From: John A. Sullivan III on 10 Feb 2010 11:10

Hello, all. We have just started to explore Debian Lenny as a platform and have been delightfully impressed; however, we're hitting a problem using LDAP authentication that we have not experienced in RedHat or Ubuntu. We do not allow anonymous LDAP queries but rather configure /etc/pam_ldap.conf with a binddn and bindpw.

Our LDAP queries are failing and, when we look at the access logs on our CentOS Directory Server 8.1, we see the binddn is empty:

[10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:10:01:47 -0500] conn=52684 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=debian-xfs))" attrs="gidNumber"
[10/Feb/2010:10:01:47 -0500] conn=52684 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[10/Feb/2010:10:01:47 -0500] conn=52684 op=3 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))" attrs=ALL
[10/Feb/2010:10:01:47 -0500] conn=52684 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:10:01:47 -0500] conn=52684 op=4 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=nobody))" attrs="gidNumber"
[10/Feb/2010:10:01:47 -0500] conn=52684 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

pam_ldap.conf looks like this:

base dc=ssiservices,dc=biz
uri ldap://ldap02.ssiservices.biz/
ldap_version 3
binddn uid=someid,dc=ssiservices,dc=biz
bindpw somelongpassword
#rootbinddn cn=manager,dc=padl,dc=com

We have disabled SSL for now.

nsswitch.conf looks like:

passwd:     files ldap
group:      files ldap
shadow:     files ldap

We could very likely have a missing package. This is a vserver and they install a very skeleton base system. For example, the system initially did not query at all until we realized we needed to install passwd. This is an X2Go print server (hopefully many desktops to come immediately after!) so we have installed:

apt-get install locales less joe cups-x2go openssh-client cups foomatic-db-gutenprint gutenprint-locales openprinting-ppds cups-driver-gutenprint cups-pdf foomatic-db foomatic-filters openssl libnss-ldap libpam-ldap nscd libpam-cracklib passwd

Here is how we set up pam and nscd:

edit /etc/pam.d/common-account to read:
account   required    pam_unix.so
account   sufficient  pam_succeed_if.so uid < 1000 quiet
account   [default=bad success=ok user_unknown=ignore] pam_ldap.so
account   required    pam_permit.so

edit /etc/pam.d/common-session so it reads:
session   required    pam_limits.so
session   required    pam_unix.so
session   optional    pam_ldap.so

edit /etc/pam.d/common-password so it reads:
password  sufficient  pam_ldap.so
password  required    pam_unix.so nullok obscure md5
password  required    pam_deny.so

edit /etc/pam.d/common-auth so it reads:
auth      sufficient  pam_unix.so nullok_secure
auth      requisite   pam_succeed_if.so uid >= 1000 quiet
auth      sufficient  pam_ldap.so use_first_pass
auth      required    pam_deny.so

Edit /etc/nscd.conf to change the group positive cache limit (positive-time-to-live) to 600 seconds from the default 3600.

We've restarted the vserver several times to be sure. Even something as simple as id <some user> fails and we see the empty DN. If we download ldap-utils and do an ldapsearch, queries succeed using the parameters given above in pam_ldap.conf. An almost identical setup works in both CentOS 5.0.4 and Ubuntu Hardy. What is different with Debian and what did we do wrong? Any help would be greatly appreciated as I've lost days tracking this down with no answer.

Thanks - John

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
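The access log in the post above is the most useful evidence in the thread: `BIND dn="" ... err=0` shows the directory accepted an anonymous bind from the client, and every search that follows returns `nentries=0`, which is what a directory that denies anonymous read access will do. A defender watching a Directory Server access log wants exactly that pattern surfaced per connection. The following parser is an added example, not code from the thread or from the Directory Server project; it runs over the log lines quoted in the post plus one constructed, properly-authenticated connection (conn=52685, made up for this example) to show that an authenticated bind is not reported.

```python
import re
from collections import defaultdict

# Access-log lines as quoted in the original post (CentOS Directory Server 8.1).
SAMPLE_LOG = """\
[10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:10:01:47 -0500] conn=52684 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=debian-xfs))" attrs="gidNumber"
[10/Feb/2010:10:01:47 -0500] conn=52684 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[10/Feb/2010:10:01:47 -0500] conn=52684 op=3 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))" attrs=ALL
[10/Feb/2010:10:01:47 -0500] conn=52684 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:10:01:47 -0500] conn=52684 op=4 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=nobody))" attrs="gidNumber"
[10/Feb/2010:10:01:47 -0500] conn=52684 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
"""

# Constructed for this example (not from the thread): a client that binds with
# the configured service DN, which the audit must NOT report.
CONSTRUCTED_OK_LOG = """\
[10/Feb/2010:10:02:03 -0500] conn=52685 fd=75 slot=75 connection from 172.29.2.9 to 172.30.10.49
[10/Feb/2010:10:02:03 -0500] conn=52685 op=0 BIND dn="uid=someid,dc=ssiservices,dc=biz" method=128 version=3
[10/Feb/2010:10:02:03 -0500] conn=52685 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=someid,dc=ssiservices,dc=biz"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_RE = re.compile(r'^fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+) ?(?P<args>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally double-quoted


def parse_line(line):
    """Turn one access-log line into a record dict, or None if it is not recognised.

    The 'connection from' line becomes kind CONNECT with src/dst; every other line
    becomes its operation kind (BIND, SRCH, RESULT, ...) with the key=value fields
    unquoted, so dn="" comes out as the empty string."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, conn, rest = m.group('ts'), int(m.group('conn')), m.group('rest')
    c = CONN_RE.match(rest)
    if c:
        return {'ts': ts, 'conn': conn, 'op': None, 'kind': 'CONNECT',
                'fields': {'src': c.group('src'), 'dst': c.group('dst')}}
    o = OP_RE.match(rest)
    if not o:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(o.group('args'))}
    return {'ts': ts, 'conn': conn, 'op': int(o.group('op')),
            'kind': o.group('kind'), 'fields': fields}


def audit(log_text):
    """Group records per connection and report every connection whose last BIND was
    anonymous (dn=""), together with the searches it ran that returned no entries
    and those the server marked unindexed (notes=U)."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            conns[rec['conn']].append(rec)

    findings = []
    for conn, recs in sorted(conns.items()):
        src = next((r['fields']['src'] for r in recs if r['kind'] == 'CONNECT'), '?')
        bind_dn = None
        searches = {}                      # op id -> filter / result summary
        for r in recs:
            if r['kind'] == 'BIND':
                bind_dn = r['fields'].get('dn', '')
            elif r['kind'] == 'SRCH':
                searches[r['op']] = {'filter': r['fields'].get('filter', ''),
                                     'nentries': None, 'unindexed': False}
            elif r['kind'] == 'RESULT' and r['op'] in searches:
                searches[r['op']]['nentries'] = int(r['fields'].get('nentries', '0'))
                searches[r['op']]['unindexed'] = 'U' in r['fields'].get('notes', '')
        if bind_dn != '':
            continue                       # no BIND seen, or an authenticated one
        findings.append({
            'conn': conn, 'src': src, 'bind_dn': bind_dn,
            'empty_lookups': [s['filter'] for s in searches.values() if s['nentries'] == 0],
            'unindexed': [s['filter'] for s in searches.values() if s['unindexed']],
        })
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_LOG + CONSTRUCTED_OK_LOG):
        print(f"conn={f['conn']} from {f['src']}: anonymous bind, "
              f"{len(f['empty_lookups'])} lookups returned nothing, "
              f"{len(f['unindexed'])} unindexed")
```

Run against a real access log the same way (`audit(open(path).read())`); a steady stream of anonymous binds from a host that is supposed to use a service account points at the client-side configuration rather than at the directory, which is exactly the direction the rest of this thread takes.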
From: Alex Samad on 10 Feb 2010 14:50

On Wed, Feb 10, 2010 at 11:07:05AM -0500, John A. Sullivan III wrote:
> Hello, all. We have just started to explore Debian Lenny as a platform and have been delightfully impressed however we're hitting a problem using LDAP authentication that we have not experienced in RedHat or Ubuntu. We do not allow anonymous LDAP queries but rather configure /etc/pam_ldap.conf with a binddn and bindpw.
>
> Our LDAP queries are failing and, when we look at the access logs on our CentOS Directory Server 8.1, we see the binddn is empty:

Hi

On my debian system I have a couple of packages installed to handle the ldap userid db.

pam handles one side of it but you need the nss stuff as well. There are 2 sets of packages; the one I use (I like it better - works how I like it to work and seems to be getting active maintenance) is nslcd, and with this you will need libnss-ldapd & libpam-ldapd. They both need config files in /etc.

[snip]

> pam_ldap.conf looks like this:

[snip]

You need to look at the nss config file as well.

> We could very likely have a missing package. This is a vserver and they install a very skeleton base system. For example, the system initially did not query at all until we realized we needed to install passwd. This is an X2Go print server (hopefully many desktops to come immediately after!) so we have installed:

[snip]

Maybe you are missing stuff, like the nss ldap package. getent passwd should show you all your users; work from there and then getent group.

> did we do wrong? Any help would be greatly appreciated as I've lost days tracking this down with no answer. Thanks - John
From: John A. Sullivan III on 10 Feb 2010 15:30

Thanks for the quick response. I'll answer in the text below - John

On Thu, 2010-02-11 at 06:42 +1100, Alex Samad wrote:
> On Wed, Feb 10, 2010 at 11:07:05AM -0500, John A. Sullivan III wrote:
> > Hello, all. We have just started to explore Debian Lenny as a platform and have been delightfully impressed however we're hitting a problem using LDAP authentication that we have not experienced in RedHat or Ubuntu. We do not allow anonymous LDAP queries but rather configure /etc/pam_ldap.conf with a binddn and bindpw.
> >
> > Our LDAP queries are failing and, when we look at the access logs on our CentOS Directory Server 8.1, we see the binddn is empty:
>
> Hi
>
> on my debian system I have a couple of packages installed to handle ldap userid db.
>
> pam handles one side of it but you need the nss stuff as well. There are 2 sets of packages, the one I use (I like it better - works how I like it to work and seems to be getting active maintenance).
>
> nslcd and with this you will need libnss-ldapd & libpam-ldapd they both need config files in /etc

libnss-ldap and libpam-ldap are installed. I do not see a package named nslcd unless it's a typo for nscd, which is installed as well.

> [snip]
>
> > pam_ldap.conf looks like this:
>
> [snip]
>
> you need to look at the nss config file as well

Do you mean nsswitch.conf? If so, we did address that - files ldap for passwd, group, and shadow.

> > We could very likely have a missing package. This is a vserver and they install a very skeleton base system. For example, the system initially did not query at all until we realized we needed to install passwd. This is an X2Go print server (hopefully many desktops to come immediately after!) so we have installed:
>
> [snip]
>
> maybe you are missing stuff, like the nss ldap package. getent passwd should show you all your users work from there and then getent group

getent passwd only shows local users

> > did we do wrong? Any help would be greatly appreciated as I've lost days tracking this down with no answer. Thanks - John

Still eagerly looking for hints and suggestions. Thanks - John
From: Predrag Gavrilovic on 10 Feb 2010 15:40

I believe you should set "rootbinddn" and "rootpw" in pam_ldap.conf. That's what's used when the lookup is done by a process whose effective user id is 0.

On Wed, Feb 10, 2010 at 5:07 PM, John A. Sullivan III <jsullivan(a)opensourcedevel.com> wrote:
> Hello, all.  We have just started to explore Debian Lenny as a platform and have been delightfully impressed however we're hitting a problem using LDAP authentication that we have not experienced in RedHat or Ubuntu.  We do not allow anonymous LDAP queries but rather configure /etc/pam_ldap.conf with a binddn and bindpw.
>
> Our LDAP queries are failing and, when we look at the access logs on our CentOS Directory Server 8.1, we see the binddn is empty:
>
> [10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=debian-xfs))" attrs="gidNumber"
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=3 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))" attrs=ALL
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=3 RESULT err=0 tag=101 nentries=0 etime=0
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=4 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=nobody))" attrs="gidNumber"
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
>
> pam_ldap.conf looks like this:
>
> base dc=ssiservices,dc=biz
> uri ldap://ldap02.ssiservices.biz/
> ldap_version 3
> binddn uid=someid,dc=ssiservices,dc=biz
> bindpw somelongpassword
> #rootbinddn cn=manager,dc=padl,dc=com
>
> We have disabled SSL for now.
>
> nsswitch.conf looks like:
> passwd:     files ldap
> group:      files ldap
> shadow:     files ldap
>
> We could very likely have a missing package.  This is a vserver and they install a very skeleton base system.  For example, the system initially did not query at all until we realized we needed to install passwd. This is an X2Go print server (hopefully many desktops to come immediately after!) so we have installed:
>
> apt-get install locales less joe cups-x2go openssh-client cups foomatic-db-gutenprint gutenprint-locales openprinting-ppds cups-driver-gutenprint cups-pdf foomatic-db foomatic-filters openssl libnss-ldap libpam-ldap nscd libpam-cracklib passwd
>
> Here is how we set up pam and nscd:
>
> edit /etc/pam.d/common-account to read:
> account   required    pam_unix.so
> account   sufficient  pam_succeed_if.so uid < 1000 quiet
> account   [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account   required    pam_permit.so
>
> edit /etc/pam.d/common-session so it reads:
> session   required    pam_limits.so
> session   required    pam_unix.so
> session   optional    pam_ldap.so
>
> edit /etc/pam.d/common-password so it reads:
> password  sufficient  pam_ldap.so
> password  required    pam_unix.so nullok obscure md5
> password  required    pam_deny.so
>
> edit /etc/pam.d/common-auth so it reads:
> auth      sufficient  pam_unix.so nullok_secure
> auth      requisite   pam_succeed_if.so uid >= 1000 quiet
> auth      sufficient  pam_ldap.so use_first_pass
> auth      required    pam_deny.so
>
> Edit /etc/nscd.conf to change the group positive cache limit (positive-time-to-live) to 600 seconds from the default 3600.
>
> We've restarted the vserver several times to be sure.  Even something as simple as id <some user> fails and we see the empty DN.  If we download ldap-utils and do an ldapsearch, queries succeed using the parameters given above in pam_ldap.conf.  An almost identical setup works in both CentOS 5.0.4 and Ubuntu Hardy.  What is different with Debian and what did we do wrong? Any help would be greatly appreciated as I've lost days tracking this down with no answer.  Thanks - John
From: Alex Samad on 10 Feb 2010 16:00

On Wed, Feb 10, 2010 at 03:27:25PM -0500, John A. Sullivan III wrote:
> Thanks for the quick response. I'll answer in the text below - John
>
> On Thu, 2010-02-11 at 06:42 +1100, Alex Samad wrote:
> > On Wed, Feb 10, 2010 at 11:07:05AM -0500, John A. Sullivan III wrote:
> > > Hello, all. We have just started to explore Debian Lenny as a platform and have been delightfully impressed however we're hitting a problem using LDAP authentication that we have not experienced in RedHat or Ubuntu. We do not allow anonymous LDAP queries but rather configure /etc/pam_ldap.conf with a binddn and bindpw.
> > >
> > > Our LDAP queries are failing and, when we look at the access logs on our CentOS Directory Server 8.1, we see the binddn is empty:
> >
> > Hi
> >
> > on my debian system I have a couple of packages installed to handle ldap userid db.
> >
> > pam handles one side of it but you need the nss stuff as well. There are 2 sets of packages, the one I use (I like it better - works how I like it to work and seems to be getting active maintenance).
> >
> > nslcd and with this you will need libnss-ldapd & libpam-ldapd they both need config files in /etc
>
> libnss-ldap and libpam-ldap are installed. I do not see a packaged named nslcd unless it's a typo for nscd which is installed as well.

No, nslcd is not a typo. Like I said, there are 2 streams/groups of packages for pam integration; you have the !older! ones. Have a look at nslcd and its partner packages; I have found them to be more stable.

> > [snip]
> >
> > > pam_ldap.conf looks like this:
> >
> > [snip]
> >
> > you need to look at the nss config file as well
>
> Do you mean nsswitch.conf? If so, we did address that - files ldap for passwd, group, and shadow.

Nope, this file, /etc/nss-ldapd.conf, is used for the nss side of things, which is what getent uses, and tools like nsswitch, glibc & whoami.

> > > We could very likely have a missing package. This is a vserver and they install a very skeleton base system. For example, the system initially did not query at all until we realized we needed to install passwd. This is an X2Go print server (hopefully many desktops to come immediately after!) so we have installed:
> >
> > [snip]
> >
> > maybe you are missing stuff, like the nss ldap package. getent passwd should show you all your users work from there and then getent group
>
> getent passwd only shows local users

As per above.

> > > did we do wrong? Any help would be greatly appreciated as I've lost days tracking this down with no answer. Thanks - John
>
> Still eagerly looking for hints and suggestions. Thanks - John

Have a look at the nslcd package and the author's web page - why he created this package (a fork of the original stuff).

--
"I recently met with the finance minister of the Palestinian Authority, was very impressed by his grasp of finances." - George W. Bush 05/29/2003 Washington, DC
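Predrag's and Alex's replies both come down to which credentials each client library actually binds with: pam_ldap.conf's binddn/bindpw (or, as Predrag describes, rootbinddn with its own secret when the calling process has effective uid 0), and, for the NSS side that getent and id go through, a separate configuration file of its own. The audit below is an added example, not code from the thread or from the pam_ldap, libnss-ldap or nslcd projects. It parses the pam_ldap.conf quoted in the first post and a hypothetical NSS-side file; the path /etc/libnss-ldap.conf, its contents (same base/uri, no credentials), the file modes and the secret_file_readable flag are assumptions constructed for the example, and the rootbinddn rule is implemented as Predrag states it, not from any library source.

```python
import re
import stat

# /etc/pam_ldap.conf exactly as quoted in the first post of the thread.
PAM_LDAP_CONF = """\
base dc=ssiservices,dc=biz
uri ldap://ldap02.ssiservices.biz/
ldap_version 3
binddn uid=someid,dc=ssiservices,dc=biz
bindpw somelongpassword
#rootbinddn cn=manager,dc=padl,dc=com
"""

# Constructed for this example: a hypothetical NSS-side config that copies the
# base/uri but carries no credentials, so lookups through it bind anonymously.
NSS_LDAP_CONF = """\
base dc=ssiservices,dc=biz
uri ldap://ldap02.ssiservices.biz/
ldap_version 3
"""

# path -> (file text, file mode). Paths and modes are constructed sample values;
# the NSS-side file name is an assumption, not something the thread states.
SAMPLE_CONFIGS = {
    '/etc/pam_ldap.conf': (PAM_LDAP_CONF, 0o644),
    '/etc/libnss-ldap.conf': (NSS_LDAP_CONF, 0o644),
}


def parse_ldap_conf(text):
    """Parse a 'key value' per line config with '#' comments.

    Returns (settings, commented): the active keys, and keys that appear only
    in comments (e.g. the '#rootbinddn ...' line in the thread)."""
    settings, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            m = re.match(r'#\s*(\w+)\s+(\S.*)', line)
            if m:
                commented.add(m.group(1))
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings, commented


def effective_bind(settings, euid, secret_file_readable=False):
    """Return the DN a lookup will bind with, following the rule Predrag describes:
    a process with effective uid 0 uses rootbinddn (its password lives in a separate
    secret file, assumed readable when secret_file_readable is True); everything else
    uses binddn/bindpw; with neither available the bind goes out anonymously (dn="")."""
    if euid == 0 and 'rootbinddn' in settings and secret_file_readable:
        return settings['rootbinddn']
    if settings.get('binddn') and settings.get('bindpw'):
        return settings['binddn']
    return ''


def audit_client_configs(configs, euid=0, secret_file_readable=False):
    """Report, per config file: lookups that would bind anonymously, a rootbinddn
    left commented out while root-owned lookups are expected, and a bindpw kept in
    a world-readable file (every local user can read the service password)."""
    findings = []
    for path, (text, mode) in configs.items():
        settings, commented = parse_ldap_conf(text)
        if effective_bind(settings, euid, secret_file_readable) == '':
            findings.append(f'{path}: lookups at euid {euid} will bind anonymously (dn="")')
        if euid == 0 and 'rootbinddn' in commented:
            findings.append(f'{path}: rootbinddn is commented out, root-owned lookups '
                            f'fall back to binddn/bindpw')
        if 'bindpw' in settings and mode & stat.S_IROTH:
            findings.append(f'{path}: bindpw is stored in a world-readable file (mode {oct(mode)})')
    return findings


if __name__ == '__main__':
    for line in audit_client_configs(SAMPLE_CONFIGS, euid=0):
        print(line)
```

Read the two files off a real host with `open(path).read()` and `os.stat(path).st_mode` instead of the constructed constants. The point the output makes is the one the thread circles around: a correct pam_ldap.conf says nothing about what the NSS library binds with, so `id` and `getent` can still arrive at the directory as `dn=""` while `ldapsearch` with the same parameters succeeds.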