Hi Brian
I am guessing that umbrella.psi.net
in your scenario is running radius.
To forward authentication to umbrella.psi.net
would require some sort of LDAP mechanism
like a superior knowledge directory on umbrella
which is a parent of your local ldap tree.
Can I ask you which mechanism you are using for passwords
a) is it a simple bind over TLS, GSSAPI and krb5, Cyrus SASL unencrypted flat
file storage using Cyrus db
and etc ....
b) I've never used uids which are similar to user@domain format.
When you run: id username
what do you get?
Wouldn't it be easier to set it up the other way around??
I have very little experience with RADIUS but I remember from an experiment
I ran 5 years ago that RADIUS could be configured to authenticate to multiple
sources (backends).
Can anyone with more radius experience confirm or deny this?
For radius to talk to OpenLDAP securely you can use TTLS
In that case in your LDAP tree you can have a simple security object
like
dn: cn=admin,dc=testshib1,dc=diamond,dc=ac,dc=uk
userPassword: {SMD5}samehash48798&^6wq3jh
description: LDAP administrator
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
hash scheme could be any cipher that radius and ldap both support
What Linux flavour are you using, by the way?
On RH clones pam and nss .conf are combined
and authconfig is usually the preferred mechanism to manage ldap client
connectivity. And very last question: are you testing ldap connectivity on the
same host ?
can you start slapd in debug mode for example using 2 ldap urls
one external and one internal
like:
slapd -f /etc/slapd.conf -d 512 -h "ldap://localhost:389 ldap://fullyqualifiedname:389 ldapi:///"
Sorry, I'd be glad to help but would need more info
A
On Tuesday 08 November 2011 11:27:28 you wrote:
> Hi
>
> I have been trying to set up ldap authentication for over a day
> and made all the usual mistakes including the current one,
> which I can't find, although it's likely to be connected with:
>
> nss_base_passwd
>
> ---------------------------------------------------------------------
> While I am asking for help I should explain what I am trying to achieve:
>
> I would like to forward a request for authentication to say
> umbrella.psi.net if the user is in ldap but not the password.
>
> so if [log in to unmask] exists without a password, should I
> a) configure ldap to forward a request for authentication
> b) fall back into the pam stack and use another pam module to talk to
> umbrella.psi.net
>
> so that 'account required' is satisfied
> and authentication is satisfied if the forwarded authentication is
> successful?
>
> Which approach requires the least prior knowledge?
> I have more experience with RADIUS than LDAP, GSS, PAM
>
> And what is the chance of me being able to demonstrate this by Wednesday
> or Thursday?
>
> I previously had non-local users get forwarded to RADIUS using
> pam_radius, and successfully authenticated
> but the user couldn't ssh because they didn't have a local account.
>
> However, I have now set up local accounts in LDAP if only I could get it
> to work.
>
> For the purposes of demonstration I think it would be easier for me to
> fall back into pam_radius and get RADIUS to talk to umbrella
>
> Any advice greatly appreciated...
>
>
> ---------------------------------------------------------------------
> extract from ldap.conf:
>
> nss_base_passwd ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk?one
> nss_base_shadow ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk?one
> nss_base_group ou=Group,dc=testshib1,dc=diamond,dc=ac,dc=uk?one
>
> ---------------------------------------------------------------------
>
> tail of auth log:
>
> Nov 8 10:21:47 wcap93-virtual-machine slapd[7429]: DIGEST-MD5 common mech free
> Nov 8 10:24:56 wcap93-virtual-machine getent: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Invalid DN syntax
> --------------------------------------------------------
> Is it using a totally blank DN because I don't see what it is trying to
> use as a DN in the output from getent?
> --------------------------------------------------------
>
> This works
>
> ldapsearch -x -LLL -H ldap:/// -b dc=testshib1,dc=diamond,dc=ac,dc=uk dn
>
>
> and so does this
>
>
> ldapsearch -x -LLL -H ldap:/// -b ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk dn
>
> I had previously mixed up ou=People and ou=Users but I think I have
> fixed those errors now
> -----------------------------------------------------------
> so my users look like this
>
> ldapsearch -x -LLL -H ldap:/// -b dc=testshib1,dc=diamond,dc=ac,dc=uk dn
> dn: dc=testshib1,dc=diamond,dc=ac,dc=uk
>
> dn: cn=admin,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
> dn: ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
> dn: ou=Groups,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
> dn: [log in to unmask],ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
> dn: [log in to unmask],ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
> dn: uid=fredinldap,ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
> dn: uid=mandymd5,ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
>
> dn: uid=mandysha512,ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
> ---------------------------------------------------------------
> getent :
>
> ldap_write: want=66, written=66
> 0000: 30 40 02 01 01 60 3b 02 01 03 04 2e 22 63 6e 3d   0@...`;....."cn=
> 0010: 61 64 6d 69 6e 2c 64 63 3d 74 65 73 74 73 68 69   admin,dc=testshi
> 0020: 62 31 2c 64 63 3d 64 69 61 6d 6f 6e 64 2c 64 63   b1,dc=diamond,dc
> 0030: 3d 61 63 2c 64 63 3d 75 6b 22 80 06 73 65 63 72   =ac,dc=uk"..secr
> 0040: 65 74                                             et
>
> ldap_result ld 0x1c5a390 msgid 1
> wait4msg ld 0x1c5a390 msgid 1 (timeout 30000000 usec)
> wait4msg continue ld 0x1c5a390 msgid 1 all 0
> ** ld 0x1c5a390 Connections:
> * host: 127.0.0.1 port: 389 (default)
> refcnt: 2 status: Connected
> last used: Tue Nov 8 10:24:56 2011
>
>
> ** ld 0x1c5a390 Outstanding Requests:
> * msgid 1, origid 1, status InProgress
> outstanding referrals 0, parent count 0
> ld 0x1c5a390 request count 1 (abandoned 0)
> ** ld 0x1c5a390 Response Queue:
> Empty
> ld 0x1c5a390 response count 0
> ldap_chkResponseList ld 0x1c5a390 msgid 1 all 0
> ldap_chkResponseList returns ld 0x1c5a390 NULL
> ldap_int_select
> read1msg: ld 0x1c5a390 msgid 1 all 0
> ber_get_next
> ldap_read: want=8, got=8
> 0000: 30 16 02 01 01 61 11 0a 0....a..
>
> ldap_read: want=16, got=16
> 0000: 01 22 04 00 04 0a 69 6e 76 61 6c 69 64 20 44 4e   ."....invalid DN
> ber_get_next: tag 0x30 len 22 contents:
> ber_dump: buf=0x1c63ce0 ptr=0x1c63ce0 end=0x1c63cf6 len=22
> 0000: 02 01 01 61 11 0a 01 22 04 00 04 0a 69 6e 76 61   ...a..."....inva
> 0010: 6c 69 64 20 44 4e                                 lid DN
>
> read1msg: ld 0x1c5a390 msgid 1 message type bind
--
=======================================
Alex Brulo
Senior Server Engineer (HPC)
Information Systems Aston (ISA)
Aston University, Aston Triangle,
Birmingham, B4 7ET
Tel: 0121 204 3673
ISA "Aiming for Excellence in ICT Services"
=======================================
Please consider the environment before printing this e-mail
=======================================
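The debug dump quoted above shows the raw bytes nss_ldap wrote to slapd and the bytes it read back. The following decoder is an added example (not code from this thread, from nss_ldap or from OpenLDAP) that walks those exact bytes as a BER-encoded LDAPMessage per RFC 4511, so the bind DN can be read off the wire instead of guessed from ldap.conf. Function names and the constants are my own; the only input is the hex already shown in the dump. Decoding the request reveals that the DN field begins and ends with a literal double-quote character, and decoding the reply gives resultCode 34 (invalidDNSyntax) with the diagnostic "invalid DN", which is the same error getent logged. It also makes visible that a simple bind carries the bind password in the clear, which is the reason for the TLS point made in the reply.

```python
"""BER decoder for the LDAP bind exchange captured in the nss_ldap debug output.

Added example, not code from the thread or from OpenLDAP/nss_ldap. It decodes
the bytes shown in the 'ldap_write: want=66' and 'ldap_read' dumps following
the LDAPMessage / BindRequest / BindResponse layout of RFC 4511.
"""

# Constructed from the hex columns of the quoted debug dump (request, then reply).
BIND_REQUEST = bytes.fromhex(
    "30 40 02 01 01 60 3b 02 01 03 04 2e 22 63 6e 3d "
    "61 64 6d 69 6e 2c 64 63 3d 74 65 73 74 73 68 69 "
    "62 31 2c 64 63 3d 64 69 61 6d 6f 6e 64 2c 64 63 "
    "3d 61 63 2c 64 63 3d 75 6b 22 80 06 73 65 63 72 "
    "65 74"
)
BIND_RESPONSE = bytes.fromhex(
    "30 16 02 01 01 61 11 0a 01 22 04 00 04 0a 69 6e 76 61 6c 69 64 20 44 4e"
)

TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQUEST, TAG_BIND_RESPONSE = 0x60, 0x61  # [APPLICATION 0] / [APPLICATION 1]
TAG_AUTH_SIMPLE, TAG_AUTH_SASL = 0x80, 0xA3        # [CONTEXT 0] / [CONTEXT 3]
LDAP_INVALID_DN_SYNTAX = 34                         # LDAPResult resultCode invalidDNSyntax


def read_tlv(buf, pos=0):
    """Read one BER element at pos: returns (tag, value, position after it).
    Handles short-form and definite long-form lengths, which is all LDAP uses."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def expect(buf, pos, wanted, what):
    """read_tlv plus a tag check so that a mis-shaped message fails loudly."""
    tag, value, pos = read_tlv(buf, pos)
    if tag != wanted:
        raise ValueError(f"expected {what} (tag {wanted:#x}), got tag {tag:#x}")
    return value, pos


def parse_ldap_message(data):
    """Split an LDAPMessage into (messageID, protocolOp tag, protocolOp bytes)."""
    msg, _ = expect(data, 0, TAG_SEQUENCE, "LDAPMessage SEQUENCE")
    msgid, pos = expect(msg, 0, TAG_INTEGER, "messageID")
    op_tag, op, _ = read_tlv(msg, pos)
    return int.from_bytes(msgid, "big"), op_tag, op


def parse_bind_request(data):
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version, name, authentication }."""
    message_id, op_tag, op = parse_ldap_message(data)
    if op_tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    version, pos = expect(op, 0, TAG_INTEGER, "version")
    name, pos = expect(op, pos, TAG_OCTET_STRING, "name (bind DN)")
    auth_tag, creds, _ = read_tlv(op, pos)
    auth = {TAG_AUTH_SIMPLE: "simple", TAG_AUTH_SASL: "sasl"}.get(auth_tag, f"unknown({auth_tag:#x})")
    return {
        "message_id": message_id,
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8"),   # the DN exactly as sent, no normalisation
        "auth_type": auth,
        "credentials": bytes(creds),    # for a simple bind this is the cleartext password
    }


def parse_bind_response(data):
    """BindResponse carries an LDAPResult { resultCode, matchedDN, diagnosticMessage }."""
    message_id, op_tag, op = parse_ldap_message(data)
    if op_tag != TAG_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    code, pos = expect(op, 0, TAG_ENUMERATED, "resultCode")
    matched, pos = expect(op, pos, TAG_OCTET_STRING, "matchedDN")
    diag, _ = expect(op, pos, TAG_OCTET_STRING, "diagnosticMessage")
    return {
        "message_id": message_id,
        "result_code": int.from_bytes(code, "big"),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic_message": diag.decode("utf-8"),
    }


def dn_wrapped_in_quotes(dn):
    """True when the DN string starts and ends with a literal double quote.
    RFC 4514 gives '"' no quoting role in DN strings, so such a DN is not
    valid syntax and a server will answer with resultCode 34."""
    return len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"'


if __name__ == "__main__":
    req = parse_bind_request(BIND_REQUEST)
    resp = parse_bind_response(BIND_RESPONSE)
    print(f"bind DN on the wire : {req['name']!r}")
    print(f"auth type           : {req['auth_type']} (password in clear: {req['credentials']!r})")
    print(f"server result       : {resp['result_code']} {resp['diagnostic_message']!r}")
    if resp["result_code"] == LDAP_INVALID_DN_SYNTAX and dn_wrapped_in_quotes(req["name"]):
        print("=> the client sent the surrounding quotes as part of the DN")
```

Run it as a script and compare the printed DN with the binddn line in ldap.conf: the value the client sends must be the bare RFC 4514 string, and any quoting that the configuration file's parser does not strip ends up inside the OCTET STRING. The same decoder works on any bind captured with `-d` style hex output, which makes it a quick way to confirm what a client is really presenting before touching the PAM or NSS stack.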