--- "Tay, Gary" a écrit :
> If you suspect pam_ldap, show us the
> /etc/nsswitch.conf and /etc/pam.d/system-auth and/or
> /etc/pam.d/sshd.
>

================================================== ====
Here is my slapd.conf file content:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include
/etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema


# Allow LDAPv2 client connections. This is NOT the
default.
allow bind_v2

# Do not enable referrals until AFTER you have a
working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
#argsfile //var/run/slapd.args

access to attr=userPassword
by self write
by * auth
access to dn="ou=users,dc=example,dc=com"
by self write
by dn="cn=nssldap,ou=DSA,dc=example,dc=com" read
by users auth
by anonymous read
access to * by self write
by * read

################################################## #####################
# ldbm and/or bdb database definitions
################################################## #####################

database ldbm
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}Cu0mazfs7JKjmJaCrZQszD1G7ijRpIKO

# The database directory MUST exist prior to running
slapd AND
# should only be accessible by the slapd and slap
tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaDomainName,sambaPrimaryGroupSID
eq
================================================== ====
/etc/pam.d/sshd

#%PAM-1.0
auth required pam_stack.so
service=system-auth
auth required pam_nologin.so
account required pam_stack.so
service=system-auth
password required pam_stack.so
service=system-auth
session required pam_stack.so
service=system-auth
session required pam_limits.so
session optional pam_console.so
================================================== ====

> pam_ldap works with nss_ldap, also show
> /etc/ldap.conf.


And this is my /etc/ldap.conf file:

# Your LDAP server. Must be resolvable without using
LDAP.
host 127.0.0.1

# The distinguished name of the search base.
base dc=example,dc=com

# Another way to specify your LDAP server is to
provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP
Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory
separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=exampleuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=nssldap,ou=DSA,dc=example,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group ou=groups,dc=example,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass
mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer
supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer
supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds

# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS
typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer
is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client
authentication.
#tls_cert
#tls_key
ssl no
pam_password md5
================================================== ====

So, whad may you suggest please?

Thank you a lot for your help.


> -----Original Message-----
> From: fatima riadi [mailto:ftmriadi@yahoo.fr]
> Sent: Mon 3/21/2005 8:01 PM
> To: Tay, Gary
> Cc:
> Subject: RE: Re: ssh connection to an ldap server
>
>
>
> Hi,
>
> Thank you Gary for your reply.
>
> I added ACLs you suggested me. However, the problem
> could not be resolved.
>
> I checked my /var/log/messages file, it shows:
> sshd(pam_unix)[1574]: check pass; user unknown
> sshd(pam_unix)[1574]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=my_srv
> sshd[1574]: pam_ldap: error trying to bind
> (Server
> is unwilling to perform)
>
> So, I think that the problem is related to
> pam_ldap.
>
> You would have any suggestion, please, let me know.
>
> Regards
>
> --- "Tay, Gary" a écrit :
> > I think this may be due to the non-existence of
> > ACLs.
> >
> > Try adding these to slapd.conf and restarting
> slapd
> > after that:
> >
> > access to attr=userPassword
> > by self write
> > by * auth
> > access to dn="ou=People,dc=example,dc=com"
> > by self write
> > by
> > dn="cn=proxyagent,ou=profile,dc=example,dc=com"
> read
> > by users auth
> > by anonymous read
> > access to * by self write
> > by * read
> >
> > You may find my HOWTO useful:
> > http://web.singnet.com.sg/~garyttt/
> >
> > Gary
> >
> > -----Original Message-----
> > From: fatima riadi [mailto:ftmriadi@yahoo.fr]
> > Sent: Saturday, March 19, 2005 4:08 AM
> > To: secureshell@securityfocus.com
> > Subject: Re: Re: ssh connection to an ldap server
> >
> >
> > Hello,
> >
> > I am using OpenSSH_3.5p1, SSH protocols 1.5/2.0,
> > OpenSSL 0x0090701f on a Linux Red Hat 9.0 server.
> >
> > here is a debug output of a failed connection:
> >
> > [root@SrvRedHat downloads]# ssh -vvv
> > testuser@localhost
> > OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL
> > 0x0090701f
> > debug1: Reading configuration data
> > /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug1: Rhosts Authentication disabled,
> originating
> > port will not be trusted.
> > debug1: ssh_connect: needpriv 0
> > debug1: Connecting to localhost [127.0.0.1] port
> 22.
> > debug1: Connection established.
> > debug1: identity file /root/.ssh/identity type -1
> > debug1: identity file /root/.ssh/id_rsa type -1
> > debug1: identity file /root/.ssh/id_dsa type -1
> > debug1: Remote protocol version 1.99, remote
> > software
> > version OpenSSH_3.5p1
> > debug1: match: OpenSSH_3.5p1 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol
> 2.0
> > debug1: Local version string
> SSH-2.0-OpenSSH_3.5p1
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit:
> >
>
>

diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit:
> >
>
>

aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit:
> >
>
>

aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit:
> >
>
>

hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit:
> >
>
>

hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit:
> >
>
>

diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit:
> >
>
>

aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit:
> >
>
>

aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit:
> >
>
>

hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit:
> >
>
>

hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_init: found hmac-md5
> > debug1: kex: server->client aes128-cbc hmac-md5
> none
> > debug2: mac_init: found hmac-md5
> > debug1: kex: client->server aes128-cbc hmac-md5
> none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug1: dh_gen_key: priv key bits set: 151/256
> > debug1: bits set: 1626/3191
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug3: check_host_in_hostfile: filename
> > /root/.ssh/known_hosts
> > debug3: check_host_in_hostfile: match line 1
> > debug1: Host 'localhost' is known and matches the
> > RSA
> > host key.
> > debug1: Found key in /root/.ssh/known_hosts:1
> > debug1: bits set: 1606/3191
> > debug1: ssh_rsa_verify: signature correct
> > debug1: kex_derive_keys
> > debug1: newkeys: mode 1
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: waiting for SSH2_MSG_NEWKEYS
> > debug1: newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: done: ssh_kex2.
> > debug1: send SSH2_MSG_SERVICE_REQUEST
> > debug1: service_accept: ssh-userauth
> > debug1: got SSH2_MSG_SERVICE_ACCEPT
> > debug1: authentications that can continue:
> > publickey,password,keyboard-interactive
> > debug3: start over, passed a different list
> > publickey,password,keyboard-interactive
> > debug3: preferred
> > publickey,keyboard-interactive,password
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred:
>

=== message truncated ===






Découvrez le nouveau Yahoo! Mail : 250 Mo d'espace de stockage pour vos mails !
Créez votre Yahoo! Mail sur http://fr.mail.yahoo.com/