Hi. I am currently trying to get this thing working, all day and only errors. I will post some logs and files later, but I just wanted to ask now - has anyone got arch working with the ldap_pam module? The ldap side is working, the system seems to understand when the username and password were correct, but wouldn't let me into the system. After login, there is some traffic to the ldap server, but nothing, it still fails. I'm trying to use this package https://www.archlinux.org/packages/comm … pam-ldapd/ and messing around with settings under /etc/pam.d currently.
Ubuntu works fine, I just tested Lubuntu and Mint clients and they just log in via ldap without any problems. Ubuntu based clients can be configured easily by this guide http://askubuntu.com/questions/127389/h … dap-client . But the structure under /etc/pam.d is slightly different between arch and ubuntu. The wiki article seems to be greatly out of date too...
The server is running OpenLDAP (linux) and ubuntu/windows clients work, I just haven't figured out where the problem is with arch.
Last edited by kellerman (2013-04-09 21:59:18)
Okay, I've gotten so far (let's say that base is 'dc=server,dc=mydomain' and server is 'server'):
-installing http://arthurdejong.org/nss-pam-ldapd/setup (nss-pam-ldapd package from core repo) and configuring it by the documentation
cat nslcd.conf
uri ldap://server
base dc=server,dc=mydomain
uid nslcd
gid nslcd
cat /etc/nsswitch.conf
# Begin /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
publickey: files
hosts: files dns myhostname
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files
# End /etc/nsswitch.conf
And then started and enabled nslcd via systemd. After reboot
getent passwd
and
sudo getent shadow
returns now also entries from the LDAP directory. One line looks approximately like this:
pdcadmin:*:2001:1902:PDC administrator user:/home/pdcadmin:/usr/sbin/nologin
There is no shell for LDAP users, but Ubuntu-like clients still work, only terminal sessions cannot be started.
So I figured that I can connect to LDAP, and after boot, doing
sudo journalctl -b
I can see that nslcd connected to LDAP successfully. The magic starts with pam. The package above seems to have the pam_ldap module included and this is my modified /etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
auth optional pam_permit.so
account required pam_unix.so
account sufficient pam_ldap.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so nullok sha512 shadow
password sufficient pam_ldap.so try_first_pass
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_permit.so
I tried multiple variants of this and still can't log in via LDAP, only locally. This must be a problem in the pam configuration and the problem must not be big, probably a simple change somewhere in /etc/pam.d/* .
This is the journal of trying 2 correct login attempts as 'pdcadmin' and 2 incorrect login attempts as pdcadmin, then after that failed, logging in as local user 'user'.
This is the log for that situation, starting with dhcpcd getting network parameters http://pastebin.com/KnyUG8CN .
I also tried using lightdm over slim and nothing changed. For testing I use a clean arch install with LXDE, if that matters.
Last edited by kellerman (2013-04-13 22:25:35)
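The auth stack in the post above is easier to reason about with a control-flag simulator. This is an added example, not code from the thread or from Linux-PAM: the action table follows the pam.conf(5) equivalents of required/requisite/sufficient/optional, the per-module return values are supplied by hand, and the pam_deny.so variant is an assumed alternative to the trailing optional pam_permit.so (when every sufficient module fails, that optional pam_permit.so is the only result that counts, so the auth stack reports success).

```python
# Added example, not code from the thread or from Linux-PAM: a small simulator of
# control-flag evaluation, applied to the auth stack posted above. Module return
# values are supplied by hand; nothing here loads real PAM modules.
ACTIONS = {  # pam.conf(5) equivalents of the four simple control flags
    "required":   {"success": "ok",   "ignore": "ignore", "fail": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "fail": "die"},
    "sufficient": {"success": "done", "ignore": "ignore", "fail": "ignore"},
    "optional":   {"success": "ok",   "ignore": "ignore", "fail": "ignore"},
}
# Constructed copies: the posted auth lines, and a variant ending in pam_deny.so.
POSTED_STACK = """auth required pam_env.so
auth sufficient pam_unix.so nullok
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
auth optional pam_permit.so"""
DENY_STACK = POSTED_STACK.replace("auth optional pam_permit.so",
                                  "auth required pam_deny.so")

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility of a pam.d file."""
    rows = [ln.split() for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    return [(r[1], r[2]) for r in rows if len(r) >= 3 and r[0] == facility]

def evaluate(stack, results):
    """Walk the stack as libpam does; results: module -> success|ignore|fail."""
    impression = decider = None  # None: nothing counted; True/False: pass/fail recorded
    for control, module in stack:
        action = ACTIONS[control][results[module]]
        if action in ("ok", "done"):
            if impression is None or impression:  # counts unless a failure is recorded
                impression, decider = True, module
            if action == "done" and impression:
                break                             # sufficient success ends the stack
        elif action in ("bad", "die"):
            if impression is not False:           # the first failure sticks
                impression, decider = False, module
            if action == "die":
                break
        # "ignore": the module's result is not recorded at all
    if impression is None:
        return "fail", None                       # nothing counted: libpam refuses
    return ("success" if impression else "fail"), decider

def compare(password_ok):
    """Outcome of both stacks for an LDAP-only user who has no local password hash."""
    results = {"pam_env.so": "ignore",   # pam_env's authenticate hook returns PAM_IGNORE
               "pam_unix.so": "fail",    # no local hash to check against
               "pam_ldap.so": "success" if password_ok else "fail",
               "pam_permit.so": "success", "pam_deny.so": "fail"}
    return {name: evaluate(parse_stack(text), results)
            for name, text in (("posted", POSTED_STACK), ("deny", DENY_STACK))}
```

compare(False)["posted"] shows the wrong-password case being decided by pam_permit.so, while the pam_deny.so variant fails closed.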
I don't believe that there are no people that install arch at their office or work...
Well this isn't THAT important, currently I install Lubuntu on some older workstations, but Arch with LXDE runs best. And if I can't manage LDAP auth, then it's a no to Arch.
Hi kellerman,
Please be patient. Maybe there are not *so many* people using Arch for LDAP authentication.
kellerman wrote: There is no shell for LDAP users, but Ubuntu-like clients still work, only terminal sessions cannot be started
....
I also tried using lightdm over slim and nothing changed. For testing use clean arch install with LXDE if that matters.
I guess that the Ubuntu-like clients are working with LightDM (default of Ubuntu since some releases ago). Try to copy/paste the relevant default config files from a Ubuntu install; if it does not work, it could be a problem with a package (e.g. the pam module), and then I suggest to test the latest development snapshots (you can have a different installation for test purposes for example). Another possibility is that a package was compiled without the appropriate LDAP support, but I don't know exactly which packages are involved there.
You can also surf through the man pages, since they are the info that the original devs wanted you to know. As I said, be patient and try to get it running.
kellerman wrote: The wiki article seems to be greatly out of date too...
If you succeed, update the wiki so that other people can benefit from your experience. For me, that is the best way to collaborate with the Arch (and Linux) community. But it is only my opinion.
Thanks for reply. I'm patient, no problems with that! Just wondering if I'm not going the wrong way, so I can try some further experiments. And maybe there are better ways of debugging than just looking at the system journal.
Well, I tried both slim and lightdm, but it should also log in using a tty or terminal (it says: This account is currently not available for Ubuntu clients, which is correct).
I tried merging the configuration files at /etc/pam.d but I'm not sure if I have to modify only /etc/pam.d/system-auth or other files too at /etc/pam.d
If you succeed, update the wiki so that other people can benefit from your experience.
Sure, if I'll get it to work!
Also there are 2 variants of packages to install (I don't have any other packages installed for this purpose):
community/nss-pam-ldapd
or
extra/pam_ldap
extra/nss_ldap
Currently the most success I get with the first one.
Last edited by kellerman (2013-04-14 10:52:43)
Hi kellerman,
I was wondering if you had any success with LDAP authentication? I cannot appear to even get nslcd contacting my ldap server. Perhaps if I can get that part up and running, I can sort out the rest.
Walter
Yo, Mister White!
Sorry, but I didn't have any success with LDAP authentication and Arch. Currently I'm using Zentyal 3.0 on my server and it handles the Windows domain controller role very well, so I can simply use Likewise Open to join a domain. I join Ubuntu/Mint workstations, so I decided not to mess with Arch LDAP authentication.
I don't remember well, but I messed around a lot with pam-ldap settings. Maybe the problem was in the LDAP server config or, most probably, the client config, but it didn't work at all. I then just found out that debugging for this thing is incredibly hard.
kellerman, did you ever get this solved?
LDAP is a must for any linux distro for me.
The wiki is so outdated and not complete, I am disappointed in arch for that.
I too use ubuntu and debian for ldap servers and clients, and the install using ldapd is flawless and simple. This not working, however, is a show stopper for running arch.
I have followed the arch wiki as well as the ldap documentation and this is just not working.
I am unable to even do a getent passwd to list my ldap accounts.
Oh, I see you gave up. Well, I will keep looking, put this on the back burner and go back to my debian workstation.
Yep, I've given up, it was just too much time consuming.
kellerman wrote: Yep, I've given up, it was just too much time consuming.
I just found this, which is the preferred method of configuring ldap. I have yet to try it, but this is basically what I was looking for, as it is what I use for debian systems. The below should work....
https://www.archlinux.org/packages/?name=nss-pam-ldapd
http://arthurdejong.org/nss-pam-ldapd/docs.html
Last edited by LanManT (2013-09-01 07:48:45)
kellerman wrote: Yep, I've given up, it was just too much time consuming.
LanManT wrote: I just found this, which is the preferred method of configuring ldap. I have yet to try it, but this is basically what I was looking for, as it is what I use for debian systems. The below should work....
This was not correct; it was the initial install packages. Will try again at a later date.
There are changes in OpenLDAP also. I have Zentyal 3.0 server in production and you no longer can bind as you used to.
I remember trying your second link, but I failed.
Now I simply use likewise-open and a samba4 domain combined with openldap (by default in Zentyal 3.0). It joins the domain great. Haven't tried with Arch, but it should be like 99% easier.
Last edited by kellerman (2013-09-04 14:26:17)
I finally got back to this and found the LDAP client auth is working now per the instructions in the arch wiki.
One thing I did notice: in my ldap.conf, I needed TLS_REQCERT allow added to search ldap.
And kellerman, your nsswitch.conf should have "files ldap" all the way down, for all protocols.
Another note: at the time when I first posted that it was not working, I was using the SLiM greeter, which might not support pam and ldap.
I have switched to lightdm and now I can login to openldap and fully test our archlinux.