RE: Re: ssh connection to an ldap server

From: fatima riadi (ftmriadi_at_yahoo.fr)
Date: 03/21/05

    Date: Mon, 21 Mar 2005 16:57:54 +0100 (CET)
    To: "Tay, Gary" <Gary_Tay@platts.com>
    
    

     --- "Tay, Gary" <Gary_Tay@platts.com> a écrit :
    > If you suspect pam_ldap, show us the
    > /etc/nsswitch.conf and /etc/pam.d/system-auth and/or
    > /etc/pam.d/sshd.
    >
    ======================================================
    Here is my slapd.conf file content:

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/samba.schema
    include /etc/openldap/schema/redhat/rfc822-MailMember.schema
    include /etc/openldap/schema/redhat/autofs.schema

    # Allow LDAPv2 client connections. This is NOT the default.
    allow bind_v2

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /var/run/slapd.pid
    #argsfile //var/run/slapd.args

    access to attr=userPassword
            by self write
            by * auth
    access to dn="ou=users,dc=example,dc=com"
            by self write
            by dn="cn=nssldap,ou=DSA,dc=example,dc=com" read
            by users auth
            by anonymous read
    access to * by self write
            by * read

    #######################################################################
    # ldbm and/or bdb database definitions
    #######################################################################

    database ldbm
    suffix "dc=example,dc=com"
    rootdn "cn=Manager,dc=example,dc=com"
    rootpw {SSHA}Cu0mazfs7JKjmJaCrZQszD1G7ijRpIKO

    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /var/lib/ldap

    # Indices to maintain for this database
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub
    index sambaSID,sambaDomainName,sambaPrimaryGroupSID eq
    ======================================================
    /etc/pam.d/sshd

    #%PAM-1.0
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session required pam_limits.so
    session optional pam_console.so
    ======================================================
      
    > pam_ldap works with nss_ldap, also show
    > /etc/ldap.conf.

    And this is my /etc/ldap.conf file:

    # Your LDAP server. Must be resolvable without using LDAP.
    host 127.0.0.1

    # The distinguished name of the search base.
    base dc=example,dc=com

    # Another way to specify your LDAP server is to provide an
    # uri with the server name. This allows to use
    # Unix Domain Sockets to connect to a local LDAP Server.
    #uri ldap://127.0.0.1/
    #uri ldaps://127.0.0.1/
    #uri ldapi://%2fvar%2frun%2fldapi_sock/
    # Note: %2f encodes the '/' used as directory separator

    # The LDAP version to use (defaults to 3
    # if supported by client library)
    #ldap_version 3

    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    #binddn cn=exampleuser,dc=example,dc=com

    # The credentials to bind with.
    # Optional: default is no credential.
    #bindpw secret

    # The distinguished name to bind to the server with
    # if the effective user ID is root. Password is
    # stored in /etc/ldap.secret (mode 600)
    rootbinddn cn=nssldap,ou=DSA,dc=example,dc=com

    # The port.
    # Optional: default is 389.
    #port 389

    # The search scope.
    #scope sub
    #scope one
    #scope base

    # Search timelimit
    #timelimit 30

    # Bind timelimit
    #bind_timelimit 30

    # Idle timelimit; client will close connections
    # (nss_ldap only) if the server has not been contacted
    # for the number of seconds specified below.
    #idle_timelimit 3600

    # Filter to AND with uid=%s
    #pam_filter objectclass=account

    # The user ID attribute (defaults to uid)
    #pam_login_attribute uid

    # Search the root DSE for the password policy (works
    # with Netscape Directory Server)
    #pam_lookup_policy yes

    # Check the 'host' attribute for access control
    # Default is no; if set to yes, and user has no
    # value for the host attribute, and pam_ldap is
    # configured for account management (authorization)
    # then the user will not be allowed to login.
    #pam_check_host_attr yes

    # Group to enforce membership of
    #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

    # Group member attribute
    #pam_member_attribute uniquemember

    # Specify a minimum or maximum UID number allowed
    #pam_min_uid 0
    #pam_max_uid 0

    # Template login attribute, default template user
    # (can be overridden by value of former attribute
    # in user's entry)
    #pam_login_attribute userPrincipalName
    #pam_template_login_attribute uid
    #pam_template_login nobody

    # HEADS UP: the pam_crypt, pam_nds_passwd,
    # and pam_ad_passwd options are no
    # longer supported.

    # Do not hash the password at all; presume
    # the directory server will do it, if
    # necessary. This is the default.
    #pam_password clear

    # Hash password locally; required for University of
    # Michigan LDAP server, and works with Netscape
    # Directory Server if you're using the UNIX-Crypt
    # hash mechanism and not using the NT Synchronization
    # service.
    #pam_password crypt

    # Remove old password first, then update in
    # cleartext. Necessary for use with Novell
    # Directory Services (NDS)
    #pam_password nds

    # Update Active Directory password, by
    # creating Unicode password and updating
    # unicodePwd attribute.
    #pam_password ad

    # Use the OpenLDAP password change
    # extended operation to update the password.
    #pam_password exop

    # RFC2307bis naming contexts
    # Syntax:
    # nss_base_XXX base?scope?filter
    # where scope is {base,one,sub}
    # and filter is a filter to be &'d with the
    # default filter.
    # You can omit the suffix eg:
    # nss_base_passwd ou=People,
    # to append the default base DN but this
    # may incur a small performance impact.
    #nss_base_passwd ou=People,dc=example,dc=com?one
    #nss_base_shadow ou=People,dc=example,dc=com?one
    #nss_base_group ou=Group,dc=example,dc=com?one
    #nss_base_hosts ou=Hosts,dc=example,dc=com?one
    #nss_base_services ou=Services,dc=example,dc=com?one
    #nss_base_networks ou=Networks,dc=example,dc=com?one
    #nss_base_protocols ou=Protocols,dc=example,dc=com?one
    #nss_base_rpc ou=Rpc,dc=example,dc=com?one
    #nss_base_ethers ou=Ethers,dc=example,dc=com?one
    #nss_base_netmasks ou=Networks,dc=example,dc=com?ne
    #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
    #nss_base_aliases ou=Aliases,dc=example,dc=com?one
    #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
    nss_base_passwd dc=example,dc=com?sub
    nss_base_shadow dc=example,dc=com?sub
    nss_base_group ou=groups,dc=example,dc=com?one

    # attribute/objectclass mapping
    # Syntax:
    #nss_map_attribute rfc2307attribute mapped_attribute
    #nss_map_objectclass rfc2307objectclass mapped_objectclass

    # configure --enable-nds is no longer supported.
    # For NDS now do:
    #nss_map_attribute uniqueMember member

    # configure --enable-mssfu-schema is no longer supported.
    # For MSSFU now do:
    #nss_map_objectclass posixAccount User
    #nss_map_attribute uid msSFUName
    #nss_map_attribute uniqueMember posixMember
    #nss_map_attribute userPassword msSFUPassword
    #nss_map_attribute homeDirectory msSFUHomeDirectory
    #nss_map_objectclass posixGroup Group
    #pam_login_attribute msSFUName
    #pam_filter objectclass=User
    #pam_password ad

    # configure --enable-authpassword is no longer supported
    # For authPassword support, now do:
    #nss_map_attribute userPassword authPassword
    #pam_password nds

    # For IBM SecureWay support, do:
    #nss_map_objectclass posixAccount aixAccount
    #nss_map_attribute uid userName
    #nss_map_attribute gidNumber gid
    #nss_map_attribute uidNumber uid
    #nss_map_attribute userPassword passwordChar
    #nss_map_objectclass posixGroup aixAccessGroup
    #nss_map_attribute cn groupName
    #nss_map_attribute uniqueMember member
    #pam_login_attribute userName
    #pam_filter objectclass=aixAccount
    #pam_password clear

    # Netscape SDK LDAPS
    #ssl on

    # Netscape SDK SSL options
    #sslpath /etc/ssl/certs/cert7.db

    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    #ssl start_tls
    #ssl on

    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    # Default is "no"
    #tls_checkpeer yes

    # CA certificates for server certificate verification
    # At least one of these is required if tls_checkpeer is "yes"
    #tls_cacertfile /etc/ssl/ca.cert
    #tls_cacertdir /etc/ssl/certs

    # SSL cipher suite
    # See man ciphers for syntax
    #tls_ciphers TLSv1

    # Client certificate and key
    # Use these if your server requires client authentication.
    #tls_cert
    #tls_key
    ssl no
    pam_password md5
    ======================================================

    So, what may you suggest, please?

    Thank you a lot for your help.

     
    > -----Original Message-----
    > From: fatima riadi [mailto:ftmriadi@yahoo.fr]
    > Sent: Mon 3/21/2005 8:01 PM
    > To: Tay, Gary
    > Cc:
    > Subject: RE: Re: ssh connection to an ldap server
    >
    >
    >
    > Hi,
    >
    > Thank you Gary for your reply.
    >
    > I added ACLs you suggested me. However, the problem
    > could not be resolved.
    >
    > I checked my /var/log/messages file, it shows:
    > sshd(pam_unix)[1574]: check pass; user unknown
    > sshd(pam_unix)[1574]: authentication failure;
    > logname= uid=0 euid=0 tty=NODEVssh ruser=
    > rhost=my_srv
    > sshd[1574]: pam_ldap: error trying to bind
    > (Server
    > is unwilling to perform)
    >
    > So, I think that the problem is related to
    > pam_ldap.
    >
    > If you have any suggestion, please let me know.
    >
    > Regards
    >
    > --- "Tay, Gary" <Gary_Tay@platts.com> a écrit :
    > > I think this may be due to the non-existence of
    > > ACLs.
    > >
    > > Try adding these to slapd.conf and restarting
    > slapd
    > > after that:
    > >
    > > access to attr=userPassword
    > > by self write
    > > by * auth
    > > access to dn="ou=People,dc=example,dc=com"
    > > by self write
    > > by
    > > dn="cn=proxyagent,ou=profile,dc=example,dc=com"
    > read
    > > by users auth
    > > by anonymous read
    > > access to * by self write
    > > by * read
    > >
    > > You may find my HOWTO useful:
    > > http://web.singnet.com.sg/~garyttt/
    > >
    > > Gary
    > >
    > > -----Original Message-----
    > > From: fatima riadi [mailto:ftmriadi@yahoo.fr]
    > > Sent: Saturday, March 19, 2005 4:08 AM
    > > To: secureshell@securityfocus.com
    > > Subject: Re: Re: ssh connection to an ldap server
    > >
    > >
    > > Hello,
    > >
    > > I am using OpenSSH_3.5p1, SSH protocols 1.5/2.0,
    > > OpenSSL 0x0090701f on a Linux Red Hat 9.0 server.
    > >
    > > here is a debug output of a failed connection:
    > >
    > > [root@SrvRedHat downloads]# ssh -vvv
    > > testuser@localhost
    > > OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL
    > > 0x0090701f
    > > debug1: Reading configuration data
    > > /etc/ssh/ssh_config
    > > debug1: Applying options for *
    > > debug1: Rhosts Authentication disabled,
    > originating
    > > port will not be trusted.
    > > debug1: ssh_connect: needpriv 0
    > > debug1: Connecting to localhost [127.0.0.1] port
    > 22.
    > > debug1: Connection established.
    > > debug1: identity file /root/.ssh/identity type -1
    > > debug1: identity file /root/.ssh/id_rsa type -1
    > > debug1: identity file /root/.ssh/id_dsa type -1
    > > debug1: Remote protocol version 1.99, remote
    > > software
    > > version OpenSSH_3.5p1
    > > debug1: match: OpenSSH_3.5p1 pat OpenSSH*
    > > debug1: Enabling compatibility mode for protocol
    > 2.0
    > > debug1: Local version string
    > SSH-2.0-OpenSSH_3.5p1
    > > debug1: SSH2_MSG_KEXINIT sent
    > > debug1: SSH2_MSG_KEXINIT received
    > > debug2: kex_parse_kexinit:
    > >
    >
    >
    diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    > > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    > > debug2: kex_parse_kexinit:
    > >
    >
    >
    aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
    > > debug2: kex_parse_kexinit:
    > >
    >
    >
    aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
    > > debug2: kex_parse_kexinit:
    > >
    >
    >
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    > > debug2: kex_parse_kexinit:
    > >
    >
    >
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    > > debug2: kex_parse_kexinit: none,zlib
    > > debug2: kex_parse_kexinit: none,zlib
    > > debug2: kex_parse_kexinit:
    > > debug2: kex_parse_kexinit:
    > > debug2: kex_parse_kexinit: first_kex_follows 0
    > > debug2: kex_parse_kexinit: reserved 0
    > > debug2: kex_parse_kexinit:
    > >
    >
    >
    diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    > > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    > > debug2: kex_parse_kexinit:
    > >
    >
    >
    aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
    > > debug2: kex_parse_kexinit:
    > >
    >
    >
    aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
    > > debug2: kex_parse_kexinit:
    > >
    >
    >
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    > > debug2: kex_parse_kexinit:
    > >
    >
    >
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    > > debug2: kex_parse_kexinit: none,zlib
    > > debug2: kex_parse_kexinit: none,zlib
    > > debug2: kex_parse_kexinit:
    > > debug2: kex_parse_kexinit:
    > > debug2: kex_parse_kexinit: first_kex_follows 0
    > > debug2: kex_parse_kexinit: reserved 0
    > > debug2: mac_init: found hmac-md5
    > > debug1: kex: server->client aes128-cbc hmac-md5
    > none
    > > debug2: mac_init: found hmac-md5
    > > debug1: kex: client->server aes128-cbc hmac-md5
    > none
    > > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
    > > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    > > debug1: dh_gen_key: priv key bits set: 151/256
    > > debug1: bits set: 1626/3191
    > > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    > > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    > > debug3: check_host_in_hostfile: filename
    > > /root/.ssh/known_hosts
    > > debug3: check_host_in_hostfile: match line 1
    > > debug1: Host 'localhost' is known and matches the
    > > RSA
    > > host key.
    > > debug1: Found key in /root/.ssh/known_hosts:1
    > > debug1: bits set: 1606/3191
    > > debug1: ssh_rsa_verify: signature correct
    > > debug1: kex_derive_keys
    > > debug1: newkeys: mode 1
    > > debug1: SSH2_MSG_NEWKEYS sent
    > > debug1: waiting for SSH2_MSG_NEWKEYS
    > > debug1: newkeys: mode 0
    > > debug1: SSH2_MSG_NEWKEYS received
    > > debug1: done: ssh_kex2.
    > > debug1: send SSH2_MSG_SERVICE_REQUEST
    > > debug1: service_accept: ssh-userauth
    > > debug1: got SSH2_MSG_SERVICE_ACCEPT
    > > debug1: authentications that can continue:
    > > publickey,password,keyboard-interactive
    > > debug3: start over, passed a different list
    > > publickey,password,keyboard-interactive
    > > debug3: preferred
    > > publickey,keyboard-interactive,password
    > > debug3: authmethod_lookup publickey
    > > debug3: remaining preferred:
    >
    === message truncated ===

            

            
                    
    Découvrez le nouveau Yahoo! Mail : 250 Mo d'espace de stockage pour vos mails !
    Créez votre Yahoo! Mail sur http://fr.mail.yahoo.com/

