Bonjour à tous,
Je vous expose mon souci,
Je mets en place une authentification via openldap sur mon architecture unix (AIX) - linux (CentOS)
Le serveur ldap est une CentOS (dsl pas le choix) lol
Je configure mon serveur
ldap : slapd & ldap.conf => tout fonctionne bien
je configure mon ssh : UsePAM yes
je configure mon /etc/pam.d/system-auth :
Code :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so |
je configure le /etc/nsswitch.conf :
Code :
1
2
3
| passwd: files ldap
shadow: files ldap
group: files ldap |
J'ai créé un compte standard : SKN55051
je procède a la migration via les outils ldap fourni
configure le fichier qui vont bien ...
Supprime mon user SKN55051 de /etc/passwd
J'importe les ldif crées via ldapadd sans souci
mon serveur ldap est redémarré, ssh aussi ,
enfin je fais (je pense tout ce qui va bien).
Mais impossible de m'identifier via se maudit ldap :
secure.log :
Code :
1
2
3
4
| Jan 20 11:06:55 ldapsrv sshd[10228]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 11:06:55 ldapsrv sshd[10228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.XXX.XXX.125
Jan 20 11:06:55 ldapsrv sshd[10228]: pam_succeed_if(sshd:auth): error retrieving information about user SKN55051
Jan 20 11:06:57 ldapsrv sshd[10228]: Failed password for invalid user SKN55051 from XXX.XXX.XXX.125 port 1163 ssh2 |
audit.log :
Code :
1
2
3
4
5
| type=CRYPTO_SESSION msg=audit(1327054008.204:882): user pid=10228 uid=0 auid=0 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 rport=1163 laddr=xxx.xxx.xxx.210 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=XXX.XXX.XXX.125, terminal=? res=success)'
type=CRYPTO_SESSION msg=audit(1327054008.205:883): user pid=10228 uid=0 auid=0 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 rport=1163 laddr=xxx.xxx.xxx.210 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=XXX.XXX.XXX.125, terminal=? res=success)'
type=USER_LOGIN msg=audit(1327054013.125:884): user pid=10228 uid=0 auid=0 msg='acct="SKN55051": exe="/usr/sbin/sshd" (hostname=?, addr=XXX.XXX.XXX.125, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1327054017.219:885): user pid=10228 uid=0 auid=0 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=XXX.XXX.XXX.125, addr=XXX.XXX.XXX.125, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1327054017.219:886): user pid=10228 uid=0 auid=0 msg='acct="SKN55051": exe="/usr/sbin/sshd" (hostname=?, addr=XXX.XXX.XXX.125, terminal=sshd res=failed)' |
ldap.log :
Code :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| Jan 20 11:06:53 ldapsrv slapd[10120]: conn=2 fd=14 ACCEPT from IP=xxx.xxx.xxx.210:56077 (IP=xxx.xxx.xxx.210:389)
Jan 20 11:06:53 ldapsrv slapd[10120]: conn=2 op=0 BIND dn="" method=128
Jan 20 11:06:53 ldapsrv slapd[10120]: conn=2 op=0 RESULT tag=97 err=0 text=
Jan 20 11:06:53 ldapsrv slapd[10120]: conn=2 op=1 SRCH base="ou=People,dc=mondc" scope=1 deref=0 filter="(&(?=undefined)(uid=skn55051))"
Jan 20 11:06:53 ldapsrv slapd[10120]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 20 11:06:53 ldapsrv slapd[10120]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 20 11:06:55 ldapsrv slapd[10120]: conn=2 op=2 SRCH base="ou=People,dc=mondc" scope=1 deref=0 filter="(&(?=undefined)(uid=skn55051))"
Jan 20 11:06:55 ldapsrv slapd[10120]: conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 20 11:06:55 ldapsrv slapd[10120]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 20 11:06:55 ldapsrv slapd[10120]: conn=2 op=3 SRCH base="ou=People,dc=mondc" scope=1 deref=0 filter="(&(?=undefined)(uid=skn55051))"
Jan 20 11:06:55 ldapsrv slapd[10120]: conn=2 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 20 11:06:55 ldapsrv slapd[10120]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 20 11:06:58 ldapsrv slapd[10120]: conn=0 op=5 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jan 20 11:06:58 ldapsrv slapd[10120]: conn=0 op=5 SRCH attr=ibm-servertype
Jan 20 11:06:58 ldapsrv slapd[10120]: conn=0 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 20 11:08:47 ldapsrv slapd[10120]: conn=2 fd=14 closed (connection lost)
Jan 20 11:11:58 ldapsrv slapd[10120]: conn=0 op=6 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jan 20 11:11:58 ldapsrv slapd[10120]: conn=0 op=6 SRCH attr=ibm-servertype
Jan 20 11:11:58 ldapsrv slapd[10120]: conn=0 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text= |
Auriez vous une idée... ?
Car là je commence à sécher
Bien cordialement
20/01/2012, 11h21
Stéphane 
Connexion via LDAP via CentOS 5
00
