: posixAccount
cn: joe
uid: joe
uidNumber: 10001
gidNumber: 2000
homeDirectory: /home/joe
loginShell: /bin/sh
gecos: joe
description: joe

On the client side, I have configured libnss-ldap and nsswitch.conf as follows:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

So the Unix command id on the client (id joe) returns its uid/gid; the user is recognized by LDAP.

But after hours of goofing around on Google, I have not been able to set up authentication on the client with SSH.

I have these lines in /etc/pam.d/common-account, common-auth and common-password:

auth        sufficient      pam_ldap.so
auth        required        pam_unix.so nullok_secure

And these in /etc/pam.d/ssh:

auth    sufficient /lib/security/pam_ldap.so    no_warn
auth    required  pam_unix.so           no_warn try_first_pass
account required  /lib/security/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

I have UsePAM yes in /etc/ssh/sshd_config.

Here is the output of auth.log on the client:

==> /var/log/auth.log <==
Dec  7 17:39:06 versionning sshd[3898]: pam_ldap: error trying to bind (Invalid credentials)
Dec  7 17:39:06 versionning sshd[3898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.kimsufi.com  user=joe
Dec  7 17:39:08 versionning sshd[3898]: Failed password for joe from a.b.c.d port 58191 ssh2

On the server:

==> /var/log/syslog <==
Dec 7 16:42:43 ldap slapd[963]: <= bdb_equality_candidates: (uid) not indexed

and with tshark:

LDAP bindResponse(1) invalidCredentials    

I don't understand where and how I have to configure joe's password. Not in the local Unix account on the client, so on the server; I don't know where to do that.

philippe
    `uid=joe,ou=people,dc=localnet,dc=lan` doesn't have a `userPassword` attribute, or are the LDAP server's ACLs preventing you from seeing it? – 84104 Dec 07 '11 at 16:58

2 Answers

4

The posixAccount LDAP object class has a userPassword attribute -- set Joe's password here.
Once you've done that, make certain you can bind to the LDAP directory as Joe (you can use ldapsearch to test that). If that works, pam_ldap should also work.

voretaq7
  • Thank you for your quick answer. I have added a password by filling the userPassword field and re-adding the ldif file used for the joe user. Still, the command id returns appropriate data for joe, and no login success through ssh. I have reconfigured the libpam-modules and libpam-ldap packages (`dpkg-reconfigure libpam-modules`, `dpkg-reconfigure libpam-ldap`) and the dpkg program solved this issue. Here is the content of /etc/pam.d/common-account: `# here are the per-package modules (the "Primary" block)` `account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so` `account [success=1 default=ignore] p` – philippe Dec 08 '11 at 16:39
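As an added illustration of this answer (not code from either answer or from OpenLDAP itself), the helper below builds an OpenLDAP-style `{SSHA}` `userPassword` value for joe, emits the LDIF `changetype: modify` that sets it, and checks a candidate password against the stored value the way slapd does on a simple bind. The admin DN `cn=admin,dc=localnet,dc=lan` and the file name `joe-password.ldif` in the comments are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

JOE_DN = "uid=joe,ou=people,dc=localnet,dc=lan"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} userPassword value: base64(sha1(password + salt) + salt).

    This is the salted-SHA1 scheme slapd (and slappasswd) use by default.
    """
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA} value (what a simple bind does)."""
    if not stored.startswith("{SSHA}"):
        return False  # other schemes ({CRYPT}, {MD5}, cleartext) are out of scope here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def password_ldif(dn: str, hashed: str) -> str:
    """LDIF that sets (or replaces) userPassword on dn.

    Apply as the directory admin (assumed DN), then test a bind as joe:
      ldapmodify -x -D cn=admin,dc=localnet,dc=lan -W -f joe-password.ldif
      ldapsearch -x -D uid=joe,ou=people,dc=localnet,dc=lan -W -b dc=localnet,dc=lan uid=joe
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {hashed}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample password for the demonstration only.
    print(password_ldif(JOE_DN, ssha_hash("joe-demo-password")))
```

Alternatively `ldappasswd -x -D cn=admin,dc=localnet,dc=lan -W -S uid=joe,ou=people,dc=localnet,dc=lan` lets slapd hash the new password itself; either way a successful bind as joe is the check that pam_ldap needs to pass.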
2

Well, your joe object (dn: uid=joe,ou=people,dc=localnet,dc=lan) should have a userPassword attribute. This attribute holds the password hash representing the user's password. Read up on passwords and OpenLDAP here: http://www.openldap.org/faq/data/cache/419.html

daff