Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: SSH + LDAP Auth Giving Fits
Operating Systems AIX SSH + LDAP Auth Giving Fits Post 302230068 by AlexDeGruven on Thursday 28th of August 2008 02:16:46 PM
Old 08-28-2008
SSH + LDAP Auth Giving Fits
I'm having a bear of a time getting my LDAP connection going, so I hope someone here has some insight.

I have AIX 5.3 running on an LPAR. I have ldap-client, ldap-max-crypto-client, gskak, and gskte installed. I'm able to set up the connection via mksecldap, and I can query users just fine whether they be local or remote.

When I ssh in using local authentication, everything works fine.

If I set my /etc/security/user stanza to 'SYSTEM = "LDAP"' and 'registry = LDAP', I can see my info in lsuser coming from the LDAP server.

Here's where the 'fun' begins. lsuser 'username' doesn't show my pgrp. We have a custom attribute because our default in the LDAP server is 10 (wheel for Linux). Since we use 1 (staff), we had an attribute created that is called out in /etc/security/ldap/2307user.map.

Whether I use the default gidnumber attribute, or our own custom attribute it doesn't pull it.

Also, when I set registry = files (or leave it un-set), I get all of the proper local information.

Now, I KNOW, for 100% certainty that I'm missing something stupid here, which is why I can't figure out what it is. I know this because I had it working a couple of weeks ago, but I rebuilt the server to test something else and forgot to save my state then for when I wanted to come back.

When I log in via SSH, I don't see anything unusual on the client side, and the server side reports that the login was successful. Yet, I get:
Code:
ssh user@server
user@server's password:
Connection to server closed by remote host.
Connection to server closed.

Can anyone help me figure out what the heck I'm missing here? SSH is successfully making the connection to the LDAP server and authenticating (I know it's going to the right place because login fails with my local password, which is different from my remote pw), and returning a successful result. Yet sshd on the server simply kicks me out after that.

Hopefully someone has some insight before I end up with no hair.
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

iPlanet on HP-UX - WANT to auth aganist MS Directory Services/LDAP

I am running iPlanet 6 on HP-UX 11, and presently all users can access the site. There are 6000 users accessing the website from an Windows Network. I would like users to access the site, but would also like to log user ID's in the access log, without prompting users for an ID/Password. Is... (1 Reply)
Discussion started by: shuterj
1 Replies

2. Shell Programming and Scripting

Cron job giving error while running SSH command

Hi All, The script which i am using to SSH to remote server is working fine when i run is using ./ but when cron runs it it gives error that "ssh: not found" please help!!! (3 Replies)
Discussion started by: visingha
3 Replies

3. UNIX for Dummies Questions & Answers

ssh pub key auth - can some please guide me idiot proof

hello. can somebody please idiot proff simple guide me how to set up ssh public key authenciation? i am stuck, i tried long and googled a lot but i cant get it. thanks in advance. (4 Replies)
Discussion started by: scarfake
4 Replies

4. Red Hat

LDAP auth, secondary groups doesnt works

RedHat ELS 5.2 & Sun directory getent passwd: works toto:*:1000:100:toto:/home/toto:/bin/bash getent group: works mygroup:*:10001:1000,1001 but id toto doesnt works :( uid=1000(toto) gid=100(users) groupes=100(users) BTW in /etc/ldap.conf i use a different mapping for the posix... (4 Replies)
Discussion started by: sncr24
4 Replies

5. UNIX for Dummies Questions & Answers

ssh login and auth errors

Hi folks, I'm having some rather odd trouble with ssh. It all started when I tried to create rsa public/private keys to login to a remote ssh account. The account is on a university server and the address redirects to several different machines so (following their wiki instructions...sigh) I... (9 Replies)
Discussion started by: daytripper
9 Replies

6. AIX

Kerberos and LDAP Auth

Good day I am trying to configure Kerberos and LDAP authentication on AIX 5.3 with Windows 2003 R2 but something is not quite right. When I ran kinit username I get a ticket and I can display it using klist. When the user login I can see the ticket request on Windows 2003, but the user... (1 Reply)
Discussion started by: mariusb
1 Replies

7. Emergency UNIX and Linux Support

Configure Squid to use LDAP group auth to deny internet access

Hi all We have squid-2.5.STABLE11-3.FC4 running in our environment. LDAP authentication works fine. Active Directory 2003 Users are prompted to enter credentials every time they access the net. The system works perfectly, but I need to configure Squid to block users in a specific AD group.... (1 Reply)
Discussion started by: wbdevilliers
1 Replies

8. AIX

ssh public key auth "Remote login for account is not allowed" ?

Hello, Using AIX 6.1 boxes. User user1 connects from box A to box B using ssh. When password authentication is used everything is fine. When I configure user1 to use public key authentication sftp client works fine(no password asked), but ssh client fails. This is sshd log: Accepted publickey... (3 Replies)
Discussion started by: vilius
3 Replies

9. Gentoo

LDAP-Auth does not work correctly with systemd

Hi, since the upgrade to Gnome 3.6 (now i have 3.8) the authentication over LDAP stops working. The whole machine does not start anymore. The machine boot, but no gdm and no X. I can login, with root, but then the tty hangs. When i look at ttyF12 i see a lot of systemd service the runs random,... (1 Reply)
Discussion started by: darktux
1 Replies

10. UNIX for Beginners Questions & Answers

Giving password reset access to non-root user, in LDAP

Hi, We have two LDAP servers. Whenever we get a ticket to reset the password, we login to LDAP primary server and reset the password. For below example, I logged into primary LDAP server and resetting password to john to Welcome123# We are giving this work to tier-1 team, so that they can reset... (1 Reply)
Discussion started by: ron323232
1 Replies

LEARN ABOUT OSX

dsconfigldap

dsconfigldap(1) 					    BSD General Commands Manual 					   dsconfigldap(1)

NAME

     dsconfigldap -- LDAP server configuration/binding add/remove tool.

SYNOPSIS

     dsconfigldap [-fvixsgmeSN] -a servername [-n configname] [-c computerid] [-u username] [-p password] [-l username] [-q password]

     dsconfigldap [-fviSN] -r servername [-u username] [-p password] [-l username] [-q password]

		  options:
			-f	       force authenticated binding/unbinding
			-v	       verbose logging to stdout
			-i	       prompt for passwords as required
			-x	       choose SSL connection
			-s	       enforce secure authentication only
			-g	       enforce packet signing security policy
			-m	       enforce man-in-middle security policy
			-e	       enforce encryption security policy
			-S	       do not update search policies
			-N	       do not prompt about adding certificates
			-h	       display usage statement
			-a servername  add config of servername
			-r servername  remove config of servername
			-n configname  name given to LDAP server config
			-c computerid  name used if binding to directory
			-u username    privileged network username
			-p password    privileged network user password
			-l username    local admin username
			-q password    local admin password

DESCRIPTION

     dsconfigldap allows addition or removal of LDAP server configurations. Presented below is a discussion of possible parameters. Usage has
     three intents: add server config, remove server config, or display help.

     Options list and their descriptions:

     -f       Bindings will be established or dropped in conjunction with the addition or removal of the LDAP server configuration.

     -v       This enables the logging to stdout of the details of the operations. This can be redirected to a file.

     -i       You will be prompted for a password to use in conjunction with a specified username.

     -s       This ensures that no clear text passwords will be sent to the LDAP server during authentication.	This will only be enabled if the
	      server supports non-cleartext methods.

     -e       This ensures that if the server is capable of supporting encryption methods (i.e., SSL or Kerberos) that encryption will be enforced
	      at all times via policy.

     -m       This ensures that man-in-the-middle capabilities will be enforced via Kerberos, if the server supports the capability.

     -g       This ensures that packet signing capabilities will be enforced via Kerberos, if the server supports the capability.

     -x       Connection to the LDAP server will only be made over SSL.

     -S       Will skip updating the search policies.

     -N       Will assume Yes for installing certificates

     -h       Display usage statement.

     -a servername
	      This is either the fully qualified domain name or correct IP address of the LDAP server to be added to the DirectoryService LDAPv3
	      configuration.

     -r servername
	      This is either the fully qualified domain name or correct IP address of the LDAP server to be removed from the DirectoryService
	      LDAPv3 configuration.

     -n configname
	      This is the UI configuration label that is to be given the LDAP server configuration.

     -c computerid
	      This is the name to be used for directory binding to the LDAP server. If none is given the first substring, before a period, of the
	      hostname (the defined environment variable "HOST") is used.

     -u username
	      Username of a privileged network user to be used in authenticated directory binding.

     -p password
	      Password for the privileged network user.  This is a less secure method of providing a password, as it may be viewed via process
	      list.  For stronger security leave the option off and you will be prompted for a password.

     -l username
	      Username of a local administrator.

     -q password
	      Password for the local administrator.  This is a less secure method of providing a password, as it may be viewed via process list.
	      For stronger security leave the option off and you will be prompted for a password.

EXAMPLES

     dsconfigldap -a ldap.company.com

     The LDAP server config for the LDAP server myldap.company.com will be added. If authenticated directory binding is required by the LDAP
     server, then this call will fail. Otherwise, the following parameters configname, computerid, and local admin name will respectively pick up
     these defaults: ip address of the LDAP servername, substring up to first period of fully qualified hostname, and username of the user in the
     shell this tool was invoked.

     dsconfigldap -r ldap.company.com

     The LDAP server config for the LDAP server myldap.company.com will be removed but not unbound since no network user credentials were sup-
     plied.  The local admin name will be the username of the user in the shell this tool was invoked.

SEE ALSO

     opendirectoryd(8), odutil(1)

Mac OS								   April 24 2010							    Mac OS
All times are GMT -4. The time now is 06:58 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy