Comment 4 for bug 333460

fidel (fidel-daniels) wrote : Re: [Bug 333460] Re: [Hardy][LDAP]client authentication broken

Hi
With pleasure, even though there is nothing relevant to LDAP
authentication in it:

Mar 6 17:50:20 medulis sshd[4928]: Server listening on :: port 22.
Mar 6 17:50:21 medulis sshd[4928]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 6 17:55:59 medulis sudo: root : TTY=unknown ; PWD=/ ; USER=mirjam ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/use_http_proxy
Mar 6 17:55:59 medulis sudo: pam_unix(sudo:session): session opened for user mirjam by (uid=0)
Mar 6 17:55:59 medulis sudo: pam_unix(sudo:session): session closed for user mirjam
Mar 6 17:56:00 medulis sudo: root : TTY=unknown ; PWD=/ ; USER=mirjam ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/host
Mar 6 17:56:00 medulis sudo: pam_unix(sudo:session): session opened for user mirjam by (uid=0)
Mar 6 17:56:00 medulis sudo: pam_unix(sudo:session): session closed for user mirjam
Mar 6 17:56:00 medulis sudo: root : TTY=unknown ; PWD=/ ; USER=mirjam ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/port
Mar 6 17:56:00 medulis sudo: pam_unix(sudo:session): session opened for user mirjam by (uid=0)
Mar 6 17:56:00 medulis sudo: pam_unix(sudo:session): session closed for user mirjam
Mar 6 18:17:01 medulis CRON[12599]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 6 18:17:01 medulis CRON[12599]: pam_unix(cron:session): session closed for user root
Mar 6 18:17:17 medulis gdm[5712]: pam_unix(gdm:session): session opened for user mirjam by (uid=0)
Mar 6 19:09:15 medulis sshd[18307]: Accepted password for fidel from 192.168.0.50 port 52652 ssh2
Mar 6 19:09:15 medulis sshd[18313]: pam_unix(sshd:session): session opened for user fidel by (uid=0)
Mar 6 19:09:20 medulis sudo: fidel : TTY=pts/0 ; PWD=/home/fidel ; USER=root ; COMMAND=/bin/su -
Mar 6 19:09:20 medulis sudo: pam_unix(sudo:session): session opened for user root by fidel(uid=0)
Mar 6 19:09:20 medulis sudo: pam_unix(sudo:session): session closed for user root
Mar 6 19:09:20 medulis su[18385]: Successful su for root by root
Mar 6 19:09:20 medulis su[18385]: + pts/0 root:root
Mar 6 19:09:20 medulis su[18385]: pam_unix(su:session): session opened for user root by fidel(uid=0)

Quite interesting, though, is the fact that only xscreensaver is connected
to the LDAP server:
 # netstat -patu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address           State        PID/Program name
tcp        0      0 *:37379                 *:*                       LISTEN       5374/rpc.statd
tcp        0      0 *:33093                 *:*                       LISTEN       -
tcp        0      0 medulis.nigel:mysql     *:*                       LISTEN       5055/mysqld
tcp        0      0 *:sunrpc                *:*                       LISTEN       4306/portmap
tcp        0      0 *:ipp                   *:*                       LISTEN       5177/cupsd
tcp        0      0 medulis.nigel:35861     mimas-nxge0.switch.:www   TIME_WAIT    -
tcp        0      0 medulis.nigel:48330     192.168.0.1:ldap          ESTABLISHED  13265/xscreensaver
tcp        0      0 medulis.nigel:41590     84-75-125-185.dcl:imap2   ESTABLISHED  13453/evolution
tcp        0      0 medulis.nigel:56430     ns2.whoswe.ch:imap2       ESTABLISHED  13453/evolution
tcp        0      0 medulis.nigel:999       192.168.0.1:nfs           ESTABLISHED  -
tcp6       0      0 [::]:ssh                [::]:*                    LISTEN       4928/sshd
tcp6       0      0 [::]:ipp                [::]:*                    LISTEN       5177/cupsd
tcp6       0      0 medulis.nigel:ssh       fidelski.nigel:52652      ESTABLISHED  18307/sshd: fidel [
udp        0      0 *:51257                 *:*                                    5773/avahi-daemon:
udp        0      0 *:bootpc                *:*                                    4320/dhclient3
udp        0      0 *:46535                 *:*                                    5374/rpc.statd
udp        0      0 *:mdns                  *:*                                    5773/avahi-daemon:
udp        0      0 *:sunrpc                *:*                                    4306/portmap
udp        0      0 *:886                   *:*                                    5374/rpc.statd
udp        0      0 *:ipp                   *:*                                    5177/cupsd

I really have no clue; still, I cannot exclude that I am missing some
configuration. Since on Gentoo the authentication configuration is quite
transparent, and in Fedora it is quite "automagic" with authconfig, it is
of course possible that I did not do everything right. I already posted
the configuration of the system authentication, but missed the
entire /etc/nsswitch.conf:
/etc/nsswitch.conf:
passwd: ldap files # compat
group: ldap files # compat
shadow: ldap files # compat

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files dns

services: db files
protocols: db files
rpc: db files
ethers: db files

netgroup nis

And of course the ldap configuration:
/etc/ldap.conf:

host 192.168.0.1
base dc=hektor,dc=nigel

uri ldap://hektor.nigel/

ldap_version 3
rootbindn cn=admin,dc=hektor,dc=nigel
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/hektor.pem
nss_base_passwd ou=People,dc=hektor,dc=nigel
nss_base_shadow ou=People,dc=hektor,dc=nigel
nss_base_group ou=Group,dc=hektor,dc=nigel
nss_base_hosts ou=Hosts,dc=hektor,dc=nigel
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,polkituser,proxy,pulse,root,sshd,statd,sync,sys,syslog,uucp,www-data

/etc/ldap/ldap.conf:

BASE dc=hektor,dc=nigel
URI ldap://hektor.nigel
TLS_CACERT /etc/ldap/ssl/hektor.pem
TLS_REQCERT never

Greets
Dave

On Friday, 06.03.2009 at 16:33 +0000, Adam Sommer wrote:
> Can you post the relevant lines of /var/log/auth.log when trying to
> login as a LDAP user?
>
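Editor's added example, not code from the bug reporter or from Ubuntu: an offline audit of the client configuration posted in the comment above. The security-relevant point is that `tls_checkpeer no` in /etc/ldap.conf and `TLS_REQCERT never` in /etc/ldap/ldap.conf turn STARTTLS into unverified, opportunistic encryption, so a host answering as 192.168.0.1 could serve forged passwd/shadow entries or capture binds. The config and auth.log text is copied from the comment (nss_base_* and log lines trimmed) and embedded so the script runs without a network; the list of known pam_ldap/nss_ldap options is deliberately partial, and the checklist is mine. When a tls_checkpeer line is present, pam_ldap/nss_ldap sets libldap's certificate-requirement option from it, so it takes precedence over TLS_REQCERT; with no such line, libldap's default of `demand` applies.

```python
"""Added example, not from the bug report: offline audit of the client config
posted above. Config/log text is copied from the comment (nss_base_* trimmed);
the checks are an editor's checklist and KNOWN_PAM_LDAP is a partial list."""
import difflib
import re

PAM_LDAP_CONF = """\
host 192.168.0.1
base dc=hektor,dc=nigel
uri ldap://hektor.nigel/
ldap_version 3
rootbindn cn=admin,dc=hektor,dc=nigel
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/hektor.pem
nss_base_passwd ou=People,dc=hektor,dc=nigel
"""
LIBLDAP_CONF = """\
BASE dc=hektor,dc=nigel
URI ldap://hektor.nigel
TLS_CACERT /etc/ldap/ssl/hektor.pem
TLS_REQCERT never
"""
NSSWITCH_CONF = """\
passwd: ldap files # compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
netgroup nis
"""
AUTH_LOG = """\
Mar 6 19:09:15 medulis sshd[18313]: pam_unix(sshd:session): session opened for user fidel by (uid=0)
Mar 6 19:09:20 medulis su[18385]: pam_unix(su:session): session opened for user root by fidel(uid=0)
"""
# Subset of pam_ldap/nss_ldap options; anything else is reported as unrecognised.
KNOWN_PAM_LDAP = {
    "host", "base", "uri", "ldap_version", "port", "binddn", "bindpw", "rootbinddn",
    "scope", "timelimit", "bind_timelimit", "bind_policy", "pam_password", "pam_filter",
    "pam_login_attribute", "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
    "nss_base_passwd", "nss_base_shadow", "nss_base_group", "nss_base_hosts", "nss_initgroups_ignoreusers",
}

def parse_kv(text):
    """'key value' lines -> dict with lower-cased keys; '#' comments dropped."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_client(pam_text, lib_text):
    """(severity, option, message) findings; tls_checkpeer, when set, overrides TLS_REQCERT."""
    pam, lib = parse_kv(pam_text), parse_kv(lib_text)
    out = []
    uses_tls = (pam.get("ssl", "no").lower() in ("start_tls", "on", "yes")
                or pam.get("uri", "").lower().startswith("ldaps://"))
    if not uses_tls:
        out.append(("high", "ssl", "no TLS: binds and shadow lookups travel in clear text"))
    checkpeer, reqcert = pam.get("tls_checkpeer"), lib.get("tls_reqcert", "demand").lower()
    if checkpeer is not None:
        verifies, src = checkpeer.lower() in ("yes", "on", "true"), "tls_checkpeer=" + checkpeer
    else:
        verifies, src = reqcert in ("demand", "hard"), "TLS_REQCERT=" + reqcert
    if uses_tls and not verifies:
        out.append(("high", src, "server certificate not verified: STARTTLS is only opportunistic, so "
                    "a spoofed LDAP server can capture binds or serve fake passwd/shadow entries"))
    if checkpeer is not None and reqcert in ("never", "allow"):
        out.append(("medium", "TLS_REQCERT=" + reqcert, "libldap tools (ldapsearch etc.) accept any certificate too"))
    for key in sorted(set(pam) - KNOWN_PAM_LDAP):
        hint = difflib.get_close_matches(key, KNOWN_PAM_LDAP, n=1)
        out.append(("low", key, "unrecognised option" + (f"; did you mean {hint[0]}?" if hint else "")))
    return out

def audit_nsswitch(text):
    """Return ({database: [sources]}, [lines that are not of the form 'db: sources'])."""
    dbs, malformed = {}, []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line and ":" not in line:
            malformed.append(line)
        elif line:
            db, _, rest = line.partition(":")
            dbs[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return dbs, malformed

def pam_modules(log_text):
    """PAM module -> {'service:type'} seen in auth.log; a login handled by
    pam_ldap would appear here as 'pam_ldap'."""
    seen = {}
    for mod, svc, kind in re.findall(r"(pam_\w+)\((\w+):(\w+)\)", log_text):
        seen.setdefault(mod, set()).add(f"{svc}:{kind}")
    return seen

if __name__ == "__main__":
    for f in audit_ldap_client(PAM_LDAP_CONF, LIBLDAP_CONF):
        print("%-6s %-20s %s" % f)
    print(audit_nsswitch(NSSWITCH_CONF), pam_modules(AUTH_LOG))
```

Run against the posted files it reports the unverified certificate as high, `TLS_REQCERT never` as medium, and `rootbindn` as an unrecognised option (the real option name is `rootbinddn`, which may or may not be what the reporter's actual file contains); the `netgroup nis` line comes back as malformed because it has no colon, and the auth.log excerpt shows only pam_unix handling sessions, consistent with the reporter's remark that nothing in the log touches LDAP. Replacing `tls_checkpeer no` with `tls_checkpeer yes` and `TLS_REQCERT never` with `TLS_REQCERT demand` clears every finding.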