Problem Overview
Solaris 11 has been configured to use pam_ldap to authenticate users against an LDAP v3-compliant directory server. The Solaris host is only configured to use LDAP for authentication; it is not configured to use LDAP as a naming service.
When a valid user attempts to ssh to the Solaris host, the pam_ldap module submits a BIND request to the LDAP server and gets a response of success. However, Solaris still denies the user access.
Problem to solve: How can I complete my PAM configuration to allow users to authenticate to the Solaris host via ssh by using their LDAP identities?
The user is a valid user that exists both on the host (in the /etc/passwd and /etc/shadow files,) and on LDAP. The account is not locked on LDAP, and the user can properly authentication (BIND) to LDAP:
$ldapsearch -h <REMOVED> -p 389 -b ou=people,o=som,dc=com -D "uid=testuser,ou=people,o=som,dc=com" -W uid=testuser LDAP Password:
dn: uid=testuser,ou=People,o=som,dc=com
uid: testuser
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowInactive: 7
loginShell: /bin/bash
uidNumber: 1176
homeDirectory: /home/testuser
gecos: Test User
gidnumber: 501
shadowmax: 91
shadowmin: 7
shadowwarning: 28
userpassword:: <REMOVED>
shadowflag: 22352
shadowlastchange: 16115
Debugging Information
From the LDAP Server, you can see the user successfully authenticated:
Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:59874--connectionID: 88496--received: 2014-02-17-10:53:02.324-5:00--Success
base: ou=people,o=som,dc=com
scope: singleLevel
derefAliases: derefAlways
typesOnly: false
filter: (&(objectclass=SOLARISUSERATTR)(uid=testuser))
attributes: uid, SolarisUserQualifier, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrKeyValue
numberOfEntriesReturned: 0
AuditV3--2014-02-17-10:53:02.332-5:00--V3 Bind--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:22262--connectionID: 103359--received: 2014-02-17-10:53:02.332-5:00--Success
name: cn=proxyAgent,ou=Profile,o=som,dc=com
authenticationChoice: simple
Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:22262--connectionID: 103359--received: 2014-02-17-10:53:02.333-5:00--Success
base: ou=people,o=som,dc=com
scope: singleLevel
derefAliases: derefAlways
typesOnly: false
filter: (&(objectclass=POSIXACCOUNT)(uid=testuser))
numberOfEntriesReturned: 1
**Bind--bindDN: uid=testuser,ou=People,o=som,dc=com--client: <REMOVED>:12241--connectionID: 103360--received: 2014-02-17-10:53:02.335-5:00--Success
name: uid=testuser,ou=People,o=som,dc=com
authenticationChoice: simple**
Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:59874--connectionID: 88496--received: 2014-02-17-10:53:02.985-5:00--Success
base: ou=people,o=som,dc=com
scope: singleLevel
derefAliases: derefAlways
typesOnly: false
filter: (&(objectclass=POSIXACCOUNT)(uidnumber=10011))
attributes: cn, uid, uidNumber, gidNumber, gecos, description, homeDirectory, loginShell
numberOfEntriesReturned: 1
Logging on the Solaris host client shows that the PAM LDAP module submitted the user's credentials. Yet, while the LDAP server returned a success on the BIND operation, Solaris reports authentication failed. Note the use of sshd-kbdinit:
[auth.info] reprocess config line 160: ignoring RhostsRSAAuthentication option value. SSHv1 protocol is no longer supported in the server, please remove the option.
[auth.info] reprocess config line 167: ignoring RSAAuthentication option value. SSHv1 protocol is no longer supported in the server, please remove the option.
[auth.notice] Failed none for test user from <REMOVED> port 54650 ssh2
[auth.debug] ldap pam_sm_authenticate(sshd-kbdint testuser), flags = 1
[auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
[auth.notice] Failed keyboard-interactive for test user from <REMOVED> port 54650 ssh2
[auth.info] Connection closed by <REMOVED>
Configuration Details
Solaris Host Client
/etc/ssh/sshd_config
Protocol 2
Port 22
ListenAddress ::
AllowTcpForwarding no
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
MaxStartups 30:60:120
Banner /etc/issue
PrintMotd no
KeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 60
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries 3
MaxAuthTriesLog 0
PermitEmptyPasswords no
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes
PermitRootLogin yes
Subsystem sftp /usr/lib/ssh/sftp-server
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
KbdInteractiveAuthentication yes
ldapclient utilizes an ldapclient profile from the server.
$ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyAgent,ou=Profile,o=som,dc=com
NS_LDAP_BINDPASSWD= <REMOVED>
NS_LDAP_SERVERS= HOST1-IP:389, HOST2-IP:389
NS_LDAP_SEARCH_BASEDN= o=som,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SERVER_PREF= HOST1:389, HOST2:389
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,o=som,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=people,o=som,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,o=som,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE
pam.conf and pam.d/service
/etc/pam.conf (Only the relevant parts are shown)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1 debug
login auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1 debug
/etc/pam.d/login (Only the relevant parts are shown)
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1 debug
auth required pam_dial_auth.so.1
/etc/pam.d/other (Only the relevant parts are shown)
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1 debug
nsswitch.conf (nsswitch.conf was modified by using svccfg, resulting in the following nsswitch.conf file)
passwd: files ldap
group: files ldap
hosts: files [SUCCESS=return] dns
ipnodes: files [SUCCESS=return] dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
project: files
auth_attr: files
prof_attr: files
tnrhtp: files
tnrhdb: files
sudoers: files
LDAP Server
This host acts as a client to a Tivoli Directory Server v 6.3 (ITDS). Assume all proper schema modifications have been made. (I've added all necessary RFC2307bis, NIS and Solaris schema elements to ITDS.)
