I'm sure I just missed something simple somewhere, so I'm looking for a sanity check. I'm experimenting with LDAP on my home network; it works from ldapsearch, but it looks like I got the PAM integration wrong. nslcd is running and I'm not using nscd. I followed https://wiki.archlinux.org/index.php/LD … ient_Setup (URL truncated by the forum display; the fragment points at the #Client_Setup section of the Arch wiki LDAP article).
Working ldapsearch, bound as uid=ldap_test. (Caution: the dump below includes the sambaNTPassword/sambaLMPassword attributes of both admin and ldap_test — so an ordinary bound user can read other accounts' password hashes, which are password-equivalent for NTLM/SMB authentication and trivially cracked in the LM form; restrict read access to those attributes on the server and change both passwords now that the hashes have been posted.) -
# ldapsearch -D "uid=ldap_test,cn=users,dc=aaronfitz,dc=net" -W '(objectclass=*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=aaronfitz,dc=net> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# aaronfitz.net
dn: dc=aaronfitz,dc=net
dc: aaronfitz
objectClass: domain
# users, aaronfitz.net
dn: cn=users,dc=aaronfitz,dc=net
cn: users
objectClass: organizationalRole
# groups, aaronfitz.net
dn: cn=groups,dc=aaronfitz,dc=net
cn: groups
objectClass: organizationalRole
# synoconf, aaronfitz.net
dn: cn=synoconf,dc=aaronfitz,dc=net
cn: synoconf
objectClass: organizationalRole
# MinID, synoconf, aaronfitz.net
dn: cn=MinID,cn=synoconf,dc=aaronfitz,dc=net
cn: MinID
uidNumber: 1000000
gidNumber: 1000000
objectClass: organizationalRole
objectClass: sambaUnixIdPool
# MaxID, synoconf, aaronfitz.net
dn: cn=MaxID,cn=synoconf,dc=aaronfitz,dc=net
cn: MaxID
uidNumber: 2097151
gidNumber: 2097151
objectClass: organizationalRole
objectClass: sambaUnixIdPool
# CurID, synoconf, aaronfitz.net
dn: cn=CurID,cn=synoconf,dc=aaronfitz,dc=net
cn: CurID
gidNumber: 1000003
objectClass: organizationalRole
objectClass: sambaUnixIdPool
uidNumber: 1000002
# MaxNum, synoconf, aaronfitz.net
dn: cn=MaxNum,cn=synoconf,dc=aaronfitz,dc=net
cn: MaxNum
uidNumber: 10000
gidNumber: 10000
objectClass: organizationalRole
objectClass: sambaUnixIdPool
# aaronfitz, aaronfitz.net
dn: sambaDomainName=aaronfitz,dc=aaronfitz,dc=net
sambaDomainName: aaronfitz
sambaLogonToChgPwd: 0
sambaLockoutObservationWindow: 30
sambaMaxPwdAge: -1
sambaRefuseMachinePwdChange: 0
sambaLockoutThreshold: 0
sambaMinPwdAge: 0
sambaForceLogoff: -1
sambaLockoutDuration: 30
sambaSID: S-1-5-21-1140003447-2076127115-583627103
sambaPwdHistoryLength: 0
sambaMinPwdLength: 1
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1005
# users, groups, aaronfitz.net
dn: cn=users,cn=groups,dc=aaronfitz,dc=net
objectClass: top
objectClass: posixGroup
objectClass: extensibleObject
objectClass: apple-group
objectClass: sambaGroupMapping
objectClass: sambaIdmapEntry
cn: users
gidNumber: 1000001
description: Directory default group
sambaSID: S-1-5-21-1140003447-2076127115-583627103-1000
displayName: users
sambaGroupType: 2
memberUid: ldap_test
# Directory Operators, groups, aaronfitz.net
dn: cn=Directory Operators,cn=groups,dc=aaronfitz,dc=net
objectClass: top
objectClass: posixGroup
objectClass: extensibleObject
objectClass: apple-group
objectClass: sambaGroupMapping
objectClass: sambaIdmapEntry
cn: Directory Operators
gidNumber: 1000000
description: Directory default admin group
sambaSID: S-1-5-21-1140003447-2076127115-583627103-1001
displayName: Directory Operators
sambaGroupType: 2
memberUid: admin
memberUid: ldap_test
# administrators, groups, aaronfitz.net
dn: cn=administrators,cn=groups,dc=aaronfitz,dc=net
objectClass: top
objectClass: posixGroup
objectClass: extensibleObject
objectClass: apple-group
objectClass: sambaGroupMapping
objectClass: sambaIdmapEntry
cn: administrators
gidNumber: 1000002
description: Diskstation default admin group
sambaSID: S-1-5-21-1140003447-2076127115-583627103-1002
displayName: administrators
sambaGroupType: 2
memberUid: admin
memberUid: ldap_test
# admin, users, aaronfitz.net
dn: uid=admin,cn=users,dc=aaronfitz,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: apple-user
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: extensibleObject
cn: admin
uid: admin
gecos: Directory/Diskstation default admin user
uidNumber: 1000000
gidNumber: 1000001
loginShell: /bin/sh
homeDirectory: /home/admin
shadowLastChange: 16082
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowExpire: -1
shadowInactive: 0
shadowFlag: 0
sn: admin
authAuthority: ;basic;
sambaSID: S-1-5-21-1140003447-2076127115-583627103-1003
sambaNTPassword: 0EC71F90E2D50E1B90DDED4A634913FF
sambaLMPassword: 1807213E53024DABA0C9D693D56248D6
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
00000000
sambaPwdLastSet: 1389497215
sambaAcctFlags: [U ]
displayName: admin
# ldap_test, users, aaronfitz.net
dn: uid=ldap_test,cn=users,dc=aaronfitz,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: apple-user
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: extensibleObject
cn: ldap_test
uid: ldap_test
uidNumber: 1000001
gidNumber: 1000001
loginShell: /bin/sh
homeDirectory: /home/ldap_test
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowExpire: -1
shadowInactive: 0
shadowFlag: 0
sn: ldap_test
authAuthority: ;basic;
sambaSID: S-1-5-21-1140003447-2076127115-583627103-1004
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
00000000
sambaAcctFlags: [U ]
displayName: ldap_test
sambaNTPassword: 7A21990FCD3D759941E45C490F143D5F
sambaLMPassword: AEBD4DE384C7EC43AAD3B435B51404EE
sambaPwdLastSet: 1389501399
shadowLastChange: 16082
# search result
search: 2
result: 0 Success
# numResponses: 15
# numEntries: 14
Journal output from attempted console login (only pam_unix reports a failure and no pam_ldap message appears, so either the `login` service's stack — /etc/pam.d/login, not shown here — never reaches pam_ldap.so, or pam_ldap rejected the bind silently; `getent passwd ldap_test` confirms that NSS resolves the user through nslcd, and adding `debug` to the pam_ldap.so auth line logs the bind result) -
Jan 11 22:43:56 fitz_i7 login[2269]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=ldap_test
Jan 11 22:43:58 fitz_i7 login[2269]: FAILED LOGIN 1 FROM tty1 FOR ldap_test, Authentication failure
Configs -
# tail /etc/openldap/ldap.conf
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=aaronfitz,dc=net
URI ldap://192.168.1.25
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# cat /etc/nsswitch.conf
# Begin /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
publickey: files
hosts: files dns myhostname
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files
# End /etc/nsswitch.conf
# cat /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
# NOTE(review): with a plain ldap:// URI and the "ssl start_tls" line
# below left commented out, every bind this host makes -- including the
# user passwords pam_ldap.so sends at login -- crosses the network
# unencrypted. Prefer ldaps:// or "ssl start_tls" with "tls_reqcert demand"
# and a tls_cacertfile pointing at the CA that issued the server cert.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://192.168.1.25/
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
base dc=aaronfitz,dc=net
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
# (NOTE(review): "tls_reqcert never" disables server authentication
# entirely -- an on-path host can present any certificate and receive the
# bind credentials; use "tls_reqcert demand" with a CA file instead.)
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group member msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group member posixMember
# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map passwd uid cn
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd homeDirectory "/home/$cn"
#map passwd gecos displayName
#map passwd loginShell "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group gidNumber gid
validnames /^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i
# cat /etc/pam.d/system-auth
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account sufficient pam_ldap.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password sufficient pam_ldap.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_permit.so
# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_ldap.so
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# NOTE(review): as ordered here this check is bypassed for any target
# account whose password LDAP accepts: "auth sufficient pam_ldap.so" above
# returns success to su before this "required" line is ever consulted.
# Move the pam_wheel.so line above pam_ldap.so for the restriction to hold.
auth required pam_wheel.so use_uid
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
# cat /etc/pam.d/su-l
#%PAM-1.0
auth sufficient pam_ldap.so
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# NOTE(review): it is left commented here but enabled in /etc/pam.d/su, so
# "su -" (which uses this su-l stack) skips the wheel check that plain "su"
# enforces; apply the same setting, in the same position, in both files.
#auth required pam_wheel.so use_uid
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
[root@fitz_i7 aaron]# cat /etc/pam.d/passwd
#%PAM-1.0
password sufficient pam_ldap.so
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password required pam_unix.so sha512 shadow use_authtok
password required pam_unix.so sha512 shadow nullok