Mac OS X LDAP client not accepting ssh or console logins (PAM error)
Post 302980084 by jlh on Tuesday 23rd of August 2016 03:33:00 PM
Thanks for responding.

Yes, I tried setting

Code:
PasswordAuthentication yes

and

uncommenting the "#UsePAM yes" line.


I still can't log in, but at least the error changed a bit... that's helpful.


Code:
sh-3.2# ssh testuser@localhost
Password:
Password:
Password:
testuser@localhost's password:
Connection closed by ::1



Code:
Aug 23 13:18:51 macbook sshd[935]: error: PAM: permission denied for testuser from localhost via ::1
Aug 23 13:19:05 --- last message repeated 2 times ---
Aug 23 13:19:05 macbook sshd[935]: Failed password for testuser from ::1 port 50341 ssh2
Aug 23 13:19:05 fawkes sshd[935]: fatal: Access denied for user testuser by PAM account configuration [preauth]

So it seems that the Mac isn't authenticating properly or reading the password properly, but it's getting the other attributes correct.

This is such a wacky problem.

I'm thinking maybe the issue is with the authentication mechanisms available to Yosemite. If I query the directory server directly from the Mac, I see the available SASL authentication mechanisms as:


Code:
sh-3.2#  ldapsearch -x -h FQDN_of_server -b  "" -s base "(objectclass=*)" supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


But the PAM files show for sshd:


Code:
pam_krb5.so
pam_ntlm.so
pam_opendirectory.so


I was thinking that I need to add more SASL authentication methods to the system and I *think* that's done by editing
the .plist of the server in /Library/Preferences/OpenDirectory/Configurations/LDAPv3, but I don't think Apple would make
the OS that fussy.

Maybe I'm overthinking this....
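
The sshd log excerpt quoted in the post can be triaged mechanically. The following is an added example, not part of the original post: it parses those log lines (copied verbatim as sample input), expands the syslog "last message repeated" marker, and reports per sshd PID whether the session ended on the "PAM account configuration" denial. The function name, event names and verdict strings are illustrative.

```python
import re
from collections import Counter, defaultdict

# Log lines copied verbatim from the post above.
SAMPLE_LOG = """\
Aug 23 13:18:51 macbook sshd[935]: error: PAM: permission denied for testuser from localhost via ::1
Aug 23 13:19:05 --- last message repeated 2 times ---
Aug 23 13:19:05 macbook sshd[935]: Failed password for testuser from ::1 port 50341 ssh2
Aug 23 13:19:05 fawkes sshd[935]: fatal: Access denied for user testuser by PAM account configuration [preauth]
"""

SSHD = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[(\d+)\]: (.*)$")
REPEAT = re.compile(r"^\w{3} +\d+ [\d:]{8} --- last message repeated (\d+) times? ---$")
# Message patterns; the optional prefixes are what sshd adds for unknown accounts.
EVENTS = [
    ("pam_error", re.compile(r"^error: PAM: (?P<reason>.+?) for (?:illegal user )?(?P<user>\S+) from ")),
    ("failed_password", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from ")),
    ("pam_account_denied", re.compile(r"^fatal: Access denied for user (?P<user>\S+) by PAM account configuration")),
]

def triage(log_text):
    """Return {pid: {"user", "counts", "verdict"}} for the sshd lines in log_text."""
    sessions = defaultdict(lambda: {"user": None, "counts": Counter(), "verdict": "unknown"})
    last = None  # (pid, event) of the previous classified line, for repeat markers
    for line in log_text.splitlines():
        rep = REPEAT.match(line)
        if rep and last:
            sessions[last[0]]["counts"][last[1]] += int(rep.group(1))
            continue
        m = SSHD.match(line)
        last = None
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        for name, rx in EVENTS:
            hit = rx.match(msg)
            if hit:
                sessions[pid]["user"] = hit.group("user")
                sessions[pid]["counts"][name] += 1
                last = (pid, name)
                break
    for s in sessions.values():
        c = s["counts"]
        if c["pam_account_denied"]:
            s["verdict"] = "denied by PAM account configuration"
        elif c["failed_password"] or c["pam_error"]:
            s["verdict"] = "authentication failed"
    return dict(sessions)
```

Sessions are grouped by sshd PID only, because the hostname field differs between lines in the posted excerpt.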
 
