[389-users] Documentation for pam pass

[Techie]

On Fri, Mar 26, 2010 at 2:55 PM, Techie <techchavez at gmail.com> wrote:
> 2010/3/26 Prashanth Sundaram <psundaram at wgen.net>:
>>
>> Hi,
>>
>> Here’s how my PAM PTA looks like. But id on;t think it is of much use.
>>
>> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
>> nsslapd-pluginEnabled: on
>> pamSecure: FALSE
>> pamExcludeSuffix: o=NetscapeRoot
>> pamExcludeSuffix: cn=config
> Thanks again,
> My file looks like yours except I have pamSecure because I need that
> layer of security. It works with the krb Pass through. I have disabled
> it for testing(secure that is) to try passing through to LDAP.
>>
>> I don’t think the PTA will work against some other attribute which has same
>> value as ‘uid’. You may have to hack the filters under the hood to be able
>> to achieve that.
> Well supposedly the pam_login_attribute can be passed through the
> config files to the correct attribute. This is according to the PAM
> PTA docs unless I have misunderstood.
>>
>> My first guess:
>> If you use PAM-PTA, you still need some PAM module to specify the stack to
>> be used for PTA. So you need ‘ldapserver01’ file enabled and there you
>> define the translation of uid attribute to new attribute. I don’t know if
>> this is do-able.
> I am using ldapserver as the service file , in this I have pam_ldap as
> the auth module pointing to a config file that specifies the attribute
> map.(See below)
>>
>> Can you post some logs, which will tell where the block is. How are you
>> specifying the master ldap server(server to authenticate)?
> Here is the failing block for PAM PTA..Looks like PAMS misconfigured
> but looks right.
> pam_passthru-plugin - => pam_passthru_bindpreop
> pam_passthru-plugin - pam msg [0] = 1 Password:
> pam_passthru-plugin - Error from PAM during pam_authenticate (6:
> Permission denied)
> pam_passthru-plugin - Unknown PAM error [Permission denied] for user
> id [test_user], bind DN [uid=test_user,dc=example,dc=com]
> pam_passthru-plugin - <= handled (error 1 - Operations error)
>
>
> In the ldapserver service file, I use the config=/pathtofile arg to
> pam_ldap.so that points to a specific ldap.conf config file for this
> action. In that I put the hostname, the port, the  pam_login_attribute
> etc...I have also tried putting the master server params in the
> /etc/ldap.conf instead of a config file.
>
> Looks like this
> auth    sufficient  /lib/security/pam_ldap.so  config=/pathtoldap.conf
> account  optional    /lib/security/pam_ldap.so
>
>
> (error 1- operations error) is vague..Need it more verbose than this,
> I will have to try logging more.
>
> There does not appear to be a pluginarg attribute like with the PTA
> plugin that allows you to specify the LDAP URL so I am not sure how to
> specify the destination server using PAM PTA..The doc says to use the
> pam service file which is why I tried what I did above.
>
> I would like to know if anyone is familiar with the code and can tell
> me if the service file (ldapserver)can hold ldap.conf like params or
> is it merely for specifying auth, account, session, and password
> parameters?
>
> Thanks again
>
>>
>> -Prashanth
>>
>> ----------------------------
>> Hey thanks man.
>>
>> I have PAM PTA  with krb working fine as well..
>> However..I am trying to pass through to another LDAP server, how can i
>> go about doing that? The base of the tree on the other LDAP server is
>> different i want to use it to authenticate the accounts. The other
>> tree has the equivalent of the uid attribute in a different attribute.
>> I think my service file (ldapserver) is off.  Anyone have PAM PTA to
>> another LDAP server working? An example perhaps?
>> I am getting operations errors trying to use PAM PTA. I know the
>> passwords are correct so I am doing something incorrectly.
>>
>> pam_passthru-plugin - => pam_passthru_bindpreop
>> pam_passthru-plugin - pam msg [0] = 1 Password:
>> pam_passthru-plugin - Error from PAM during pam_authenticate (6:
>> Permission denied)
>> pam_passthru-plugin - Unknown PAM error [Permission denied] for user
>> id [test_user], bind DN [uid=test_user,dc=example,dc=com]
>>  pam_passthru-plugin - <= handled (error 1 - Operations error)
>>
>> Thanks again

Let me try one last time here..
I am trying to Pam Pass through auth from one FDS server to
another..So basically use a remote server for only auth info similar
to a kerberos pass through, but use the account info from the local
ldap server.. This is what PAM PTA does with kerberos, I just want to
use another LDAP server as the authentication source instead of
kerberos. This has proven difficult to do.
I have read the documentaion on PTA and PAM PTA. I have tried various
things to get this going. Does not seem to want to cooperate.

Firstly I have two FDS servers..one that has my account info or
authorization info for the users. And then I have an existing LDAP
server with the password information that I want to use for
authenticating..The RDN is the same so I just want to pass through the
password similar to PAM PTA with Kerberos. I cannot get this to work..

My question:  is it possible to pass through authentication to LDAP
instead of Kerberos with 389?

Secondly I have tried using the PTA plugin (not PAM PTA) by setting
the ldap url and suffix in the pluginarg attribute of the local server
with the LDAP accounts..The pluginarg url contains the url of the LDAP
server with the authentication info I need. (The RDNs are the same on
each server) This works to a point. I can bind to the local LDAP
server with the credentials belonging the suffix I specify in the
pluginarg attribute of the PTA plugin. I can search the directory with
this method..  However I cannot use this method in a ssh session or
desktop session to login to a client workstation.

My question: Is it possible to strictly use the PTA plugin to grab
authentication credentials from the remote LDAP server specified in
pluginarg and use the account/authorization of the local ldap server
to facilitae login sessions?
>