Debian – pam_unix(sshd:auth): authentication failure

debianopenldap

i have openldap and server Debian 8. i want set ldap authentication. i install ldap-utils libnss-ldapd libpam-ldapd and set them.

# getent passwd user.name
user.name:x:1537:3174:User Name:/home/user.name:/bin/bash
# getent shadow user.name
user.name:*:15140:0:99999:7:::0

when i login i have error:

Sep 19 17:49:49 LDAPClient login[475]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=name.user
Sep 19 17:49:49 LDAPClient login[475]: pam_ldap(login:auth): Authentication failure; user=name.user`
Sep 19 17:49:53 LDAPClient login[475]: FAILED LOGIN (1) on '/dev/tty1' FOR 'name.user', Authentication failure`

i also set ssh, but have same error:

Sep 19 17:46:37 LDAPClient sshd[807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.60.92  user=name.user
Sep 19 17:46:37 LDAPClient sshd[807]: pam_ldap(sshd:auth): Authentication failure; user=name.user
Sep 19 17:46:39 LDAPClient sshd[807]: Failed password for name.user from 192.168.60.92 port 63122 ssh2
Sep 19 17:46:43 LDAPClient sshd[807]: pam_ldap(sshd:auth): Authentication failure; user=name.user
Sep 19 17:46:45 LDAPClient sshd[807]: Failed password for name.user from 192.168.60.92 port 63122 ssh2

How to fix it? I don't have idea:(

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

the problem was in acl:

olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com"
  by peername.ip="192.168.250.78" read
  by peername.ip="xx.xx.xx.xx" read
  by peername.ip="192.168.250.204" read
  by dn="cn=replica,dc=example,dc=com" read
  by group.exact="cn=Directory Administrators,dc=example,dc=com" manage
  by dn.subtree="ou=Special Users,dc=example,dc=com" read
  by dn.subtree="ou=Special Users,dc=example,dc=com" read
  !!!by * none

olcAccess: {5}to *
  by peername.ip="xx.xx.xx.xx" read
  by peername.ip="192.168.250.204" read
  by group.exact="cn=Directory Administrators,dc=example,dc=com" manage
  by dn="cn=admin,dc=example,dc=com" write
  by dn="cn=replica,dc=example,dc=com" read
  by dn.subtree="ou=Special Users,dc=example,dc=com" read
  !!!by * none

Best Answer

If you check your shadow you have not set a password for you account. user.name:*:15140:0:99999:7:::0 ---- * means no password.

The system does not allow no password login.

TRY to create a password for your account and retry to login

Related Solutions

Logging authentication failure on OpenLDAP

Authentication failure is logged with err=49 - Invalid Credential at default loglevel 256 - (0x100 stats) stats log connections/operations/results:

$ grep 'err=49' -B1 /path/to/ldap.log
slapd[28269]: conn=83767 op=2 BIND dn="cn=x,ou=y,dc=z,dc=t" method=128
slapd[28269]: conn=83767 op=2 RESULT tag=97 err=49 text=

Ldap – PAM: auth: pam_unix(dovecot:auth): authentication failure;

I do hate to revive a dead question but given that this is the top search result for "dovecot pam authentication failure ldap", let me add this bit of extra knowledge:

The only thing that I've seen in my testing that updates the shadowAccount attributes is the passwd command when you're modifying the password for a user in LDAP... Most other tools don't care much about the shadowAccount class and it's attributes, and won't touch them. However, I only find that shadowAccount classes need to be added to users if they're going to be logging into the host, since that does care. If you're just doing something like email authentication (Dovecot), then it's not much use. I could be wrong here, but I've yet to see anything other than a host login consult the shadowAccount attributes for anything.

Now, if you're having Dovecot authenticate through PAM (which, I assume you probably are, since Dovecot is querying it and you're changing nsswitch), then please bear in mind that while, yes, PAM will pay attention to those extra attributes, you still need the correct tooling to change them... meaning whatever is changing user passwords also needs to go through PAM. Unpopular opinion as it may be, if you're not requiring host logins, just services like Dovecot or others, there's no need to get PAM involved since it's going to be checking a lot more things that are likely going to be irrelevant. (At best it could enforce other things like, yes, password expirations, but personally I would not enforce things like that when the service you login to has no provision to change a password like that) It's likely easier in the long run to have non-host/shell login services check LDAP themselves, allowing for other things like search filters specific to that service.

However assuming you've set up Dovecot to check LDAP itself, and not rely on PAM, at the end of Dovecot's 10-auth.conf are a list of !include lines for different auth mechanisms, like LDAP, SQL, etc. By default, the file auth-system.conf.ext is included before other mechanisms, like LDAP. What this means is that, since, in my testing, Dovecot checks these in the order they're provided, Dovecot will first attempt to authenticate the user with PAM, and then, if that fails, authenticate with LDAP. Ergo, you'll get a PAM error stating, yes, the authentication failure (as well as the first one indicating what failure it is). If you changed this ordering so the method most likely to succeed (LDAP, one would assume) is queried first, then there would be no need to check with PAM, and, therefore, no error thrown by PAM.

To solve this you could comment out the !include auth-system.conf.ext, but this could potentically cause system users (like root or postmaster) to be considered non-existent if you don't have them set up in LDAP.

My personal solution to this one was to cut that line out and paste it at the bottom, like this:

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-ldap.conf.ext

#!include auth-sql.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

!include auth-system.conf.ext

This means that Dovecot will first consult LDAP, then consult PAM if LDAP gave no results, as far as my testing has shown.

Best Answer

Related Solutions

Logging authentication failure on OpenLDAP

Ldap – PAM: auth: pam_unix(dovecot:auth): authentication failure;

Related Topic