Problem Overview
Solaris 11 has been configured to use pam_ldap to authenticate users against an LDAP v3-compliant directory server. The Solaris host is only configured to use LDAP for authentication; it is not configured to use LDAP as a naming service.
When a valid user attempts to ssh to the Solaris host, the pam_ldap module submits a BIND request to the LDAP server and gets a response of success. However, Solaris still denies the user access.
Problem to solve: How can I complete my PAM configuration to allow users to authenticate to the Solaris host via ssh by using their LDAP identities?
The user is a valid user that exists both on the host (in the /etc/passwd and /etc/shadow files) and on LDAP. The account is not locked on LDAP, and the user can properly authenticate (BIND) to LDAP:
$ ldapsearch -h <REMOVED> -p 389 -b ou=people,o=som,dc=com -D "uid=testuser,ou=people,o=som,dc=com" -W uid=testuser
LDAP Password:
dn: uid=testuser,ou=People,o=som,dc=com
uid: testuser
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowInactive: 7
loginShell: /bin/bash
uidNumber: 1176
homeDirectory: /home/testuser
gecos: Test User
gidnumber: 501
shadowmax: 91
shadowmin: 7
shadowwarning: 28
userpassword:: <REMOVED>
shadowflag: 22352
shadowlastchange: 16115
Debugging Information
From the LDAP Server, you can see the user successfully authenticated:
Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:59874--connectionID: 88496--received: 2014-02-17-10:53:02.324-5:00--Success
base: ou=people,o=som,dc=com
scope: singleLevel
derefAliases: derefAlways
typesOnly: false
filter: (&(objectclass=SOLARISUSERATTR)(uid=testuser))
attributes: uid, SolarisUserQualifier, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrKeyValue
numberOfEntriesReturned: 0
AuditV3--2014-02-17-10:53:02.332-5:00--V3 Bind--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:22262--connectionID: 103359--received: 2014-02-17-10:53:02.332-5:00--Success
name: cn=proxyAgent,ou=Profile,o=som,dc=com
authenticationChoice: simple
Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:22262--connectionID: 103359--received: 2014-02-17-10:53:02.333-5:00--Success
base: ou=people,o=som,dc=com
scope: singleLevel
derefAliases: derefAlways
typesOnly: false
filter: (&(objectclass=POSIXACCOUNT)(uid=testuser))
numberOfEntriesReturned: 1
Bind--bindDN: uid=testuser,ou=People,o=som,dc=com--client: <REMOVED>:12241--connectionID: 103360--received: 2014-02-17-10:53:02.335-5:00--Success
name: uid=testuser,ou=People,o=som,dc=com
authenticationChoice: simple
Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:59874--connectionID: 88496--received: 2014-02-17-10:53:02.985-5:00--Success
base: ou=people,o=som,dc=com
scope: singleLevel
derefAliases: derefAlways
typesOnly: false
filter: (&(objectclass=POSIXACCOUNT)(uidnumber=10011))
attributes: cn, uid, uidNumber, gidNumber, gecos, description, homeDirectory, loginShell
numberOfEntriesReturned: 1
Logging on the Solaris host client shows that the PAM LDAP module submitted the user's credentials. Yet, while the LDAP server returned a success on the BIND operation, Solaris reports authentication failed. Note the use of sshd-kbdinit:
[auth.info] reprocess config line 160: ignoring RhostsRSAAuthentication option value. SSHv1 protocol is no longer supported in the server, please remove the option.
[auth.info] reprocess config line 167: ignoring RSAAuthentication option value. SSHv1 protocol is no longer supported in the server, please remove the option.
[auth.notice] Failed none for test user from <REMOVED> port 54650 ssh2
[auth.debug] ldap pam_sm_authenticate(sshd-kbdint testuser), flags = 1
[auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
[auth.notice] Failed keyboard-interactive for test user from <REMOVED> port 54650 ssh2
[auth.info] Connection closed by <REMOVED>
Configuration Details
Solaris Host Client
/etc/ssh/sshd_config
Protocol 2
Port 22
ListenAddress ::
AllowTcpForwarding no
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
MaxStartups 30:60:120
Banner /etc/issue
PrintMotd no
KeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 60
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries 3
MaxAuthTriesLog 0
PermitEmptyPasswords no
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes
PermitRootLogin yes
Subsystem sftp /usr/lib/ssh/sftp-server
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
KbdInteractiveAuthentication yes
ldapclient utilizes an ldapclient profile from the server.
$ ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyAgent,ou=Profile,o=som,dc=com
NS_LDAP_BINDPASSWD= <REMOVED>
NS_LDAP_SERVERS= HOST1-IP:389, HOST2-IP:389
NS_LDAP_SEARCH_BASEDN= o=som,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SERVER_PREF= HOST1:389, HOST2:389
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,o=som,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=people,o=som,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,o=som,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE
pam.conf and pam.d/service
/etc/pam.conf
(Only the relevant parts are shown)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1 debug
login auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1 debug
/etc/pam.d/login
(Only the relevant parts are shown)
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1 debug
auth required pam_dial_auth.so.1
/etc/pam.d/other
(Only the relevant parts are shown)
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1 debug
nsswitch.conf
(nsswitch.conf was modified by using svccfg, resulting in the following nsswitch.conf file)
passwd: files ldap
group: files ldap
hosts: files [SUCCESS=return] dns
ipnodes: files [SUCCESS=return] dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
project: files
auth_attr: files
prof_attr: files
tnrhtp: files
tnrhdb: files
sudoers: files
LDAP Server
This host acts as a client to a Tivoli Directory Server v 6.3 (ITDS). Assume all proper schema modifications have been made. (I've added all necessary RFC2307bis, NIS and Solaris schema elements to ITDS.)
Best Answer
As it turns out, the issue is with the 'binding' control_type keyword used in /etc/pam.conf and the /etc/pam.d/* files.
By replacing all instances of 'binding' with 'sufficient' for the pam_unix_auth.so.1 lines in the files, authentication now works. As an example:
should become
Be sure to do this wherever you want to use LDAP authentication.
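To show why the control flag matters, here is an added simulation (not code from the question or the answer) of the Solaris pam.conf(4) control-flag semantics applied to the 'other' auth stack above. It assumes the situation the answer implies: the password the user typed is the directory password, which does not match the local /etc/shadow entry, so pam_unix_auth reports failure while pam_ldap's BIND succeeds; module names and the RESULTS table are constructed for the illustration.

```python
# Added illustration: simplified Solaris pam.conf(4) control-flag evaluator.
# 'optional' is modelled as never influencing the outcome, which is enough
# for the stacks discussed on this page.

def evaluate_stack(stack, results):
    """Walk a PAM auth stack in pam.conf order and return True if auth is granted.

    stack   : list of (control_flag, module_name)
    results : dict module_name -> True (PAM_SUCCESS) / False (failure)
    """
    first_failure = None  # first failure from a required/requisite/binding module
    for flag, module in stack:
        ok = results[module]
        if flag == "requisite":
            if not ok:
                return False                # fail immediately, stop the stack
        elif flag == "required":
            if not ok and first_failure is None:
                first_failure = module      # recorded; remaining modules still run
        elif flag == "binding":
            if ok and first_failure is None:
                return True                 # short-circuit success
            if not ok and first_failure is None:
                first_failure = module      # failure is recorded, not ignored
        elif flag == "sufficient":
            if ok and first_failure is None:
                return True                 # short-circuit success
            # a failing 'sufficient' module is simply ignored
        elif flag == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return first_failure is None


def other_auth_stack(unix_auth_flag):
    """The 'other' auth stack from the question; only pam_unix_auth's flag varies."""
    return [
        ("requisite", "pam_authtok_get"),
        ("required", "pam_dhkeys"),
        ("required", "pam_unix_cred"),
        (unix_auth_flag, "pam_unix_auth"),
        ("required", "pam_ldap"),
    ]

# Constructed module outcomes: local password check fails, LDAP BIND succeeds.
RESULTS = {"pam_authtok_get": True, "pam_dhkeys": True, "pam_unix_cred": True,
           "pam_unix_auth": False, "pam_ldap": True}

def login_allowed(unix_auth_flag, results=RESULTS):
    return evaluate_stack(other_auth_stack(unix_auth_flag), results)
```

Note that with either flag a correct local password short-circuits the stack before pam_ldap is consulted, so the /etc/shadow entry remains a working credential path and should be managed (or locked) accordingly.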