[389-users] Documentation for pam pass

Rich Megginson rmeggins at redhat.com
Tue Mar 30 17:52:39 UTC 2010 

Techie wrote:
> On Fri, Mar 26, 2010 at 2:55 PM, Techie <techchavez at gmail.com> wrote:
>   
>> 2010/3/26 Prashanth Sundaram <psundaram at wgen.net>:
>>     
>>> Hi,
>>>
>>> Here’s how my PAM PTA looks like. But id on;t think it is of much use.
>>>
>>> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
>>> nsslapd-pluginEnabled: on
>>> pamSecure: FALSE
>>> pamExcludeSuffix: o=NetscapeRoot
>>> pamExcludeSuffix: cn=config
>>>       
>> Thanks again,
>> My file looks like yours except I have pamSecure because I need that
>> layer of security. It works with the krb Pass through. I have disabled
>> it for testing(secure that is) to try passing through to LDAP.
>>     
>>> I don’t think the PTA will work against some other attribute which has same
>>> value as ‘uid’. You may have to hack the filters under the hood to be able
>>> to achieve that.
>>>       
>> Well supposedly the pam_login_attribute can be passed through the
>> config files to the correct attribute. This is according to the PAM
>> PTA docs unless I have misunderstood.
>>     
>>> My first guess:
>>> If you use PAM-PTA, you still need some PAM module to specify the stack to
>>> be used for PTA. So you need ‘ldapserver01’ file enabled and there you
>>> define the translation of uid attribute to new attribute. I don’t know if
>>> this is do-able.
>>>       
>> I am using ldapserver as the service file , in this I have pam_ldap as
>> the auth module pointing to a config file that specifies the attribute
>> map.(See below)
>>     
>>> Can you post some logs, which will tell where the block is. How are you
>>> specifying the master ldap server(server to authenticate)?
>>>       
>> Here is the failing block for PAM PTA..Looks like PAMS misconfigured
>> but looks right.
>> pam_passthru-plugin - => pam_passthru_bindpreop
>> pam_passthru-plugin - pam msg [0] = 1 Password:
>> pam_passthru-plugin - Error from PAM during pam_authenticate (6:
>> Permission denied)
>> pam_passthru-plugin - Unknown PAM error [Permission denied] for user
>> id [test_user], bind DN [uid=test_user,dc=example,dc=com]
>> pam_passthru-plugin - <= handled (error 1 - Operations error)
>>
>>
>> In the ldapserver service file, I use the config=/pathtofile arg to
>> pam_ldap.so that points to a specific ldap.conf config file for this
>> action. In that I put the hostname, the port, the  pam_login_attribute
>> etc...I have also tried putting the master server params in the
>> /etc/ldap.conf instead of a config file.
>>
>> Looks like this
>> auth    sufficient  /lib/security/pam_ldap.so  config=/pathtoldap.conf
>> account  optional    /lib/security/pam_ldap.so
>>
>>
>> (error 1- operations error) is vague..Need it more verbose than this,
>> I will have to try logging more.
>>
>> There does not appear to be a pluginarg attribute like with the PTA
>> plugin that allows you to specify the LDAP URL so I am not sure how to
>> specify the destination server using PAM PTA..The doc says to use the
>> pam service file which is why I tried what I did above.
>>
>> I would like to know if anyone is familiar with the code and can tell
>> me if the service file (ldapserver)can hold ldap.conf like params or
>> is it merely for specifying auth, account, session, and password
>> parameters?
>>
>> Thanks again
>>
>>     
>>> -Prashanth
>>>
>>> ----------------------------
>>> Hey thanks man.
>>>
>>> I have PAM PTA  with krb working fine as well..
>>> However..I am trying to pass through to another LDAP server, how can i
>>> go about doing that? The base of the tree on the other LDAP server is
>>> different i want to use it to authenticate the accounts. The other
>>> tree has the equivalent of the uid attribute in a different attribute.
>>> I think my service file (ldapserver) is off.  Anyone have PAM PTA to
>>> another LDAP server working? An example perhaps?
>>> I am getting operations errors trying to use PAM PTA. I know the
>>> passwords are correct so I am doing something incorrectly.
>>>
>>> pam_passthru-plugin - => pam_passthru_bindpreop
>>> pam_passthru-plugin - pam msg [0] = 1 Password:
>>> pam_passthru-plugin - Error from PAM during pam_authenticate (6:
>>> Permission denied)
>>> pam_passthru-plugin - Unknown PAM error [Permission denied] for user
>>> id [test_user], bind DN [uid=test_user,dc=example,dc=com]
>>>  pam_passthru-plugin - <= handled (error 1 - Operations error)
>>>
>>> Thanks again
>>>       
>
> Let me try one last time here..
> I am trying to Pam Pass through auth from one FDS server to
> another..So basically use a remote server for only auth info similar
> to a kerberos pass through, but use the account info from the local
> ldap server.. This is what PAM PTA does with kerberos, I just want to
> use another LDAP server as the authentication source instead of
> kerberos. This has proven difficult to do.
> I have read the documentaion on PTA and PAM PTA. I have tried various
> things to get this going. Does not seem to want to cooperate.
>
> Firstly I have two FDS servers..one that has my account info or
> authorization info for the users. And then I have an existing LDAP
> server with the password information that I want to use for
> authenticating..The RDN is the same so I just want to pass through the
> password similar to PAM PTA with Kerberos. I cannot get this to work..
>
> My question:  is it possible to pass through authentication to LDAP
> instead of Kerberos with 389?
>
> Secondly I have tried using the PTA plugin (not PAM PTA) by setting
> the ldap url and suffix in the pluginarg attribute of the local server
> with the LDAP accounts..The pluginarg url contains the url of the LDAP
> server with the authentication info I need. (The RDNs are the same on
> each server) This works to a point. I can bind to the local LDAP
> server with the credentials belonging the suffix I specify in the
> pluginarg attribute of the PTA plugin. I can search the directory with
> this method..  However I cannot use this method in a ssh session or
> desktop session to login to a client workstation.
>
> My question: Is it possible to strictly use the PTA plugin to grab
> authentication credentials from the remote LDAP server specified in
> pluginarg and use the account/authorization of the local ldap server
> to facilitae login sessions?
>   
No.  With regular pta (that is, not pam pta) none of the data can exist 
on the local machine.  pta was not designed for the purpose you describe.

pam pta going through pam ldap probably won't work either, because 389 
uses mozldap and pam_ldap uses openldap, and the two APIs cannot exist 
in the same process space.

If you're feeling adventurous, you could attempt to build 389-ds-base 
with openldap, but some of the SSL stuff won't work, neither will some 
of the LDIF processing (which might be a non-starter for you).
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

More information about the 389-users mailing list