09-01-2004 02:12 AM
How to get PAM ldap to bind as user logging in
Here is what I am shooting for in my setup:
1) Do anonymous binds to the LDAP server for NSS (group/password) information.
2) Perform PAM authentication by binding to the LDAP server as the user logging in with the password they input via sending the passwd to the ldap server in free text.
3) Run all of this over SSL LDAPS://
I have the NSS part working fine. Everything appears to be working for the NSS data: finger, pwget, etc.
However, when I try to test logins it looks like PAM is still trying to do anonymous binds and never tries to bind as the user's DN.
Here is the basic part of my ldapuxprofile:
LDAP-UX Client Services
Global Information from the Configuration Profile
=================================================
host[:port]: xxxx.xxxx.com:636
default search base: ou=People,o=myorg
auth: tls:simple
profilecachettl: 0 = infinite
follow referrals: enabled
search time limit: 0 = no limit
bind time limit: 5 seconds
credential level: anonymous
Is there something I need to set to tell PAM ldap to bind as the user?
Is there something in this section of the ldapuxprofile that needs to be set?
Pluggable Authentication Module (PAM) service configuration
=============================================================
Attribute: is mapped to:
---------- -------------
name: uid
uid number: uidnumber
passwd: userpassword
Search Descriptor
-----------------
search[0]: ou=People,o=myorg?sub?(objectclass=posixaccount)
I am using an OpenLDAP server, and I have this working fine on other systems using the PADL software, but I want to try to get ldapux to work.
Here is some debug output from PAM on the hpux box for a single test login attempt:
Sep 1 14:09:39 skipper PAM: pam_start(login )
Sep 1 14:09:39 skipper PAM: pam_set_item(1)
Sep 1 14:09:39 skipper PAM: pam_set_item(2)
Sep 1 14:09:39 skipper PAM: pam_set_item(5)
Sep 1 14:09:39 skipper PAM: pam_set_item(3)
Sep 1 14:09:39 skipper PAM: pam_set_item(4)
Sep 1 14:09:41 skipper PAM: pam_set_item(2)
Sep 1 14:09:41 skipper PAM: pam_set_item(8)
Sep 1 14:09:41 skipper PAM: pam_set_item(2)
Sep 1 14:09:41 skipper PAM: pam_set_item(2)
Sep 1 14:09:41 skipper PAM: pam_set_item(8)
Sep 1 14:09:41 skipper PAM: pam_authenticate()
Sep 1 14:09:41 skipper PAM: load_modules: /usr/lib/security/libpam_unix.1
Sep 1 14:09:41 skipper PAM: load_function: successful load of pam_sm_authenticate
Sep 1 14:09:41 skipper PAM: load_modules: /usr/lib/security/libpam_ldap.1
Sep 1 14:09:41 skipper PAM: load_function: successful load of pam_sm_authenticate
Sep 1 14:09:41 skipper PAM: pam_get_username(ux)
Sep 1 14:09:41 skipper PAM: pam_mapping_in_use()
Sep 1 14:09:42 skipper PAM: pam_set_item(6)
Sep 1 14:09:42 skipper PAM: pam_authenticate: error Authentication failed
Sep 1 14:09:42 skipper PAM: PAM_LDAP Entering pam_sm_authenticate ...
Sep 1 14:09:42 skipper PAM: pam_get_username(ux)
Sep 1 14:09:42 skipper PAM: pam_mapping_in_use()
Sep 1 14:09:42 skipper PAM: PAM_LDAP pam_sm_authenticate(login, ldapusr1), flags = 0
Sep 1 14:09:47 skipper PAM: PAM_LDAP auth-bind failed!
Sep 1 14:09:47 skipper PAM: PAM_LDAP pam_sm_authenticate: set bind status (13)
Sep 1 14:09:47 skipper PAM: PAM_LDAP 1st auth_bind returns 13
Sep 1 14:09:47 skipper PAM: PAM_LDAP pam_sm_authenticate: returning 13
Sep 1 14:09:47 skipper PAM: pam_authenticate: error No account present for user
Sep 1 14:09:47 skipper PAM: pam_set_item(6)
Sep 1 14:09:47 skipper PAM: pam_authenticate error
Sep 1 14:09:47 skipper PAM: pam_acct_mgmt()
Sep 1 14:09:47 skipper PAM: load_modules: /usr/lib/security/libpam_unix.1
Sep 1 14:09:47 skipper PAM: load_function: successful load of pam_sm_acct_mgmt
Sep 1 14:09:47 skipper PAM: load_modules: /usr/lib/security/libpam_ldap.1
Sep 1 14:09:47 skipper PAM: load_function: successful load of pam_sm_acct_mgmt
Sep 1 14:09:47 skipper PAM: pam_get_username(ux)
Sep 1 14:09:47 skipper PAM: pam_mapping_in_use()
Sep 1 14:09:47 skipper PAM: pam_acct_mgmt: error User account has expired
Sep 1 14:09:47 skipper PAM: PAM_LDAP Entering pam_sm_acct_mgmt... flags (4)
Sep 1 14:09:47 skipper PAM: PAM_LDAP Entering old logic
And here is the debug output from the OpenLDAP Server for the same login attempt:
Sep 1 10:03:57 machine1 slapd[15684]: daemon: conn=75 fd=19 connection from IP=10.10.10.145:55328 (IP=0.0.0.0:636) accepted.
Sep 1 10:04:02 machine1 slapd[15684]: deferring operation
Sep 1 10:04:02 machine1 slapd[15684]: conn=75 op=0 BIND dn="" method=128
Sep 1 10:04:02 machine1 slapd[15684]: conn=75 op=0 RESULT tag=97 err=0 text=
Sep 1 10:04:02 machine1 slapd[15684]: conn=75 op=1 UNBIND
Sep 1 10:04:02 machine1 slapd[15684]: conn=-1 fd=19 closed
I see 2 things that stick out to me:
1) The bind has a DN="" in the slapd logs. I think that is wrong; it should show a bind of DN="username...". At least it does when I watch the other clients' attempts that work.
2) HPUX PAM is outputting a) Bind failed, b) account does not exist, c) user account expired, d) cannot retrieve user credentials
Any ideas on what is going on?
3 REPLIES
09-01-2004 02:41 AM
Re: How to get PAM ldap to bind as user logging in
I forgot to include the debug output from ldapclientd:
Sep 1 14:26:23 skipper syslog: pid:2283 - ldap_common.c:1391:_hp_ldap_simple_bind(): bind request timed out
Sep 1 14:26:23 skipper syslog: pid:2283 - ldap_common.c:2121:_hp_ldap_bind_by_my_uid(): _hp_ldap_simple_bind(anonymous):Failure
Sep 1 14:26:23 skipper syslog: pid:2283 - ldap_common.c:1574:_hp_ldap_build_cred(): _hp_ldap_bind_by_my_uid() returned:-1.
Sep 1 14:26:23 skipper syslog: pid:2283.10 - pam_request.c:143:process_pam_ldap_request(): _hp_ldap_bind_ux() failed, err=-1
09-01-2004 07:17 AM
Re: How to get PAM ldap to bind as user logging in
Mike,
You cannot configure different binding methods for NSS and PAM LDAP; they both go through the ldapclientd. You currently have configured anonymous credentials:
...
bind time limit: 5 seconds
credential level: anonymous
^^^^^^^^^
PAM_LDAP will go through the ldapclientd to get the user's DN to bind to the directory with, so you should see 2 binds: one as either anonymous or the Proxy user, then one as the user attempting to authenticate:
1) Proxy User looking for the user's DN:
[01/Sep/2004:12:07:09 -0700] conn=256 op=0 BIND dn="uid=lproxy,ou=people,ou=test,dc=hp,dc=com" method=128 version=3
[01/Sep/2004:12:07:09 -0700] conn=256 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=lproxy,ou=people,ou=test,dc=hp,dc=com"
[01/Sep/2004:12:07:09 -0700] conn=256 op=1 SRCH base="ou=test,dc=hp,dc=com" scope=2 filter="(&(uid=luser1)(objectClass=posixaccount))" attrs=ALL
[01/Sep/2004:12:07:09 -0700] conn=256 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2004:12:07:09 -0700] conn=257 fd=46 slot=46 connection from 15.43.212.197 to 15.43.212.197
[01/Sep/2004:12:07:09 -0700] conn=256 op=2 UNBIND
[01/Sep/2004:12:07:09 -0700] conn=256 op=2 fd=45 closed - U1
2) Now bind as the user:
[01/Sep/2004:12:07:09 -0700] conn=257 op=0 BIND dn="uid=luser1,ou=people,ou=test,dc=hp,dc=com" method=128 version=3
[01/Sep/2004:12:07:09 -0700] conn=257 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=luser1,ou=people,ou=test,dc=hp,dc=com"
[01/Sep/2004:12:07:09 -0700] conn=257 op=1 UNBIND
[01/Sep/2004:12:07:09 -0700] conn=257 op=1 fd=46 closed - U1
So, you need to change your ldap-ux configuration profile to:
credentiallevel: proxy
AND configure a Proxy User on the ldap-ux client:
# ldap_proxy_config -i
Cheers,
Doug
09-02-2004 07:26 PM
Re: How to get PAM ldap to bind as user logging in
The initial bind can work ok anonymous (our setup).
The issue may come from time out on bind due to SSL.
I would change:
bind time limit: 5 seconds to 10 or 20 sec.
Your initial connection time shows 10:03:57
Then connection is closed at 10:04:02, which is 5 sec later.
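As an added example (not code from this thread, from HP's LDAP-UX, or from OpenLDAP), the script below reads slapd log lines in both formats that appear on this page, groups them by connection and checks for the two things the replies point at: the two-step sequence Doug describes (a proxy or anonymous bind that searches for the user's entry, then a bind as the user's DN) and, for the last reply's timeout theory, any connection that lived at least as long as the profile's 5-second bind time limit. The sample log text is copied from the posts above; the usernames ldapusr1 (from the PAM log) and luser1 (from Doug's access log) come from the page. The "lived as long as the bind time limit" heuristic is an assumption taken from the last reply's reasoning, not anything slapd itself reports.

```python
import re
from datetime import datetime

# Constructed sample: the slapd syslog lines from the question (the failing login).
SLAPD_FAILING = """\
Sep 1 10:03:57 machine1 slapd[15684]: daemon: conn=75 fd=19 connection from IP=10.10.10.145:55328 (IP=0.0.0.0:636) accepted.
Sep 1 10:04:02 machine1 slapd[15684]: deferring operation
Sep 1 10:04:02 machine1 slapd[15684]: conn=75 op=0 BIND dn="" method=128
Sep 1 10:04:02 machine1 slapd[15684]: conn=75 op=0 RESULT tag=97 err=0 text=
Sep 1 10:04:02 machine1 slapd[15684]: conn=75 op=1 UNBIND
Sep 1 10:04:02 machine1 slapd[15684]: conn=-1 fd=19 closed
"""
# Constructed sample: the access-log lines from Doug's reply (the working login).
SLAPD_WORKING = """\
[01/Sep/2004:12:07:09 -0700] conn=256 op=0 BIND dn="uid=lproxy,ou=people,ou=test,dc=hp,dc=com" method=128 version=3
[01/Sep/2004:12:07:09 -0700] conn=256 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=lproxy,ou=people,ou=test,dc=hp,dc=com"
[01/Sep/2004:12:07:09 -0700] conn=256 op=1 SRCH base="ou=test,dc=hp,dc=com" scope=2 filter="(&(uid=luser1)(objectClass=posixaccount))" attrs=ALL
[01/Sep/2004:12:07:09 -0700] conn=256 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2004:12:07:09 -0700] conn=257 fd=46 slot=46 connection from 15.43.212.197 to 15.43.212.197
[01/Sep/2004:12:07:09 -0700] conn=256 op=2 UNBIND
[01/Sep/2004:12:07:09 -0700] conn=256 op=2 fd=45 closed - U1
[01/Sep/2004:12:07:09 -0700] conn=257 op=0 BIND dn="uid=luser1,ou=people,ou=test,dc=hp,dc=com" method=128 version=3
[01/Sep/2004:12:07:09 -0700] conn=257 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=luser1,ou=people,ou=test,dc=hp,dc=com"
[01/Sep/2004:12:07:09 -0700] conn=257 op=1 UNBIND
[01/Sep/2004:12:07:09 -0700] conn=257 op=1 fd=46 closed - U1
"""
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
ACCESS_TS = re.compile(r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\]")
CONN = re.compile(r"\bconn=(-?\d+)")
FD = re.compile(r"\bfd=(\d+)")
BIND = re.compile(r'\bBIND dn="([^"]*)"')
SEARCH = re.compile(r'\bSRCH .*?filter="([^"]*)"')
RESULT_ERR = re.compile(r"\bRESULT .*?\berr=(\d+)")

def parse_ts(line):
    """Timestamp for either log style; syslog lines carry no year, which is fine for deltas."""
    m = SYSLOG_TS.match(line)
    if m:
        return datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    m = ACCESS_TS.match(line)
    if m:
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
    return None

def parse_slapd_log(text):
    """Group lines into connections: open/close time, binds (dn, err) and search filters."""
    conns, fd_to_conn = {}, {}
    for line in text.splitlines():
        cm = CONN.search(line)
        if cm is None:
            continue  # e.g. "deferring operation"
        cid, fm = int(cm.group(1)), FD.search(line)
        if cid == -1 and fm:  # "conn=-1 fd=19 closed": attribute the close via its fd
            cid = fd_to_conn.get(int(fm.group(1)), -1)
        if cid == -1:
            continue
        rec = conns.setdefault(cid, {"opened": None, "closed": None, "binds": [], "searches": []})
        if "connection from" in line:
            rec["opened"] = parse_ts(line)
            if fm:
                fd_to_conn[int(fm.group(1))] = cid
        elif " closed" in line:
            rec["closed"] = parse_ts(line)
        elif BIND.search(line):
            rec["binds"].append({"dn": BIND.search(line).group(1), "err": None})
        elif SEARCH.search(line):
            rec["searches"].append(SEARCH.search(line).group(1))
        elif "tag=97" in line and RESULT_ERR.search(line) and rec["binds"]:  # tag=97: bind response
            rec["binds"][-1]["err"] = int(RESULT_ERR.search(line).group(1))
    return conns

def analyze(conns, username, bind_time_limit=5):
    """Look for the DN lookup + bind-as-user sequence, and for connections that lived
    at least bind_time_limit seconds (assumed indicator of the bind timeout)."""
    user = username.lower()
    f = {"anonymous_binds": [], "user_bind_ok": False, "dn_lookup_seen": False, "slow_connections": []}
    for cid, rec in conns.items():
        for b in rec["binds"]:
            if b["dn"] == "":
                f["anonymous_binds"].append(cid)
            elif b["dn"].lower().startswith(f"uid={user},") and b["err"] == 0:
                f["user_bind_ok"] = True
        if any(f"(uid={user})" in flt.lower() for flt in rec["searches"]):
            f["dn_lookup_seen"] = True
        if rec["opened"] and rec["closed"]:
            secs = (rec["closed"] - rec["opened"]).total_seconds()
            if secs >= bind_time_limit:
                f["slow_connections"].append((cid, secs))
    return f

def diagnose(findings, bind_time_limit=5):
    """Turn the findings into the observations the replies on this thread make."""
    notes = []
    if findings["anonymous_binds"] and not findings["user_bind_ok"]:
        notes.append("only anonymous bind(s) seen, never a bind as the user's DN")
    if not findings["dn_lookup_seen"]:
        notes.append("no search for the user's entry: the DN lookup step never happened")
    for cid, secs in findings["slow_connections"]:
        notes.append(f"conn={cid} lived {secs:.0f}s, at or beyond the {bind_time_limit}s bind time limit")
    return notes

if __name__ == "__main__":
    for label, text, user in (("failing", SLAPD_FAILING, "ldapusr1"), ("working", SLAPD_WORKING, "luser1")):
        print(label, diagnose(analyze(parse_slapd_log(text), user)) or ["login sequence looks as expected"])
```

Run against the question's log it reports a single anonymous bind, no search for the user's entry and a connection that lasted exactly the 5-second bind time limit; against Doug's log it reports nothing, because the proxy bind, the `(uid=luser1)` search and the successful bind as `uid=luser1,...` are all present. On a real server, point it at the slapd access log after reproducing one login attempt.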