LDAP and PAM working for GUI login but not SSH
I have two Debian VMs. One is running an LDAP server and I'm trying to get the other to use libpam_ldap.
The client machine is able to get users from LDAP for the GUI login screen, but I can't ssh into the VM with users that are only in LDAP. I also can't su from the root user (local) to an LDAP user, but I assume it's the same problem.
On the client machine, I can use ldapsearch to look up the user I want...
    ldapsearch -x -D "cn=admin,dc=mydomain,dc=com" -W -b "uid=testuser,ou=People,dc=mydomain,dc=com"
This prompts me for the admin LDAP password, and returns my user record:
    dn: uid=testuser,ou=People,dc=mydomain,dc=com
    uid: testuser
    cn: Test User
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    userPassword:: [removed for stackexchange posting ]
    shadowLastChange: 17543
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1001
    gidNumber: 1001
    homeDirectory: /home/dwill
    gecos: Test User,,,
(note, my domain isn't actually "mydomain.com". I edited it for this posting)
But when I do getent passwd testuser, it doesn't return anything.
The /etc/nsswitch.conf has these lines:
    passwd: files ldap
    group: files ldap
    shadow: files ldap
It used to have compat ldap for those but I tried changing it to files because that's what one of the guides I found had. It didn't work either way.
The /etc/ssh/sshd_config has UsePAM yes set.
I have followed all the guides I can find via Google and I still can't get this working.
Any suggestions?
Tags: debian, pam, ldap
asked Jan 13 at 2:26
dwilliss
Does getent passwd return the full user list? Are you using the libpam-ldapd package (recommended over libpam-ldap)? – Ferenc Wágner Jan 13 at 20:47
2 Answers
Accepted answer (score 1)
I found the problem. One of the guides I found on Google instructed me to do
    apt-get install libnss-ldap libpam-ldap nslcd
I also later found an article that said that libpam-ldapd is newer than libpam-ldap and installed that instead.
libnss-ldap prompts you for some configuration and creates a /etc/libnss-ldap.conf file. Then libpam-ldap uninstalls libnss-ldap but leaves its config file behind. Apparently that config file is still meaningful because that's the one it's using and I had an error in the binddn in that file. After fixing the binddn, it worked.
I really don't know why you'd install both of those ldap modules. After getting the first client VM working, I set up another client VM using just libpam-ldapd and nslcd and it worked first time.
answered Jan 14 at 1:57
dwilliss
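A way to spot the situation described in the accepted answer, as an added example that is not part of the original post: it prints the binddn set in each LDAP client config file left on the host and reports when they disagree. The file list covers the Debian config paths for libnss-ldap, libpam-ldap and nslcd; `ETC_DIR` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): show the bind DN configured in
# each LDAP client config file found on the host and flag disagreement.
# ETC_DIR is a hypothetical override so the check can run on a test tree;
# run as root on a real host, since /etc/nslcd.conf is not world-readable.

ETC_DIR="${ETC_DIR:-/etc}"
# Config files used by libnss-ldap, libpam-ldap and nslcd on Debian.
LDAP_CONFS="libnss-ldap.conf pam_ldap.conf nslcd.conf"

# conf_value FILE KEY: print the value of the first "KEY value" line,
# ignoring comments and blank lines; keys are matched case-insensitively.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == key && NF > 1 {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# Print "file<TAB>binddn" for every config file that exists.
list_binddns() {
    for f in $LDAP_CONFS; do
        [ -f "$ETC_DIR/$f" ] || continue
        printf '%s\t%s\n' "$f" "$(conf_value "$ETC_DIR/$f" binddn)"
    done
}

# Succeed only if the files that set a binddn all set the same one.
binddns_consistent() {
    distinct=$(list_binddns | cut -f2 | awk 'NF' | sort -u | awk 'END { print NR }')
    [ "$distinct" -le 1 ]
}

list_binddns
binddns_consistent || echo "binddn differs between LDAP client config files" >&2
```

A file that is listed but belongs to a package no longer installed is a candidate for the leftover config the answer describes.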
Answer (score 0)
Ensure you have a /etc/pam.d/sshd with the following content:
    auth sufficient pam_ldap.so
    account sufficient pam_permit.so
Then, run sudo /usr/sbin/pam-auth-update and restart the sshd service.
answered Jan 13 at 11:28
thecarpy
It includes the common-auth and common-account files which both are configured to have those. I tried putting them in /etc/pam.d/sshd also anyway but it didn't help. Also, the LDAP users don't show up when you do getent passwd either. – dwilliss Jan 14 at 0:39
Also, the LDAP users don't show up when you do getent passwd either. <---- this means your LDAP config is incorrect! – thecarpy Jan 14 at 9:31
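A check for the account line in the answer above, as an added example that is not part of the original answer or its comments: pam_permit.so always returns success, so as a sufficient rule with no required or requisite account rule before it, the account phase passes without pam_unix or pam_ldap account checks running. The function names, and treating an @include of an account stack as containing a binding rule, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): flag a PAM service file whose
# account stack can be satisfied by pam_permit.so before any binding rule.
# "sufficient" ends the stack on success when no earlier required or
# requisite rule has failed, and pam_permit.so always succeeds.

# permit_short_circuits FILE: print the line numbers of offending rules.
permit_short_circuits() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blanks
        $1 == "@include" {
            # Assumption: an included account stack (e.g. common-account)
            # contains at least one required/requisite rule.
            if ($2 ~ /account/) binding = 1
            next
        }
        {
            type = $1; sub(/^-/, "", type)       # "-account" = optional module
            if (type != "account") next
            if ($2 == "required" || $2 == "requisite") { binding = 1; next }
            is_permit = ($3 == "pam_permit.so" || $3 ~ /\/pam_permit\.so$/)
            if ($2 == "sufficient" && is_permit && !binding) print NR
        }' "$1"
}

# Succeed if the file has no such rule.
account_stack_ok() {
    [ -z "$(permit_short_circuits "$1")" ]
}

PAM_FILE="${1:-/etc/pam.d/sshd}"
if [ -r "$PAM_FILE" ] && ! account_stack_ok "$PAM_FILE"; then
    echo "$PAM_FILE: account stack short-circuited by pam_permit.so" >&2
fi
```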