Brian,
Have you got pam_gss working?
Josh.
On 08/11/2011 11:27, "Brian Abram" <[log in to unmask]> wrote:
>Hi
>
>I have been trying to set up LDAP authentication for over a day
>and made all the usual mistakes, including the current one,
>which I can't find, although it's likely to be connected with:
>
> nss_base_passwd
>
>---------------------------------------------------------------------
>While I am asking for help I should explain what I am trying to achieve:
>
>I would like to forward a request for authentication to say
>umbrella.psi.net if the user is in ldap but not the password.
>
>so if [log in to unmask] exists without a password, should I
>a) configure ldap to forward a request for authentication
>b) fall back into the pam stack and use another pam module to talk to
>umbrella.psi.net
>
>so that 'account required' is satisfied
>and authentication is satisfied if the forwarded authentication is
>successful?
>
>Which approach requires the least prior knowledge?
>I have more experience with RADIUS than with LDAP, GSS or PAM.
>
>And what is the chance of me being able to demonstrate this by Wednesday
>or Thursday?
>
>I previously had non-local users get forwarded to RADIUS using
>pam_radius, and successfully authenticated
>but the user couldn't ssh because they didn't have a local account.
>
>However, I have now set up local accounts in LDAP if only I could get it
>to work.
>
>For the purposes of demonstration I think it would be easier for me to
>fall back into pam_radius and get RADIUS to talk to umbrella.
>
>Any advice greatly appreciated...
>
>
>---------------------------------------------------------------------
>extract from ldap.conf:
>
>nss_base_passwd ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk?one
>nss_base_shadow ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk?one
>nss_base_group ou=Group,dc=testshib1,dc=diamond,dc=ac,dc=uk?one
>
>---------------------------------------------------------------------
>
>tail of auth log:
>
>Nov 8 10:21:47 wcap93-virtual-machine slapd[7429]: DIGEST-MD5 common
>mech free
>Nov 8 10:24:56 wcap93-virtual-machine getent: nss_ldap: failed to bind
>to LDAP server ldap://127.0.0.1: Invalid DN syntax
>--------------------------------------------------------
>Is it using a totally blank DN because I don't see what it is trying to
>use as a DN in the output from getent?
>--------------------------------------------------------
>
>This works
>
>ldapsearch -x -LLL -H ldap:/// -b dc=testshib1,dc=diamond,dc=ac,dc=uk dn
>
>
>and so does this
>
>
>ldapsearch -x -LLL -H ldap:/// -b ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk dn
>
>I had previously mixed up ou=People and ou=Users but I think I have
>fixed those errors now
>-----------------------------------------------------------
>so my users look like this
>
>ldapsearch -x -LLL -H ldap:/// -b dc=testshib1,dc=diamond,dc=ac,dc=uk dn
>dn: dc=testshib1,dc=diamond,dc=ac,dc=uk
>
>dn: cn=admin,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
>dn: ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
>dn: ou=Groups,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
>dn: [log in to unmask],ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
>dn: [log in to unmask],ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
>dn: uid=fredinldap,ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
>dn: uid=mandymd5,ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
>dn: uid=mandysha512,ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>---------------------------------------------------------------
>getent :
>
>ldap_write: want=66, written=66
> 0000: 30 40 02 01 01 60 3b 02 01 03 04 2e 22 63 6e 3d   0@...`;....."cn=
> 0010: 61 64 6d 69 6e 2c 64 63 3d 74 65 73 74 73 68 69   admin,dc=testshi
> 0020: 62 31 2c 64 63 3d 64 69 61 6d 6f 6e 64 2c 64 63   b1,dc=diamond,dc
> 0030: 3d 61 63 2c 64 63 3d 75 6b 22 80 06 73 65 63 72   =ac,dc=uk"..secr
> 0040: 65 74                                              et
>
>ldap_result ld 0x1c5a390 msgid 1
>wait4msg ld 0x1c5a390 msgid 1 (timeout 30000000 usec)
>wait4msg continue ld 0x1c5a390 msgid 1 all 0
>** ld 0x1c5a390 Connections:
>* host: 127.0.0.1 port: 389 (default)
> refcnt: 2 status: Connected
> last used: Tue Nov 8 10:24:56 2011
>
>
>** ld 0x1c5a390 Outstanding Requests:
> * msgid 1, origid 1, status InProgress
> outstanding referrals 0, parent count 0
> ld 0x1c5a390 request count 1 (abandoned 0)
>** ld 0x1c5a390 Response Queue:
> Empty
> ld 0x1c5a390 response count 0
>ldap_chkResponseList ld 0x1c5a390 msgid 1 all 0
>ldap_chkResponseList returns ld 0x1c5a390 NULL
>ldap_int_select
>read1msg: ld 0x1c5a390 msgid 1 all 0
>ber_get_next
>ldap_read: want=8, got=8
> 0000: 30 16 02 01 01 61 11 0a 0....a..
>
>ldap_read: want=16, got=16
> 0000: 01 22 04 00 04 0a 69 6e 76 61 6c 69 64 20 44 4e   ."....invalid DN
>ber_get_next: tag 0x30 len 22 contents:
>ber_dump: buf=0x1c63ce0 ptr=0x1c63ce0 end=0x1c63cf6 len=22
> 0000: 02 01 01 61 11 0a 01 22 04 00 04 0a 69 6e 76 61   ...a..."....inva
> 0010: 6c 69 64 20 44 4e                                  lid DN
>
>read1msg: ld 0x1c5a390 msgid 1 message type bind
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
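The nss_ldap debug trace quoted in the message above contains the complete bind request and bind response as they went over the wire. The following Python is an added example, not part of the thread and not code from either participant; it decodes those two BER-encoded LDAP messages (bytes transcribed from the hex dump; the tag constants, result-code table and function names are this example's own, with result code 34 = invalidDNSyntax taken from RFC 4511). It makes visible what the dump already encodes: the bind DN is sent as 46 bytes that begin and end with a literal double-quote character, so whatever is configured as the bind DN is reaching the server with its surrounding quotes intact, and that is the string the server rejects as "invalid DN". It also shows that the simple bind carries the directory password in clear text, which is a reason to treat such debug output as sensitive.

```python
"""Decode the LDAP bind exchange captured in an nss_ldap debug trace.

The two byte strings are transcribed from the ldap_write / ldap_read hex
dump quoted in the message above (constructed input for this example).
"""

BIND_REQUEST = bytes.fromhex(
    "30 40 02 01 01 60 3b 02 01 03 04 2e 22 63 6e 3d"
    "61 64 6d 69 6e 2c 64 63 3d 74 65 73 74 73 68 69"
    "62 31 2c 64 63 3d 64 69 61 6d 6f 6e 64 2c 64 63"
    "3d 61 63 2c 64 63 3d 75 6b 22 80 06 73 65 63 72"
    "65 74"
)
BIND_RESPONSE = bytes.fromhex(
    "30 16 02 01 01 61 11 0a 01 22 04 00 04 0a 69 6e 76 61 6c 69 64 20 44 4e"
)

# BER tags used by LDAPMessage / BindRequest / BindResponse (RFC 4511).
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60        # [APPLICATION 0]
TAG_BIND_RESPONSE = 0x61       # [APPLICATION 1]
TAG_SIMPLE_CREDENTIALS = 0x80  # [CONTEXT 0] simple password in AuthenticationChoice

# Subset of LDAP result codes; 34 is the one returned in the trace.
RESULT_CODES = {0: "success", 34: "invalidDNSyntax", 49: "invalidCredentials"}


def read_tlv(buf, pos=0):
    """Parse one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def read_constructed(buf, expected_tag):
    """Return the contents of the constructed element at buf[0], checking its tag."""
    tag, value, _ = read_tlv(buf)
    if tag != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x}, got 0x{tag:02x}")
    return value


def parse_bind_request(msg):
    body = read_constructed(msg, TAG_SEQUENCE)             # LDAPMessage
    _, message_id, pos = read_tlv(body)                    # messageID INTEGER
    op = read_constructed(body[pos:], TAG_BIND_REQUEST)    # protocolOp
    _, version, pos = read_tlv(op)                         # version INTEGER
    _, name, pos = read_tlv(op, pos)                       # name: the bind DN, raw bytes
    auth_tag, creds, _ = read_tlv(op, pos)                 # authentication choice
    return {
        "message_id": int.from_bytes(message_id, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": name.decode("utf-8"),
        "simple_password": creds.decode("utf-8")
        if auth_tag == TAG_SIMPLE_CREDENTIALS else None,
    }


def parse_bind_response(msg):
    body = read_constructed(msg, TAG_SEQUENCE)
    _, message_id, pos = read_tlv(body)
    op = read_constructed(body[pos:], TAG_BIND_RESPONSE)
    _, code, pos = read_tlv(op)                            # resultCode ENUMERATED
    _, matched_dn, pos = read_tlv(op, pos)                 # matchedDN
    _, diagnostic, _ = read_tlv(op, pos)                   # diagnosticMessage
    code = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(message_id, "big"),
        "result_code": code,
        "result_name": RESULT_CODES.get(code, "unknown"),
        "matched_dn": matched_dn.decode("utf-8"),
        "diagnostic": diagnostic.decode("utf-8"),
    }


def dn_is_wrapped_in_quotes(dn):
    """True when the DN was sent with literal quote characters around it."""
    return len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"'


if __name__ == "__main__":
    req = parse_bind_request(BIND_REQUEST)
    resp = parse_bind_response(BIND_RESPONSE)
    print("bind DN as sent:", repr(req["dn"]))
    print("quotes included in DN:", dn_is_wrapped_in_quotes(req["dn"]))
    print("password sent in clear over simple bind:", req["simple_password"] is not None)
    print("server result:", resp["result_code"], resp["result_name"], repr(resp["diagnostic"]))
```

Running the block prints the DN as `'"cn=admin,dc=testshib1,dc=diamond,dc=ac,dc=uk"'`, with the quote characters inside the string, followed by result code 34 (invalidDNSyntax) and the server's diagnostic text. The same parser can be pointed at any other `ldap_write` / `ldap_read` dump from this kind of trace, which is a quicker check than reading the ASCII column by eye.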