0) Make sure every time you restart /etc/init.d/ldap.client (ldap_cachemgr), restart also the /etc/init.d/nscd (name service cache daemon).
1) Make sure you define "CRYPT" as the default passwordStorageScheme in LDAP DIT (right click cn=config and edit its properties).
2) Make sure you have these three lines in /var/ldap/ldap_client_file and also in the "default" profile in LDAP DIT:
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=foo,dc=com?one
And there is a "shadow: files ldap" line in /etc/nsswitch.conf.
3) Make sure you restart SSH Server whenever there is a change in /etc/ssh/sshd_config.
===
Aug 30 16:17:38 unknown sshd[1354]: [ID 800047 auth.error] error: PAM: Authentication failed for testdba from cnyitsun01.composers.foo.com
Aug 30 16:17:39 unknown sshd[1354]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
===
4) Did you install a binary version of OpenSSH Server with PAM support or compile from source with an "./configure --with-pam" option?
To check if sshd is built with PAM support, run:
# ldd /usr/local/sbin/sshd
It should have something like "libpam.so.1" in it:
libpam.so.1 => /usr/lib/libpam.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7
librt.so.1 => /usr/lib/librt.so.1
libz.so => /usr/lib/libz.so
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1
libaio.so.1 => /usr/lib/libaio.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
5) The output of your "sshd -d" looks perfectly fine; it isn't "totally silent" as you said. The SSH Server is listening, and as and when you perform an ssh connection from any host to the ssh server, you will see more "debugging" messages appearing in this "interactive" mode. To exit, press Ctrl-C to kill the debugging mode; note that after this sshd is no longer running.
6) For ssh client connection, do this way to see more:
$ ssh -v testdba@192.85.86.87
Gary
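As an added example (not from Gary's mail or the list), a small POSIX sh script that audits the four file-based items in this checklist: the sshd_config keywords, the nsswitch.conf shadow line, the three NS_LDAP_SERVICE_SEARCH_DESC lines, and the libpam dependency in saved "ldd sshd" output. File paths are passed as arguments so it can be run against copies; the sshd_config it builds for the demo is constructed.

```shell
# Added example, not from the thread: each check takes a file path (use copies
# of the real files) and returns 0 when it passes, 1 when it does not.

# sshd_config: all three keywords must be present, uncommented and set to yes.
check_sshd_config() {
  rc=0
  for key in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
    if grep -Eiq "^[[:space:]]*${key}[[:space:]]+yes[[:space:]]*$" "$1"; then
      echo "OK   sshd_config: $key yes"
    else
      echo "FAIL sshd_config: $key missing, commented out or not 'yes'"; rc=1
    fi
  done
  return $rc
}

# nsswitch.conf: the shadow line must list ldap (e.g. "shadow: files ldap").
check_nsswitch() {
  if grep -Eq '^[[:space:]]*shadow:.*[[:space:]]ldap([[:space:]]|$)' "$1"; then
    echo "OK   nsswitch.conf: shadow consults ldap"; return 0
  fi
  echo "FAIL nsswitch.conf: shadow line does not list ldap"; return 1
}

# ldap_client_file: one NS_LDAP_SERVICE_SEARCH_DESC each for passwd, group, shadow.
check_ldap_client_file() {
  rc=0
  for svc in passwd group shadow; do
    if grep -Eq "^NS_LDAP_SERVICE_SEARCH_DESC=[[:space:]]*${svc}:" "$1"; then
      echo "OK   ldap_client_file: search descriptor for $svc"
    else
      echo "FAIL ldap_client_file: no NS_LDAP_SERVICE_SEARCH_DESC for $svc"; rc=1
    fi
  done
  return $rc
}

# Saved output of "ldd /usr/local/sbin/sshd": must reference libpam.so.
check_pam_linked() {
  if grep -q 'libpam\.so' "$1"; then
    echo "OK   sshd is linked against libpam"; return 0
  fi
  echo "FAIL sshd has no libpam dependency (rebuild with --with-pam)"; return 1
}

# Demo on a constructed sshd_config with UsePAM commented out.
demo=${TMPDIR:-/tmp}/sshd_config.demo.$$
printf '#UsePAM yes\nPasswordAuthentication yes\nChallengeResponseAuthentication yes\n' > "$demo"
check_sshd_config "$demo" || :
rm -f "$demo"
```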
-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Wednesday, August 31, 2005 4:26 AM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Problem with solaris & FDS authentication
Gary, here's the output from /var/adm/messages:
Aug 30 16:17:38 unknown last message repeated 1 time
Aug 30 16:17:38 unknown sshd[1354]: [ID 800047 auth.error] error: PAM: Authentication failed for testdba from cnyitsun01.composers.foo.com
Aug 30 16:17:39 unknown sshd[1354]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
What does that mean? I took the pam.conf from the website you gave me and commented out the lines, like you said:
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
#login auth required pam_unix_cred.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 debug
Also:
bash-2.03# getent passwd testdba
testdba::10001:7000::/home/testdba:/bin/bash
sshd -d is totally silent. No output after startup:
bash-2.03# /usr/local/sbin/sshd -d
debug1: sshd version OpenSSH_3.9p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
Disabling protocol version 1. Could not load host key
debug1: rexec_argv[0]='/usr/local/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 10
--- "Tay, Gary" Gary_Tay@platts.com wrote:
What is the output of "id testdba" and "getent passwd testdba"?
To use ldap auth for SSH Server, you must set these lines in /etc/ssh/sshd_config:
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Yep, changed that!
Still (from the remote machine):
cnyitsun01/ > ssh testdba@192.85.86.87
Password:
LDAP Password:
Password:
LDAP Password:
And it never lets me in.
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--- "Tay, Gary" Gary_Tay@platts.com wrote:
- Make sure every time you restart /etc/init.d/ldap.client
(ldap_cachemgr), restart also the /etc/init.d/nscd (name service cache daemon).
Well, I decided to turn off nscd completely while I'm testing.
- Make sure you define "CRYPT" as the default passwordStorageScheme in
LDAP DIT (right click cn=config and edit its properties).
Yes.
- Make sure you have these three lines in /var/ldap/ldap_client_file
and also in "default" profile in LDAP DIT?
I have them in the ldap.client.file but the default profile looks like this:
# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
Am I missing anything? I don't have serviceSearchDescriptor but I think it should chain ou=People+defaultSearchBase, right?
And there is a "shadow: files ldap" line in /etc/nsswitch.conf.
Yes.
- Did you install a binary version of OpenSSH Server with PAM support
or compile from source with an "./configure --with-pam" option?
It was a pkg:
bash-2.03# ldd /usr/local/sbin/sshd
libpam.so.1 => /usr/lib/libpam.so.1
- For ssh client connection, do this way to see more:
$ ssh -v testdba@192.85.86.87
OK. This is me trying to log in to a linux box under FDS control:
cnyitsun01/ > ssh testdba@cnyitlin01
testdba@cnyitlin01's password:
Last login: Fri Aug 26 11:02:06 2005 from cnyitlin02.composers.foo.com
[testdba@cnyitlin01 ~]$
Works fine. Now, to the test sun box:
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
LDAP Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Password:
And notice it's asking me for a separate ldap password. What's up with that?
Also, I ran this:
bash-2.03# ldapsearch -D "uid=proxyagent,ou=profile,dc=composers,dc=foo,dc=com" -w password -h cnyitlin02 -s base -b "" "objectclass=*"
objectClass=top
namingContexts=dc=composers,dc=foo,dc=com
namingContexts=dc=example, dc=com
namingContexts=o=NetscapeRoot
supportedExtension=2.16.840.1.113730.3.5.7
supportedExtension=2.16.840.1.113730.3.5.8
[more crap...]
So, looks like the proxy id/password is correct....
I hate Solaris. It took me ONE MINUTE to get a linux client working. One command - authconfig. This is just retarded.