Well, I managed to get my sudo working through LDAP. Thanks to all who have helped! But for any of the services that need to authenticate through PAM (i.e., ssh and su) it is still a no-go. I am getting PAM authentication errors in my log files.
But LDAP is certainly doing its job!
Using the account I have set up in LDAP as the PAM user, I can search my base DN:
Code:
[bluethundr@bluethundr-desktop:~ ] $:ldapsearch -x -h ldap -D "cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" -w secret -b "dc=summitnjhome,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# summitnjhome.com
dn: dc=summitnjhome,dc=com
dc: summitnjhome
objectClass: dcObject
objectClass: organization
o: Summit NJ Home
# staff, summitnjhome.com
dn: ou=staff,dc=summitnjhome,dc=com
ou: staff
objectClass: organizationalUnit
# summitnjops, staff, summitnjhome.com
dn: ou=summitnjops,ou=staff,dc=summitnjhome,dc=com
ou: summitnjops
objectClass: organizationalUnit
# people, summitnjhome.com
dn: ou=people,dc=summitnjhome,dc=com
objectClass: organizationalUnit
ou: people
# Services, summitnjhome.com
dn: ou=Services,dc=summitnjhome,dc=com
ou: services
objectClass: organizationalUnit
# pam_ldap, Services, summitnjhome.com
dn: cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword:: e1NTSEF9K2NsWktBUXVDWEhkbjVBcVRDbFVMb0ROZVcvelltelIg
# sudoers, Services, summitnjhome.com
dn: ou=sudoers,ou=Services,dc=summitnjhome,dc=com
ou: sudoers
objectClass: organizationalUnit
# defaults, sudoers, Services, summitnjhome.com
dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
# root, sudoers, Services, summitnjhome.com
dn: cn=root,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
# %wheel, sudoers, Services, summitnjhome.com
dn: cn=%wheel,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
# %summitnjops, sudoers, Services, summitnjhome.com
dn: cn=%summitnjops,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: %summitnjops
sudoUser: %summitnjops
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
# search result
search: 2
result: 0 Success
# numResponses: 12
# numEntries: 11
And this is the entry I have in my LDAP database for the pam_ldap user:
Code:
dn: cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword: secret
So far so good, everything works.
However, this is how I have my ldap.conf file setup:
Code:
host ldap.summitnjhome.com
base dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
(I have also tried setting the host to 127.0.0.1, with no joy.)
And observe what happens if I try to su using PAM/LDAP:
Code:
Oct 9 20:25:11 LBSD2 su: pam_ldap: error trying to bind (Invalid credentials)
Oct 9 20:25:11 LBSD2 su: pam_ldap: error trying to bind (Invalid credentials)
Oct 9 20:25:11 LBSD2 su: in _openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 11
Oct 9 20:25:11 LBSD2 su: bluethundr to root on /dev/pts/0
ssh has roughly the same effect on the logs, but in order for me to demonstrate that I would likely have to gain physical access to the box to fix it. So hopefully the above example will suffice.
This is how my PAM su file is configured:
Code:
LBSD2# cat /etc/pam.d/su
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient pam_ldap.so
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account sufficient pam_ldap.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_ldap.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
I assume that whatever is breaking su is breaking ssh. Does anyone have any ideas as to why slapd cannot access the pam_ldap user account automatically through /usr/local/etc/ldap.conf? x(
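Added example (not code from the original post): the ldapsearch in the post proves the cn=pam_ldap credentials work by hand, but pam_ldap does two binds of its own when su or ssh authenticates someone: it binds with binddn/bindpw from ldap.conf and searches `base` for the login name, then binds as the DN that came back with the password typed at the prompt. The script below reads the ldap.conf shown in the post (embedded as a constructed copy), prints the two ldapsearch commands that reproduce those binds outside PAM, and labels the pam_ldap log lines by which bind they came from. The login name "bluethundr" and the two syslog message formats used for that labelling (taken from the PADL pam_ldap sources, so check them against the installed version) are assumptions.

```python
"""Reproduce pam_ldap's bind sequence from ldap.conf, outside of PAM.

Added example, not code from the original post. The login name and the
pam_ldap message formats in classify_syslog() are assumptions.
"""
import re
import shlex

# Constructed copy of the ldap.conf from the post.
LDAP_CONF = """\
host ldap.summitnjhome.com
base dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
"""

# Constructed copy of the su log lines from the post.
SYSLOG = """\
Oct 9 20:25:11 LBSD2 su: pam_ldap: error trying to bind (Invalid credentials)
Oct 9 20:25:11 LBSD2 su: pam_ldap: error trying to bind (Invalid credentials)
Oct 9 20:25:11 LBSD2 su: in _openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 11
Oct 9 20:25:11 LBSD2 su: bluethundr to root on /dev/pts/0
"""


def parse_ldap_conf(text):
    """Parse 'keyword value' lines. Keywords are case-insensitive, '#' starts
    a comment, and a value may contain spaces (a list of hosts), so split on
    the first run of whitespace only. A repeated keyword overrides the
    earlier one in this parser."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value: ignored
        conf[parts[0].lower()] = parts[1].strip()
    return conf


def ldap_filter_escape(value):
    """RFC 4515 escaping, so a login name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def service_bind_argv(conf, user):
    """Step 1: bind with binddn/bindpw (anonymously if binddn is unset) and
    search `base` for the login name. pam_ldap's default login attribute is
    uid; pam_login_attribute and pam_filter are honoured when present."""
    attr = conf.get("pam_login_attribute", "uid")
    filt = "(%s=%s)" % (attr, ldap_filter_escape(user))
    if "pam_filter" in conf:
        filt = "(&%s(%s))" % (filt, conf["pam_filter"])
    argv = ["ldapsearch", "-x", "-LLL", "-h", conf["host"],
            "-b", conf["base"], "-s", conf.get("scope", "sub")]
    if "binddn" in conf:
        argv += ["-D", conf["binddn"], "-w", conf.get("bindpw", "")]
    return argv + [filt, "dn"]


def user_bind_argv(conf, user_dn, password):
    """Step 2: bind as the DN found in step 1 with the password typed at the
    prompt and read the entry back. This only runs if step 1 succeeded."""
    return ["ldapsearch", "-x", "-LLL", "-h", conf["host"], "-D", user_dn,
            "-w", password, "-b", user_dn, "-s", "base", "dn"]


# Assumed message formats (PADL pam_ldap): the bind with binddn/bindpw logs
# 'error trying to bind (<reason>)'; the bind as the user logs
# 'error trying to bind as user "<dn>" (<reason>)'. Verify against the
# installed pam_ldap before relying on this split.
BIND_ERROR = re.compile(
    r'pam_ldap: error trying to bind(?P<as_user> as user "(?P<dn>[^"]*)")? \((?P<reason>[^)]*)\)')


def classify_syslog(text):
    """Return (which bind, reason) for every pam_ldap bind error in the log."""
    found = []
    for line in text.splitlines():
        m = BIND_ERROR.search(line)
        if m:
            which = "user bind" if m.group("as_user") else "service bind (binddn/bindpw)"
            found.append((which, m.group("reason")))
    return found


def commands_for(conf_text, user):
    """Shell-ready reproduction commands for a login name. Step 2 carries
    placeholders because the DN comes from step 1 and the password from the
    user."""
    conf = parse_ldap_conf(conf_text)
    return {
        "step1": shlex.join(service_bind_argv(conf, user)),
        "step2": shlex.join(user_bind_argv(conf, "<dn returned by step 1>", "<user password>")),
    }


if __name__ == "__main__":
    for which, reason in classify_syslog(SYSLOG):
        print("log: %s failed: %s" % (which, reason))
    for step, cmd in commands_for(LDAP_CONF, "bluethundr").items():
        print("%s: %s" % (step, cmd))
```

Run it on the box, then paste the step1 command into a shell: because it takes host, base, scope, binddn and bindpw from the same ldap.conf pam_ldap reads (rather than the `-h ldap` shortcut used in the post), a failure there points at the file or the host name, and a success that returns no DN points at the user entry not being found under `base` with a uid attribute. Only once step1 returns a DN is the step2 bind worth testing.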
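Added example (not code from the original post): to see what the /etc/pam.d/su stack above actually does when pam_ldap errors out, this script parses a constructed copy of that file and walks each chain with the documented meaning of the control flags (requisite failure ends the chain with failure; required failure is remembered and the chain continues; sufficient success ends the chain with success unless an earlier required module failed, and sufficient failure is ignored; OpenPAM's binding is required plus an early success return; optional only counts when it is the sole module). It is a model of those rules, not libpam itself, and which module succeeds or fails in each scenario is an assumed input, not something read from the box.

```python
"""Walk the /etc/pam.d/su stack from the post and report which module decides.

Added example, not code from the original post. Module outcomes per
scenario are assumptions.
"""

# Constructed copy of the /etc/pam.d/su from the post (comments dropped).
PAM_SU = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_ldap.so
auth required pam_unix.so no_warn try_first_pass nullok
account required pam_login_access.so
account sufficient pam_ldap.so
account required pam_unix.so
session required pam_ldap.so
session required pam_lastlog.so no_fail
password required pam_unix.so no_warn try_first_pass
"""


def parse_pam(text):
    """'facility control module [args]' per line, '#' starts a comment.
    Returns facility -> list of (control, module, args)."""
    chains = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        facility, control, module = fields[0], fields[1].lower(), fields[2]
        chains.setdefault(facility, []).append((control, module, fields[3:]))
    return chains


def run_chain(chain, outcome):
    """outcome maps module -> True (PAM_SUCCESS) or False (any error code).
    Returns (chain result, module that decided it)."""
    if len(chain) == 1 and chain[0][0] == "optional":
        return outcome[chain[0][1]], chain[0][1]
    failed_by = None
    for control, module, _args in chain:
        ok = outcome[module]
        if control == "requisite" and not ok:
            return False, module            # abort immediately
        if control in ("required", "binding") and not ok and failed_by is None:
            failed_by = module              # remember, keep going
        if control in ("sufficient", "binding") and ok and failed_by is None:
            return True, module             # early success
    return failed_by is None, failed_by or "end of chain"


def su_scenarios():
    """The post's situation and its neighbours, as assumed module outcomes."""
    chains = parse_pam(PAM_SU)
    auth = chains["auth"]
    # Assumed for the post's case: pam_opie fails (ignored, sufficient),
    # pam_opieaccess passes (allow_local on a local tty), pam_ldap fails
    # with the bind error from the log, pam_unix accepts the local password.
    post = {"pam_opie.so": False, "pam_opieaccess.so": True,
            "pam_ldap.so": False, "pam_unix.so": True}
    return {
        "ldap error, local password right": run_chain(auth, post),
        "ldap error, local password wrong": run_chain(auth, {**post, "pam_unix.so": False}),
        "ldap ok, no local password": run_chain(auth, {**post, "pam_ldap.so": True, "pam_unix.so": False}),
        "opieaccess refuses": run_chain(auth, {**post, "pam_opieaccess.so": False}),
        "account, ldap error": run_chain(chains["account"],
                                         {"pam_login_access.so": True, "pam_ldap.so": False, "pam_unix.so": True}),
        "session, ldap error": run_chain(chains["session"],
                                         {"pam_ldap.so": False, "pam_lastlog.so": True}),
    }


if __name__ == "__main__":
    for name, (ok, decided_by) in su_scenarios().items():
        print("%-34s %-5s decided by %s" % (name, "pass" if ok else "FAIL", decided_by))
```

The two things this makes visible: with pam_ldap marked sufficient in auth and account, an LDAP bind error is simply skipped and the result rests on pam_unix and the local password database, so su can still succeed while the log fills with pam_ldap errors; and because the session chain lists pam_ldap as required, a session-time pam_ldap failure would refuse the login even after auth and account passed.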