LDAP and PAM working for GUI login but not SSH

I have two Debian VMs. One is running an LDAP server and I'm trying to get the other to use libpam_ldap.
The client machine is able to get users from LDAP for the GUI login screen, but I can't ssh into the VM with users that are only in LDAP. I also can't su from the root user (local) to an LDAP user, but I assume it's the same problem.
On the client machine, I can use ldapsearch to look up the user I want...
ldapsearch -x -D "cn=admin,dc=mydomain,dc=com" -W -b "uid=testuser,ou=People,dc=mydomain,dc=com"
This prompts me for the admin LDAP password, and returns my user record:
dn: uid=testuser,ou=People,dc=mydomain,dc=com
uid: testuser
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: [removed for stackexchange posting ]
shadowLastChange: 17543
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/dwill
gecos: Test User,,,
(Note: my domain isn't actually "mydomain.com"; I edited it for this posting.)
But when I do getent passwd testuser, it doesn't return anything.
The /etc/nsswitch.conf has these lines:
passwd: files ldap
group: files ldap
shadow: files ldap
It used to have compat ldap for those, but I tried changing it to files because that's what one of the guides I found had. It didn't work either way.
The /etc/ssh/sshd_config has UsePAM yes set.
I have followed all the guides I can find via Google and I still can't get this working.
Any suggestions?
Tags: debian, pam, ldap
asked Jan 13 at 2:26 by dwilliss
Does getent passwd return the full user list? Are you using the libpam-ldapd package (recommended over libpam-ldap)?
– Ferenc Wágner, Jan 13 at 20:47
2 Answers
Accepted answer
I found the problem. One of the guides I found on Google instructed me to do
apt-get install libnss-ldap libpam-ldap nslcd
I also later found an article that said that libpam-ldapd is newer than libpam-ldap and installed that instead.
libnss-ldap prompts you for some configuration and creates a /etc/libnss-ldap.conf file. Then libpam-ldap uninstalls libnss-ldap but leaves its config file behind. Apparently that config file is still meaningful, because that's the one it's using, and I had an error in the binddn in that file. After fixing the binddn, it worked.
I really don't know why you'd install both of those LDAP modules. After getting the first client VM working, I set up another client VM using just libpam-ldapd and nslcd and it worked the first time.
answered Jan 14 at 1:57 by dwilliss
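As an added diagnostic (not code from this thread or from any of the packages it names), the POSIX shell script below checks the two places the accepted answer points at: whether nsswitch.conf routes passwd, group and shadow to ldap, and whether a leftover /etc/libnss-ldap.conf with a different binddn sits beside /etc/nslcd.conf. The config file paths it looks for and the sample tree it builds under mktemp are assumptions; point the functions at / to run it against a real client.

```shell
#!/bin/sh
# Added diagnostic, not code from the original thread. It checks the two layers
# that both have to work before an LDAP user can log in over SSH: NSS (what
# "getent passwd" consults) and the LDAP client config files that nslcd or the
# old libnss-ldap module read. Every path takes a root prefix so the script can
# run against a constructed tree instead of the real /etc.

# 0 if passwd, group and shadow in the given nsswitch.conf all list ldap as a source
nss_lists_ldap() {
    for db in passwd group shadow; do
        grep -E "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" >/dev/null || return 1
    done
}

# Print the LDAP client config files present under root $1. Return 1 when the
# old libnss-ldap.conf sits next to nslcd.conf: the accepted answer's failure
# mode, where a leftover file with a bad binddn is the one actually consulted.
ldap_client_configs() {
    found=""
    for f in /etc/libnss-ldap.conf /etc/pam_ldap.conf /etc/nslcd.conf; do
        [ -f "$1$f" ] && found="$found $f"
    done
    echo "$found"
    case "$found" in *libnss-ldap.conf*nslcd.conf*) return 1 ;; esac
}

# Extract the binddn value; the keyword is the same in libnss-ldap.conf and nslcd.conf
config_binddn() {
    awk 'tolower($1) == "binddn" { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Constructed sample tree: nsswitch.conf is correct, but a stale libnss-ldap.conf
# with a placeholder (wrong) binddn sits beside the real nslcd.conf.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc"
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$t/etc/nsswitch.conf"
    printf 'binddn cn=admin,dc=mydomain,dc=com\n' > "$t/etc/nslcd.conf"
    printf 'binddn cn=PLACEHOLDER-WRONG,dc=mydomain,dc=com\n' > "$t/etc/libnss-ldap.conf"
    echo "$t"
}

root=$(build_sample_tree)
nss_lists_ldap "$root/etc/nsswitch.conf" && echo "nsswitch.conf: ldap listed for passwd/group/shadow"
configs=$(ldap_client_configs "$root") || echo "WARNING: stale libnss-ldap.conf beside nslcd.conf:$configs"
[ "$(config_binddn "$root/etc/nslcd.conf")" = "$(config_binddn "$root/etc/libnss-ldap.conf")" ] \
    || echo "WARNING: binddn differs between the config files; check which one the NSS module reads"
rm -rf "$root"
```

On a real client, a clean nsswitch.conf plus an empty getent passwd result is the signature of the second layer (the client config) being wrong, which is what the thread's comments conclude.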
Ensure you have a /etc/pam.d/sshd with the following content:
auth sufficient pam_ldap.so
account sufficient pam_permit.so
Then, run sudo /usr/sbin/pam-auth-update and restart the sshd service.
answered Jan 13 at 11:28 by thecarpy
It includes the common-auth and common-account files, which both are configured to have those. I tried putting them in /etc/pam.d/sshd also anyway, but it didn't help. Also, the LDAP users don't show up when you do getent passwd either.
– dwilliss, Jan 14 at 0:39
Also, the LDAP users don't show up when you do getent passwd either. <---- this means your LDAP config is incorrect!
– thecarpy, Jan 14 at 9:31