topic Re: Problem setting ldap-ux client in Operating System - HP-UX

Problem setting ldap-ux client

Diego González — Tue, 17 Nov 2009 16:27:32 GMT

Hello Everybody:

I'm setting up ldap-ux client under hpux 11.31, but I getting a error authenticating with ssh. Connecting to ssh ask me 2 times for the password (The password is correct).
Example using putty to the ux box:
login as: user
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
LDAP Password:

And never get logged to the system.

I'm using Fedora Directory Server 1.0 as Ldap server.

However I can do "su" with the same ldap user without problems. I got the complete listing of users from the directory with pwget.

pam_ldap is configured in /etc/pam.conf and nsswitch for use ldap.

I turned on debugging for ldapclientd and got this messages:

Nov 17 12:51:23 rx2ka sshd[12653]: pid:12653 - ldapd_client.c:195:_hp_ldap_client_cache_daemon_is_up():
Nov 17 12:51:23 rx2ka syslog: pid:27197 - ldap_common.c:2104:_hp_ldap_bind_ux(): _hp_ldap_build_cred() returned:-2.
Nov 17 12:51:23 rx2ka syslog: pid:27197.13 - pam_request.c:152:process_pam_ldap_request(): _hp_ldap_bind_ux() failed, err=-2
Nov 17 12:51:23 rx2ka syslog: pid:27197 - ldap_common.c:2650:_hp_ldap_endent():
Nov 17 12:51:23 rx2ka syslog: pid:27197 - ldap_common.c:3230:_hp_ldap_unbind(): disposition:FREE HANDLE.
Nov 17 12:51:23 rx2ka syslog: pid:27197 - ldap_common.c:2688:_hp_ldap_free_cur_msg():
Nov 17 12:51:24 rx2ka above message repeats 4 times
Nov 17 12:51:24 rx2ka syslog: pid:27197 - ldap_common.c:2650:_hp_ldap_endent():
Nov 17 12:51:24 rx2ka syslog: pid:27197 - ldap_common.c:2688:_hp_ldap_free_cur_msg():
Nov 17 12:51:24 rx2ka sshd[12653]: PAM_LDAP auth-bind got HP_LDAP_NOTFOUND

I'm using:
LdapUxClient B.04.20 LDAP-UX Client Services

Somebody has a similar problem? Any help will be apreciated.

Best regards.

Diego.

Re: Problem setting ldap-ux client

Steven E. Protter — Tue, 17 Nov 2009 17:04:05 GMT

Shalom,

Secure Shell, openssh does not integrate easily with LDAP. The standard version will require login, but then respect the LDAP server on permissions and such.

You will probably have to recompile openssh from source to integrate it with LDAP and make it stop demanding passwords.

SEP

Re: Problem setting ldap-ux client

Diego González — Tue, 17 Nov 2009 17:31:52 GMT

I tried the same test with the telnet protocol and login and I got the same results. I think that maybe is a pam problem, I don't know what exactly is the problem yet.

Re: Problem setting ldap-ux client

Bob Neal-Joslin — Wed, 18 Nov 2009 17:27:04 GMT

Hi Diego,

The -2 indicates the specified user name was not found in LDAP. So that likely means a configuration problem.

LDAP-UX can do some basic configuraiton assesment. Run the command /opt/ldapux/bin/ldapcfinfo.

/opt/ldapux/bin/ldapcfinfo -t passwd
/opt/ldapux/bin/ldapcfinfo -t pam

Then, assuming success above try

pwget -n

If that doesn't help, review the output of /opt/ldapux/config/display_profile_cache. That tells you how LDAP-UX performs search operations. See if you can replicate a search operation using ldapsearch.

/opt/ldapux/bin/ldapsearch -h -b "(&(objectclass=posixaccount)(uid=))"

Good luck.

Re: Problem setting ldap-ux client

Bob Neal-Joslin — Wed, 18 Nov 2009 17:29:47 GMT

BTW, I noticed you said you're using Fedora DS 1.0? Is there any reason why your not using HP-UX Directory Server 8.1? It's a supported version of 389/Fedora DS, based on a more recent version (1.2).

Re: Problem setting ldap-ux client

Diego González — Wed, 18 Nov 2009 17:50:03 GMT

Thanks to all for the reply. Finally I found a wrong base dn configured in the Fedora Ds. I fixed that and now the auth is working!

Best regards.

Diego.

Re: Problem setting ldap-ux client

Diego González — Wed, 18 Nov 2009 17:51:43 GMT

Wrong setup in fedora ds