Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: SSH + LDAP Auth Giving Fits
Operating Systems AIX SSH + LDAP Auth Giving Fits Post 302230068 by AlexDeGruven on Thursday 28th of August 2008 02:16:46 PM
Old 08-28-2008
SSH + LDAP Auth Giving Fits
I'm having a bear of a time getting my LDAP connection going, so I hope someone here has some insight.

I have AIX 5.3 running on an LPAR. I have ldap-client, ldap-max-crypto-client, gskak, and gskte installed. I'm able to set up the connection via mksecldap, and I can query users just fine whether they be local or remote.

When I ssh in using local authentication, everything works fine.

If I set my /etc/security/user stanza to 'SYSTEM = "LDAP"' and 'registry = LDAP', I can see my info in lsuser coming from the LDAP server.

Here's where the 'fun' begins. lsuser 'username' doesn't show my pgrp. We have a custom attribute because our default in the LDAP server is 10 (wheel for Linux). Since we use 1 (staff), we had an attribute created that is called out in /etc/security/ldap/2307user.map.

Whether I use the default gidnumber attribute, or our own custom attribute it doesn't pull it.

Also, when I set registry = files (or leave it un-set), I get all of the proper local information.

Now, I KNOW, for 100% certainty that I'm missing something stupid here, which is why I can't figure out what it is. I know this because I had it working a couple of weeks ago, but I rebuilt the server to test something else and forgot to save my state then for when I wanted to come back.

When I log in via SSH, I don't see anything unusual on the client side, and the server side reports that the login was successful. Yet, I get:
Code:
ssh user@server
user@server's password:
Connection to server closed by remote host.
Connection to server closed.

Can anyone help me figure out what the heck I'm missing here? SSH is successfully making the connection to the LDAP server and authenticating (I know it's going to the right place because login fails with my local password, which is different from my remote pw), and returning a successful result. Yet sshd on the server simply kicks me out after that.

Hopefully someone has some insight before I end up with no hair.
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

iPlanet on HP-UX - WANT to auth aganist MS Directory Services/LDAP

I am running iPlanet 6 on HP-UX 11, and presently all users can access the site. There are 6000 users accessing the website from an Windows Network. I would like users to access the site, but would also like to log user ID's in the access log, without prompting users for an ID/Password. Is... (1 Reply)
Discussion started by: shuterj
1 Replies

2. Shell Programming and Scripting

Cron job giving error while running SSH command

Hi All, The script which i am using to SSH to remote server is working fine when i run is using ./ but when cron runs it it gives error that "ssh: not found" please help!!! (3 Replies)
Discussion started by: visingha
3 Replies

3. UNIX for Dummies Questions & Answers

ssh pub key auth - can some please guide me idiot proof

hello. can somebody please idiot proff simple guide me how to set up ssh public key authenciation? i am stuck, i tried long and googled a lot but i cant get it. thanks in advance. (4 Replies)
Discussion started by: scarfake
4 Replies

4. Red Hat

LDAP auth, secondary groups doesnt works

RedHat ELS 5.2 & Sun directory getent passwd: works toto:*:1000:100:toto:/home/toto:/bin/bash getent group: works mygroup:*:10001:1000,1001 but id toto doesnt works :( uid=1000(toto) gid=100(users) groupes=100(users) BTW in /etc/ldap.conf i use a different mapping for the posix... (4 Replies)
Discussion started by: sncr24
4 Replies

5. UNIX for Dummies Questions & Answers

ssh login and auth errors

Hi folks, I'm having some rather odd trouble with ssh. It all started when I tried to create rsa public/private keys to login to a remote ssh account. The account is on a university server and the address redirects to several different machines so (following their wiki instructions...sigh) I... (9 Replies)
Discussion started by: daytripper
9 Replies

6. AIX

Kerberos and LDAP Auth

Good day I am trying to configure Kerberos and LDAP authentication on AIX 5.3 with Windows 2003 R2 but something is not quite right. When I ran kinit username I get a ticket and I can display it using klist. When the user login I can see the ticket request on Windows 2003, but the user... (1 Reply)
Discussion started by: mariusb
1 Replies

7. Emergency UNIX and Linux Support

Configure Squid to use LDAP group auth to deny internet access

Hi all We have squid-2.5.STABLE11-3.FC4 running in our environment. LDAP authentication works fine. Active Directory 2003 Users are prompted to enter credentials every time they access the net. The system works perfectly, but I need to configure Squid to block users in a specific AD group.... (1 Reply)
Discussion started by: wbdevilliers
1 Replies

8. AIX

ssh public key auth "Remote login for account is not allowed" ?

Hello, Using AIX 6.1 boxes. User user1 connects from box A to box B using ssh. When password authentication is used everything is fine. When I configure user1 to use public key authentication sftp client works fine(no password asked), but ssh client fails. This is sshd log: Accepted publickey... (3 Replies)
Discussion started by: vilius
3 Replies

9. Gentoo

LDAP-Auth does not work correctly with systemd

Hi, since the upgrade to Gnome 3.6 (now i have 3.8) the authentication over LDAP stops working. The whole machine does not start anymore. The machine boot, but no gdm and no X. I can login, with root, but then the tty hangs. When i look at ttyF12 i see a lot of systemd service the runs random,... (1 Reply)
Discussion started by: darktux
1 Replies

10. UNIX for Beginners Questions & Answers

Giving password reset access to non-root user, in LDAP

Hi, We have two LDAP servers. Whenever we get a ticket to reset the password, we login to LDAP primary server and reset the password. For below example, I logged into primary LDAP server and resetting password to john to Welcome123# We are giving this work to tier-1 team, so that they can reset... (1 Reply)
Discussion started by: ron323232
1 Replies

LEARN ABOUT SUSE

autofs_ldap_auth.conf

AUTOFS_LDAP_AUTH.CONF(5)					File Formats Manual					  AUTOFS_LDAP_AUTH.CONF(5)

NAME

       autofs_ldap_auth.conf - autofs LDAP authentication configuration

DESCRIPTION

       LDAP  authenticated  binds, TLS encrypted connections and certification may be used by setting appropriate values in the autofs authentica-
       tion  configuration  file  and  configuring  the  LDAP  client  with  appropriate  settings.   The  default  location  of  this	 file	is
       /etc/autofs_ldap_auth.conf.  If this file exists it will be used to establish whether TLS or authentication should be used.

       An example of this file is:

	 <?xml version="1.0" ?>
	 <autofs_ldap_sasl_conf
		 usetls="yes"
		 tlsrequired="no"
		 authrequired="no"
		 authtype="DIGEST-MD5"
		 user="xyz"
		 secret="abc"
	 />

       If  TLS	encryption is to be used the location of the Certificate Authority certificate must be set within the LDAP client configuration in
       order to validate the server certificate. If, in addition, a certified connection is to be used then the client certificate and private key
       file locations must also be configured within the LDAP client.

OPTIONS

       This files contains a single XML element, as shown in the example above, with several attributes.

       The possible attributes are:

       usetls="yes"|"no"
	      Determines whether an encrypted connection to the ldap server should be attempted.

       tlsrequired="yes"|"no"
	      This  flag  tells whether the ldap connection must be encrypted. If set to "yes", the automounter will fail to start if an encrypted
	      connection cannot be established.

       authrequired="yes"|"no"|"autodetect"|"simple"
	      This option tells whether an authenticated connection to the ldap server is required in order to perform ldap queries. If  the  flag
	      is  set  to  yes, only sasl authenticated connections will be allowed. If it is set to no then authentication is not needed for ldap
	      server connections. If it is set to autodetect then the ldap server will be queried to  establish  a  suitable  sasl  authentication
	      mechanism.  If no suitable mechanism can be found, connections to the ldap server are made without authentication. Finally, if it is
	      set to simple, then simple authentication will be used instead of SASL.

       authtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5"
	      This attribute can be used to specify a preferred authentication mechanism.
	       In normal operations, the automounter will attempt to authenticate to the ldap server using the list of supportedSASLmechanisms ob-
	      tained from the directory server.  Explicitly setting the authtype will bypass this selection and only try the mechanism specified.

       user="<username>"
	      This attribute holds the authentication identity used by authentication mechanisms that require it.  Legal values for this attribute
	      include any printable characters that can be used by the selected authentication mechanism.

       secret="<password>"
	      This attribute holds the secret used by authentication mechanisms that require it. Legal	values	for  this  attribute  include  any
	      printable characters that can be used by the selected authentication mechanism.

       clientprinc="<GSSAPI client principal>"
	      When  using GSSAPI authentication, this attribute is consulted to determine the principal name to use when authenticating to the di-
	      rectory server. By default, this will be set to "autofsclient/<fqdn>@<REALM>.

       credentialcache="<external credential cache path>"
	      When using GSSAPI authentication, this attribute can be used to specify an externally configured credential cache that is used  dur-
	      ing authentication.  By default, autofs will setup a memory based credential cache.

SEE ALSO

       auto.master(5),

AUTHOR

       This manual page was written by Ian Kent <raven@themaw.net>.

								    19 Feb 2010 					  AUTOFS_LDAP_AUTH.CONF(5)
All times are GMT -4. The time now is 10:56 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy