Solved ldap authentication problem (invalid user), no database lookup

Hi list,

I tried to follow http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/article.html all the way through on a pretty clean server.
I think it seemed to work until I tried to configure the LDAP server for Samba too. But I'm not sure. The database I configured can be accessed by e.g. phpldapadmin.

When I try to log in through SSH as tuser, nothing is logged in /var/log/slapd.log. On the other hand, /var/log/auth.log shows:
Code:
Connection from 192.168.1.31 port 48874
Apr  1 20:38:42 myserver sshd[2448]: Invalid user tuser from 192.168.1.31
Apr  1 20:38:42 myserver sshd[2450]: in openpam_dispatch(): pam_nologin.so: no pam_sm_authenticate()
Apr  1 20:38:54 myserver sshd[2448]: error: PAM: authentication error for illegal user tuser from ldap.mfl.dk
Apr  1 20:38:54 myserver sshd[2448]: Failed keyboard-interactive/pam for invalid user tuser from 192.168.1.31 port 48874 ssh2
Apr  1 20:38:54 myserver sshd[2451]: in openpam_dispatch(): pam_nologin.so: no pam_sm_authenticate()
Apr  1 20:38:58 myserver sshd[2448]: error: PAM: authentication error for illegal user tuser from ldap.mfl.dk
Apr  1 20:38:58 myserver sshd[2448]: Failed keyboard-interactive/pam for invalid user tuser from 192.168.1.31 port 48874 ssh2
Apr  1 20:38:58 myserver sshd[2452]: in openpam_dispatch(): pam_nologin.so: no pam_sm_authenticate()
Apr  1 20:39:00 myserver sshd[2448]: error: PAM: authentication error for illegal user tuser from ldap.mfl.dk
Apr  1 20:39:00 myserver sshd[2448]: Failed keyboard-interactive/pam for invalid user tuser from 192.168.1.31 port 48874 ssh2
I figure the following configuration files are the most essential:
Code:
/usr/local/etc/openldap/slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
include		/usr/local/etc/openldap/schema/nis.schema
include		/usr/local/etc/openldap/schema/samba.schema

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

#loglevel 8
logfile /var/log/slapd.log
#loglevel 256
loglevel 512

security ssf=128
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/ssl/ldap-server-one.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap-server-one.key
TLSCACertificateFile /usr/local/etc/openldap/ssl/root.crt
#TLSVerifyClient demand

# Load dynamic backend modules:
modulepath	/usr/local/libexec/openldap
moduleload	back_bdb

access to dn.subtree="ou=People,dc=example,dc=com"
  attrs=userPassword
  by self write
  by anonymous auth
  by * none

access to *
  by self write
  by * read

access to dn.subtree="ou=People,dc=example,dc=com"
  attrs=userPassword
  by self write
  by anonymous auth
  by * none

access to attrs=homeDirectory,uidNumber,gidNumber
  by * read

access to *
  by self write
  by * read

allow bind_v2 bind_anon_cred bind_anon_dn update_anon
#######################################################################
# BDB database definitions
#######################################################################
database	bdb
suffix dc=example,dc=com
rootdn cn=Manager,dc=example,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw		{SSHA}verysecret
directory	/var/db/openldap-data
# Indices to maintain
index	objectClass	eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   uid             pres,sub,eq
index   displayName     pres,sub,eq
index   uidNumber               eq
index   gidNumber               eq
index   memberUID               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
Code:
/usr/local/etc/openldap/ldap.conf:
BASE				dc=example,dc=com
URI				ldap://ldap.example.com
SSL 				START_TLS
TLS_CACERT 			/usr/local/etc/openldap/ssl/ldap-server-one.crt
TLSCACertificateFile		/usr/local/etc/openldap/ssl/root.crt
TLS_REQCERT			never
#PAM_LOGIN_ATTRIBUTE		uid
#NSS_INITGROUPS_IGNOREUSERS 	root,ldap
Code:
/usr/local/etc/ldap.conf:
BASE                    	dc=example,dc=com
URI                     	ldap://ldap.example.com
SSL                     	START_TLS
TLS_CACERT              	/usr/local/etc/openldap/ssl/ldap-server-one.crt
TLSCACertificateFile    	/usr/local/etc/openldap/ssl/root.crt
TLS_REQCERT             	never
#PAM_LOGIN_ATTRIBUTE		uid
#NSS_INITGROUPS_IGNOREUSERS 	root,ldap
Code:
/usr/local/nss_ldap.conf:
BASE                    	dc=example,dc=com
URI                     	ldap://ldap.example.com
SSL                     	START_TLS
TLS_CACERT              	/usr/local/etc/openldap/ssl/ldap-server-one.crt
TLSCACertificateFile    	/usr/local/etc/openldap/ssl/root.crt
TLS_REQCERT             	never
PAM_LOGIN_ATTRIBUTE		uid
#NSS_INITGROUPS_IGNOREUSERS 	root,ldap

nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_passwd ou=Computers,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=Groups,dc=example,dc=com?one
Code:
/etc/pam.d/sshd:
# auth
auth		required	pam_nologin.so			no_warn
auth		sufficient	pam_opie.so			no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so		no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so	no_warn
auth		required	pam_unix.so			no_warn try_first_pass

# account
account		required	pam_nologin.so
account		required	pam_login_access.so
account		required	pam_unix.so
account         required        /usr/local/lib/pam_ldap.so	no_warn ignore_authinfo_unavail ignore_unknown_user
# session
session		required	pam_permit.so

# password
password	required	pam_unix.so			no_warn try_first_pass
Code:
/etc/ssh/sshd_config:
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
RSAAuthentication no
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

#PasswordAuthentication no
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes

UsePAM yes

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server
IgnoreRhosts yes
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
PermitEmptyPasswords no
GatewayPorts no
AllowTcpForwarding yes
KeepAlive yes
Protocol 2
UsePrivilegeSeparation yes
LogLevel DEBUG
X11Forwarding no
SyslogFacility AUTH
ListenAddress 0.0.0.0
 
I'm at my work right now, so I can't connect to the actual server. But from another server running Webmin I can list the directory by executing
Code:
ldapsearch -Z:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Example.com
dn: dc=example,dc=com
dc: MFL
description: The Samba-3 Network LDAP Example
o: My organization
objectClass: dcObject
objectClass: organization
objectClass: top

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
cn: Manager
description: Directory Manager
objectClass: organizationalRole
objectClass: top

# Computers, example.com
dn: ou=Computers,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Computers

# admin, Computers, example.com
dn: cn=admin,ou=Computers,dc=example,dc=com
cn: admin
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: top
userPassword:: verysecret

# mflserver3, Computers, example.com
dn: cn=mflserver3,ou=Computers,dc=example,dc=com
cn: mflserver3
displayName: mflserver3
gidNumber: 50002
homeDirectory: /dev/null
loginShell: /bin/false
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
objectClass: top
sambaAcctFlags: [W          ]
sambaDomainName: MFL
sambaNTPassword: verysecret
sambaPrimaryGroupSID: S-1-5-21-3159506878-3132055121-1276559673-515
sambaPwdLastSet: 1332688486
sambaSID: S-1-5-21-3159506878-3132055121-1276559673-101006
uid: mflserver3$
uidNumber: 50002
SNIP
So at least the server is running. I will try the same command from the actual server, when I'm back home.
 
Hi again,

It works from the server too. ;)
Code:
ldapsearch -Z:
...SNIP...
# search result
search: 3
result: 0 Success

# numResponses: 27
# numEntries: 26
 
If I look at that list I don't see any tuser account you used to test ssh(1). In that sense the error is correct, there is no user named tuser.
 
I didn't want to expose too much personal information. I have made a modified list from the output. As you can see, "tuser" does exist. But I think the structure seems strange. I wonder if phpMyAdmin or LDAP Account Manager have made some changes (on "their own").
Code:
ldapsearch -Z (modified):
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# EXAMPLE.com
dn: dc=EXAMPLE,dc=com
dc: EXAMPLE
description: The Samba-3 Network LDAP Example
o: Aegirsgade 12 med flere
objectClass: dcObject
objectClass: organization
objectClass: top

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
cn: Manager
description: Directory Manager
objectClass: organizationalRole
objectClass: top

# Computers, example.com
dn: ou=Computers,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Computers

# admin, Computers, example.com
dn: cn=admin,ou=Computers,dc=example,dc=com
cn: admin
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: top
userPassword:: verysecret

# mflserver3, Computers, example.com
dn: cn=mflserver3,ou=Computers,dc=example,dc=com
cn: mflserver3
displayName: mflserver3
gidNumber: 50002
homeDirectory: /dev/null
loginShell: /bin/false
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
objectClass: top
sambaAcctFlags: [W          ]
sambaDomainName: DOMAIN
sambaNTPassword: verysecret
sambaPrimaryGroupSID: S-1-5-21-3159506878-3132055121-1276559673-515
sambaPwdLastSet: 1332688486
sambaSID: S-1-5-21-3159506878-3132055121-1276559673-101006
uid: mflserver3$
uidNumber: 50002

# mflserver2$, Computers, example.com
dn: uid=mflserver2$,ou=Computers,dc=example,dc=com
cn: mflserver2
description: mflserver2
displayName: mflserver2
gidNumber: 50001
homeDirectory: /dev/null
loginShell: /bin/false
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
objectClass: top
sambaAcctFlags: [W          ]
sambaDomainName: DOMAIN
sambaNTPassword: verysecret
sambaPrimaryGroupSID: S-1-5-21-3159506878-3132055121-1276559673-515
sambaPwdLastSet: 1332691271
sambaSID: S-1-5-21-3159506878-3132055121-1276559673-103222
uid: mflserver2$
uidNumber: 50001

# Groups, example.com
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: top
userPassword:: verysecret=

# ajjacobsen, Groups, example.com
dn: cn=ajjacobsen,ou=Groups,dc=example,dc=com
cn: ajjacobsen
gidNumber: 10004
objectClass: posixGroup
objectClass: top

# best, Groups, example.com
dn: cn=best,ou=Groups,dc=example,dc=com
cn: best
description: bestyrelsesmedlemmer
displayName: Bestyrelsesmedlemmer
gidNumber: 10006
memberUid: IHHansen
memberUid: jtheilnielsen
memberUid: mfladmin
objectClass: sambaGroupMapping
objectClass: posixGroup
objectClass: top
sambaGroupType: 2
sambaSID: S-1-5-21-3159506878-3132055121-1276559673-21001

# IHHansen, Groups, example.com
dn: cn=IHHansen,ou=Groups,dc=example,dc=com
cn: IHHansen
gidNumber: 10003
objectClass: posixGroup
objectClass: top

# jtheilnielsen, Groups, example.com
dn: cn=jtheilnielsen,ou=Groups,dc=example,dc=com
cn: jtheilnielsen
gidNumber: 10002
objectClass: posixGroup
objectClass: top

# mfl, Groups, example.com
dn: cn=mfl,ou=Groups,dc=example,dc=com
cn: mfl
description: Brugere
displayName: Brugere
gidNumber: 10005
memberUid: IHHansen
memberUid: jtheilnielsen
memberUid: ajjacobsen
memberUid: mfladmin
objectClass: sambaGroupMapping
objectClass: posixGroup
objectClass: top
sambaGroupType: 2
sambaSID: S-1-5-21-3159506878-3132055121-1276559673-21011

# mfladmin, Groups, example.com
dn: cn=mfladmin,ou=Groups,dc=example,dc=com
cn: mfladmin
description: Admins group
gidNumber: 10001
memberUid: mfladmin
objectClass: sambaGroupMapping
objectClass: posixGroup
objectClass: top
sambaGroupType: 2
sambaSID: S-1-5-21-3159506878-3132055121-1276559673-512

# wheel, Groups, example.com
dn: cn=wheel,ou=Groups,dc=example,dc=com
cn: wheel
description: Admin group
gidNumber: 10000
memberUid: mfladmin
objectClass: posixGroup
objectClass: top

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

# admin, People, example.com
dn: cn=admin,ou=People,dc=example,dc=com
cn: admin
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: top

# mfladmin, People, example.com
dn: uid=mfladmin,ou=People,dc=example,dc=com
cn: My Full Name
description: Administrator account
gidNumber: 10001
givenName: Jon Theil
homeDirectory: /home/mfladmin
loginShell: /bin/csh
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sambaAcctFlags: [XU         ]
sambaDomainName: DOMAIN
sambaHomeDrive: H:
sambaHomePath: \\mflserver\%u
sambaKickoffTime: 1893452400
sambaNTPassword: verysecret
sambaPrimaryGroupSID: S-1-5-21-3159506878-3132055121-1276559673-513
sambaPwdLastSet: 1333126633
sambaSID: S-1-5-21-3159506878-3132055121-1276559673-21004
shadowExpire: 21914
shadowInactive: 10
shadowLastChange: 15429
shadowMax: 0
shadowMin: 0
shadowWarning: 10
sn: Nielsen
uid: mfladmin
uidNumber: 10001

# root, People, example.com
dn: uid=root,ou=People,dc=example,dc=com
cn: My Full Name
description: Root accont
displayName: root
gidNumber: 10000
givenName: Jon Theil
homeDirectory: /root/
initials: JTN
loginShell: /bin/csh
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sambaAcctFlags: [XU         ]
sambaDomainName: DOMAIN
sambaHomeDrive: H:
sambaHomePath: \\mflserver\%u
sambaKickoffTime: 1893452400
sambaSID: S-1-5-21-3159506878-3132055121-1276559673-21000
shadowExpire: 21914
shadowInactive: 10
shadowMax: 0
shadowMin: 0
shadowWarning: 10
sn: Nielsen
uid: root
uidNumber: 10000
sambaPrimaryGroupSID: S-1-5-21-3159506878-3132055121-1276559673-512
sambaNTPassword: verysecret
sambaPwdLastSet: 0
shadowLastChange: 15430

# tuser, People, example.com
dn: uid=tuser,ou=People,dc=example,dc=com
cn: Test User
displayName: Test user
gidNumber: 10005
givenName: Test
homeDirectory: /home/tuser
initials: TU
loginShell: /bin/csh
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sambaAcctFlags: [XU         ]
sambaDomainName: DOMAIN
sambaHomeDrive: H:
sambaHomePath: \\mflserver\%u
sambaKickoffTime: 1893452400
sambaNTPassword: verysecret
sambaPrimaryGroupSID: S-1-5-21-3159506878-3132055121-1276559673-513
sambaSID: S-1-5-21-3159506878-3132055121-1276559673-21198
shadowExpire: 21914
shadowInactive: 10
shadowMax: 0
shadowMin: 0
shadowWarning: 10
sn: User
uid: tuser
uidNumber: 10099
shadowLastChange: 15431
sambaPwdLastSet: 1333296684

# DOMAIN, example.com
dn: sambaDomainName=DOMAIN,dc=example,dc=com
objectClass: sambaDomain
objectClass: top
sambaAlgorithmicRidBase: 1000
sambaDomainName: DOMAIN
sambaLockoutDuration: 120
sambaLockoutObservationWindow: 1800
sambaLockoutThreshold: 5
sambaMinPwdLength: 6
sambaPwdHistoryLength: 0
sambaSID: S-1-5-21-3159506878-3132055121-1276559673

# jtheilnielsen, People, example.com
dn: uid=jtheilnielsen,ou=People,dc=example,dc=com
cn: Jon Theil Nielsen
description: System administrator
displayName:: SsOzbiBUaGVpbCBOaWVsc2Vu
gidNumber: 10002
givenName: Jon Theil
homeDirectory: /home/jtheilnielsen
homePhone: +4535830501
initials: JTN
l: Copenhagen
loginShell: /bin/csh
mail: jontheil@gmail.com
mobile: +4522270720
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: top
objectClass: organizationalPerson
postalAddress:: w4ZnaXJzZ2FkZSAxMiAyLnRoDQoyMjAwIEvDuGJlbmhhdm4gTg0KRGVubWFyaw
 ==
postalCode: 2200
sambaAcctFlags: [XU         ]
sambaDomainName: DOMAIN
sambaHomePath: \\mflserver2\jtheilnielsen
sambaNTPassword: verysecret
sambaPrimaryGroupSID: S-1-5-21-3159506878-3132055121-1276559673-513
sambaPwdLastSet: 1333126395
sambaSID: S-1-5-21-3159506878-3132055121-1276559673-512
shadowLastChange: 15429
sn: Nielsen
street:: w4ZnaXJzZ2FkZSAxMg==
title: Cand. Scient
uid: jtheilnielsen
uidNumber: 10002

# DOMAINSERVER4, example.com
dn: sambaDomainName=DOMAINSERVER4,dc=example,dc=com
sambaDomainName: DOMAINSERVER4
sambaSID: S-1-5-21-3168642497-967151543-1242939945
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

# Idmap, example.com
dn: ou=Idmap,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Idmap

# search result
search: 3
result: 0 Success

# numResponses: 27
# numEntries: 26
 
Try removing the ACLs from slapd.conf. There are a few doubles in there and some I'm not sure about at all. Remove them all, test it. Then add the one to make the passwords hidden. Leave the rest open.
 
I commented out all ACLs and the line
Code:
allow bind_v2 bind_anon_cred bind_anon_dn update_anon
whose exact purpose I don't know.
It took me almost five minutes to restart the server and the /var/log/slapd.log showed:
Code:
Apr  2 16:01:12 mflserver4 slapd[57765]: slapd stopped.
Apr  2 16:01:12 mflserver4 slapd[57877]: @(#) $OpenLDAP: slapd 2.4.26 (Mar 30 2012 23:29:52)
 $  root@mflserver4.mfl.dk:/usr/ports/net/openldap24-server/work/openldap-2.4.26/servers/slapd
Apr  2 16:01:12 mflserver4 slapd[57877]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Apr  2 16:01:16 mflserver4 slapd[57877]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Apr  2 16:01:24 mflserver4 slapd[57877]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Apr  2 16:01:40 mflserver4 slapd[57877]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Apr  2 16:02:12 mflserver4 slapd[57877]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Apr  2 16:03:16 mflserver4 slapd[57877]: nss_ldap: could not search LDAP server - Server is unavailable
Apr  2 16:03:16 mflserver4 slapd[57877]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Apr  2 16:03:20 mflserver4 slapd[57877]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Apr  2 16:03:28 mflserver4 slapd[57877]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Apr  2 16:03:44 mflserver4 slapd[57877]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Apr  2 16:04:16 mflserver4 slapd[57877]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Apr  2 16:05:20 mflserver4 slapd[57877]: nss_ldap: could not search LDAP server - Server is unavailable
Apr  2 16:05:20 mflserver4 slapd[57921]: slapd starting
 
Okay, I think I will mark this question as solved. Not that everything works for me, but I can log in as a user that only exists in the LDAP directory.
I found that the very first record included
Code:
dn: dc=EXAMPLE,dc=com
dc: EXAMPLE
while, in the rest of the records, the base was
Code:
dc=example,dc=com
How this happened, I don't know. But after having changed the case, the server works again.
Thanks for the help.
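The fix above came down to spotting that the root entry's DN suffix (dc=EXAMPLE,dc=com) was written differently from the suffix every other entry used (dc=example,dc=com). The following Python script is an added example, not code from the thread or from OpenLDAP/nss_ldap: it parses an ldapsearch LDIF export, reports entries whose suffix matches the configured BASE only when case is ignored, and then performs a simplified imitation of the getpwnam() lookup that nss_ldap does for `nss_base_passwd ou=People,dc=example,dc=com?one` (direct child of the base, objectClass posixAccount, matching uid). The LDIF sample is constructed to mirror the shape of the thread's output; `parse_ldif`, `dn_suffix_mismatches` and `find_posix_account` are names chosen here, and the lookup logic is a model of nss_ldap's behaviour, not its code.

```python
"""Sanity checks for an ldapsearch LDIF export before blaming PAM/NSS.

Added example (not from the forum thread). The sample below is constructed
to reproduce the mismatch discussed there: the root entry says
dc=EXAMPLE,dc=com while everything else hangs under dc=example,dc=com.
"""
import base64
import re

# Constructed sample LDIF, trimmed to the entries that matter.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3

dn: dc=EXAMPLE,dc=com
dc: EXAMPLE
objectClass: dcObject
objectClass: organization

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=tuser,ou=People,dc=example,dc=com
uid: tuser
uidNumber: 10099
gidNumber: 10005
homeDirectory: /home/tuser
loginShell: /bin/csh
displayName:: VGVzdCBTdHIgMQ==
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top

# search result
search: 3
result: 0 Success
"""

_ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) from LDIF text.

    Handles '#' comments, folded continuation lines (a leading space joins
    the line to the previous one) and base64 values written as 'attr:: ...'.
    """
    unfolded = re.sub(r"\n ", "", text)          # unfold wrapped lines
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            m = _ATTR_RE.match(line)
            if not m:
                continue
            name, sep, value = m.groups()
            if sep == "::":                       # base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:                        # skip comment/result blocks
            entries.append((dn, attrs))
    return entries


def _norm(dn):
    return dn.replace(" ", "")


def dn_suffix_mismatches(entries, base):
    """Split DNs into (case_only, outside).

    case_only: DNs that sit under BASE only when compared case-insensitively
    (the dc=EXAMPLE vs dc=example situation). outside: DNs not under BASE.
    """
    exact = _norm(base)
    case_only, outside = [], []
    for dn, _ in entries:
        n = _norm(dn)
        if n == exact or n.endswith("," + exact):
            continue
        if n.lower() == exact.lower() or n.lower().endswith("," + exact.lower()):
            case_only.append(dn)
        else:
            outside.append(dn)
    return case_only, outside


def find_posix_account(entries, uid, nss_base):
    """Model of an nss_ldap getpwnam(uid) lookup for 'base?one' (assumption:
    a simplified imitation, not nss_ldap's own code). The entry must be a
    direct child of base, carry objectClass posixAccount and match uid."""
    base = _norm(nss_base.split("?")[0])
    scope_one = nss_base.endswith("?one")
    for dn, attrs in entries:
        n = _norm(dn)
        if not n.lower().endswith("," + base.lower()):
            continue
        if scope_one and "," in n[: -(len(base) + 1)]:
            continue                               # deeper than one level
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if "posixaccount" in classes and uid in attrs.get("uid", []):
            return dn, attrs
    return None


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    bad_case, outside = dn_suffix_mismatches(ents, "dc=example,dc=com")
    print("case-only suffix matches:", bad_case)
    print("entries outside BASE:", outside)
    hit = find_posix_account(ents, "tuser", "ou=People,dc=example,dc=com?one")
    print("tuser resolves to:", hit[0] if hit else None)
```

Run it against a real export with `ldapsearch -Z -LLL > export.ldif` and feed the file contents to `parse_ldif` instead of the sample; an entry listed under "case-only suffix matches" is the kind of inconsistency the thread ended up fixing by hand, and a `None` from `find_posix_account` for a user who should exist points at the nss_base_passwd scope or objectClass rather than at PAM.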
 
Good to hear it's working now. Be sure to put the ACL back that prevents the passwords from being harvested.
 