From: John A. Sullivan III on 10 Feb 2010 16:20

On Wed, 2010-02-10 at 21:30 +0100, Predrag Gavrilovic wrote:
> I believe you should set "rootbinddn" and "rootpw" in pam_ldap.conf.
> That's what's used when the lookup is done by a process whose effective
> user id is 0.

Hmm . . . we intentionally don't want to do that, and Ubuntu works without
it. We activated it anyway and restarted the vserver to test but received
the same results:

[10/Feb/2010:16:02:17 -0500] conn=64962 fd=65 slot=65 connection from 172.29.1.253 to 172.30.10.49
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=messagebus))" attrs=ALL
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:16:02:17 -0500] conn=64962 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=messagebus))" attrs="gidNumber"
[10/Feb/2010:16:02:17 -0500] conn=64962 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

>
> On Wed, Feb 10, 2010 at 5:07 PM, John A. Sullivan III
> <jsullivan(a)opensourcedevel.com> wrote:
> > Hello, all. We have just started to explore Debian Lenny as a platform
> > and have been delightfully impressed; however, we're hitting a problem
> > using LDAP authentication that we have not experienced in RedHat or
> > Ubuntu. We do not allow anonymous LDAP queries but rather
> > configure /etc/pam_ldap.conf with a binddn and bindpw.
> >
> > Our LDAP queries are failing and, when we look at the access logs on our
> > CentOS Directory Server 8.1, we see the binddn is empty:
<snip>
> > We could very likely have a missing package. This is a vserver and they
> > install a very skeleton base system. For example, the system initially
> > did not query at all until we realized we needed to install passwd.
> > This is an X2Go print server (hopefully many desktops to come
> > immediately after!) so we have installed:
> >
> > apt-get install locales less joe cups-x2go openssh-client cups
> > foomatic-db-gutenprint gutenprint-locales openprinting-ppds
> > cups-driver-gutenprint cups-pdf foomatic-db foomatic-filters openssl
> > libnss-ldap libpam-ldap nscd libpam-cracklib passwd
> >
> > <snip>

I'm wondering if there is a missing service rather than a missing file.
What service or daemon would fill in that information? We aggressively
strip out unnecessary services from our vservers, especially any having to
do with the hardware. This is from our internal documentation:

Clean up the rc directories:

cd /etc
rm rc*.d/*kdm
rm rc*.d/*dirmngr
rm rc*.d/*fancontrol
rm rc*.d/*lisa
rm rc*.d/*rsync
rm rc*.d/*saned
rm rc*.d/*avahi-daemon
rm rc*.d/*portmap
rm rc*.d/*hpoj
rm rc*.d/*lpd
rm rc*.d/*libchipcard-tools
rm rc*.d/*stop-bootlogd
rm rc*.d/*winbind
rm rc*.d/*hwclock.sh
rm rc*.d/*mountoverflowtmp
rm rc*.d/*urandom
rm rc*.d/*umountnfs.sh
rm rc*.d/*networking
rm rc*.d/*ifupdown
rm rc*.d/*umountfs
rm rc*.d/*umountroot
rm rc*.d/*binfmt-support
cd rcS.d
rm *udev
rm *hdparm
rm *pppd-dns
rm *lm-sensors
rm S05bootlogd
rm S01glibc.sh
rm S02hostname.sh
rm S02mountkernfs.sh
rm S04mountdevsubfs.sh
rm S08hwclockfirst.sh
rm S10checkroot.sh
rm S11hwclock.sh
rm S12mtab.sh
rm S18ifupdown-clean
rm S20module-init-tools
rm S30checkfs.sh
rm S30procps
rm S35mountall.sh
rm S36mountall-bootclean.sh
rm S36udev-mtab
rm S37mountoverflowtmp
rm S39ifupdown
rm S40networking
rm S45mountnfs.sh
rm S46mountnfs-bootclean.sh
rm S55bootmisc.sh
rm S55urandom
rm S99stop-bootlogd-single

> > We've restarted the vserver several times to be sure. Even something as
> > simple as id <some user> fails and we see the empty DN. If we download
> > ldap-utils and do an ldapsearch, queries succeed using the parameters
> > given above in pam_ldap.conf. An almost identical setup works in both
> > CentOS 5.0.4 and Ubuntu Hardy. What is different with Debian and what
> > did we do wrong? Any help would be greatly appreciated as I've lost days
> > tracking this down with no answer. Thanks - John
> >
> > --
> > To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
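The diagnosis above came from reading the directory server's access log by eye. The following Python is an added example, not code from the thread, that parses the quoted access-log format (389 / CentOS Directory Server style) and reports connections that bound anonymously and searches the server flagged as unindexed (notes=U). The sample log is constructed: the first connection reproduces the quoted lines, the second is a hypothetical client binding with a proxy DN (cn=nssproxy) for comparison.

```python
import re

# Constructed sample: conn=64962 reproduces the lines quoted in the thread (empty bind DN, two
# searches, the second unindexed); conn=64970 is a hypothetical client that binds with a DN.
SAMPLE_LOG = """\
[10/Feb/2010:16:02:17 -0500] conn=64962 fd=65 slot=65 connection from 172.29.1.253 to 172.30.10.49
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=messagebus))" attrs=ALL
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:16:02:17 -0500] conn=64962 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=messagebus))" attrs="gidNumber"
[10/Feb/2010:16:02:17 -0500] conn=64962 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[10/Feb/2010:16:05:01 -0500] conn=64970 fd=66 slot=66 connection from 172.29.1.250 to 172.30.10.49
[10/Feb/2010:16:05:01 -0500] conn=64970 op=0 BIND dn="cn=nssproxy,dc=ssiservices,dc=biz" method=128 version=3
[10/Feb/2010:16:05:01 -0500] conn=64970 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=nssproxy,dc=ssiservices,dc=biz"
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to \S+')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="[^"]*" scope=\d filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=\d+ RESULT err=(\d+) tag=\d+ nentries=(\d+)(.*)$')

def parse_access_log(text):
    """Group log lines by connection: client address, bind DN, search filters, unindexed count."""
    conns = {}  # assumes the "connection from" line precedes a connection's operations
    for line in text.splitlines():
        if m := CONN_RE.search(line):
            conns[m.group(1)] = {"client": m.group(2), "bind_dn": None, "searches": [], "unindexed": 0}
        elif m := BIND_RE.search(line):
            conns[m.group(1)]["bind_dn"] = m.group(2)  # "" means the simple bind was anonymous
        elif m := SRCH_RE.search(line):
            conns[m.group(1)]["searches"].append(m.group(2))
        elif (m := RESULT_RE.search(line)) and "notes=U" in m.group(4):
            conns[m.group(1)]["unindexed"] += 1  # notes=U: the server could not use an index
    return conns

def anonymous_binds(conns):
    """Connections whose bind carried an empty DN, i.e. the client never used its configured binddn."""
    return sorted(c for c, info in conns.items() if info["bind_dn"] == "")

def findings(conns):
    """The two checks a defender runs over the parsed log, as readable strings."""
    out = []
    for conn in anonymous_binds(conns):
        out.append(f"conn={conn} from {conns[conn]['client']}: anonymous bind before "
                   f"{len(conns[conn]['searches'])} search(es); check that client's NSS-side binddn")
    for conn, info in conns.items():
        if info["unindexed"]:
            out.append(f"conn={conn}: {info['unindexed']} unindexed search(es); index the filtered attribute")
    return out
```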
From: John A. Sullivan III on 10 Feb 2010 16:30

On Thu, 2010-02-11 at 07:50 +1100, Alex Samad wrote:
> <snip>
> > On Thu, 2010-02-11 at 06:42 +1100, Alex Samad wrote:
> > > On Wed, Feb 10, 2010 at 11:07:05AM -0500, John A. Sullivan III wrote:
> > > > Hello, all. We have just started to explore Debian Lenny as a platform
> > > > and have been delightfully impressed; however, we're hitting a problem
> > > > using LDAP authentication that we have not experienced in RedHat or
> > > > Ubuntu. We do not allow anonymous LDAP queries but rather
> > > > configure /etc/pam_ldap.conf with a binddn and bindpw.
> > > >
> > > > Our LDAP queries are failing and, when we look at the access logs on our
> > > > CentOS Directory Server 8.1, we see the binddn is empty:
> > > >
> > > Hi
> > >
> > > on my debian system I have a couple of packages installed to handle ldap
> > > userid db.
> > >
> > > pam handles one side of it but you need the nss stuff as well. There
> > > are 2 sets of packages, the one I use (I like it better - works how I
> > > like it to work and seems to be getting active maintenance).
> > >
> > > nslcd and with this you will need libnss-ldapd & libpam-ldapd they both
> > > need config files in /etc
> >
> > libnss-ldap and libpam-ldap are installed. I do not see a package
> > named nslcd unless it's a typo for nscd which is installed as well.
>
> no nslcd is not a typo, like I said there are 2 streams/groups of
> packages for pam integration you have the !older! ones. have a look at
> nslcd and its partner packages I have found them to be more stable.
>
> > > [snip]
> > > > pam_ldap.conf looks like this:
> > > [snip]
> > >
> > > you need to look at the nss config file as well
> >
> > Do you mean nsswitch.conf? If so, we did address that - files ldap for
> > passwd, group, and shadow.
>
> nope this file /etc/nss-ldapd.conf used for the nss side of things which
> is what getent uses and tools like nsswitch, glibc & whoami
<snip>

Ah! That was it and that's what's different. CentOS and Ubuntu do not
separate them. I was wondering why there was a pam_ldap.conf instead of an
ldap.conf. I assumed it was to eliminate conflict with openldap's
ldap.conf. I didn't realize it was to distinguish it from nss-ldap.conf.

Regarding nslcd, in which repository is it? I did an apt-cache search
nslcd and it returned nothing. Thanks very, very much - John
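The root cause John confirms above, that the PAM side and the NSS side read different configuration files on Debian, so a binddn in pam_ldap.conf does nothing for getent or id, can be checked mechanically. The following Python is an added example, not code from the thread or from the Debian packages: it parses the whitespace-separated key/value format those files use and reports a bind identity present on one side but not the other. Both config texts are constructed samples and the proxy DN cn=nssproxy is hypothetical.

```python
# Constructed samples modelled on the thread: the PAM-side file carries a bind identity,
# the NSS-side file (a separate file on Debian) was copied without one.
PAM_LDAP_CONF = """\
# hypothetical /etc/pam_ldap.conf
base dc=ssiservices,dc=biz
uri ldap://172.30.10.49/
ldap_version 3
binddn cn=nssproxy,dc=ssiservices,dc=biz
bindpw example-only-secret
"""
NSS_LDAP_CONF = """\
# hypothetical NSS-side config
base dc=ssiservices,dc=biz
uri ldap://172.30.10.49/
ldap_version 3
"""

def parse_ldap_conf(text):
    """Parse 'key value' lines (the format shared by pam_ldap.conf and the nss-ldap configs)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)  # split on the first run of spaces or tabs
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def bind_identity_findings(pam_text, nss_text):
    """Mismatches that leave NSS lookups (getent, id) binding anonymously while PAM binds with a DN."""
    pam, nss = parse_ldap_conf(pam_text), parse_ldap_conf(nss_text)
    out = []
    for key in ("base", "uri"):
        if pam.get(key) != nss.get(key):
            out.append(f"{key} differs between the PAM and NSS configs")
    if pam.get("binddn") and not nss.get("binddn"):
        out.append('binddn set on the PAM side only: NSS lookups will bind with dn=""')
    if nss.get("binddn") and not nss.get("bindpw"):
        out.append("NSS binddn set without a bindpw")
    for side, conf in (("PAM", pam), ("NSS", nss)):
        if "rootpw" in conf:  # a privileged credential inline in a config every local user can read
            out.append(f"{side}: rootpw stored inline; keep privileged credentials out of world-readable configs")
    return out
```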
From: Tony Nelson on 10 Feb 2010 17:30

On 10-02-10 15:50:40, Alex Samad wrote:
...
> > > On Wed, Feb 10, 2010 at 11:07:05AM -0500, John A. Sullivan III
> > > wrote:
> > > > Hello, all. We have just started to explore Debian Lenny as
> > > > a platform
...
> no nslcd is not a typo, like I said there are 2 streams/groups of
> packages for pam integration you have the !older! ones. have a look
> at nslcd and its partner packages I have found them to be more stable.
...

Not in Lenny (or Lenny-Backports). In Squeeze and Sid.

--
TonyN.:' <mailto:tonynelson(a)georgeanelson.com>
      ' <http://www.georgeanelson.com/>
From: Alex Samad on 10 Feb 2010 19:50
On Wed, Feb 10, 2010 at 05:22:50PM -0500, Tony Nelson wrote:
> On 10-02-10 15:50:40, Alex Samad wrote:
> ...
> > > > On Wed, Feb 10, 2010 at 11:07:05AM -0500, John A. Sullivan III
> > > > wrote:
> > > > > Hello, all. We have just started to explore Debian Lenny as
> > > > > a platform
> ...
> > no nslcd is not a typo, like I said there are 2 streams/groups of
> > packages for pam integration you have the !older! ones. have a look
> > at nslcd and its partner packages I have found them to be more stable.

sorry bad choice of words. I have found nslcd to be more reliable

> ...
>
> Not in Lenny (or Lenny-Backports). In Squeeze and Sid.
>

--
"I am here to make an announcement that this Thursday, ticket counters and
airplanes will fly out of Ronald Reagan Airport."
  - George W. Bush 10/03/2001 Washington, DC