Centralized authentication with LDAP - failing (384 Views)
Reply
Advisor
PM Srividhya
Posts: 33
Registered: ‎02-14-2007
Message 1 of 4 (384 Views)
Accepted Solution

Centralized authentication with LDAP - failing

Hello,

 

We are trying to centralize the OS authentication with LDAP using OID (Oracle internet Directory).


It works fine with our Linux servers on different flavours; but on HP-UX its failing.

 

Below is the snippet from the ssh debug session:

 

$ ssh -vvv srinivas.kalyan@jnmddb01
.
.
.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
LDAP Password:
debug3: packet_send2: adding 32 (len 26 padlen 6 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cfd -1)

debug3: channel 0: close_fds r 4 w 5 e 6 c -1
Connection to jnmddb01 closed by remote host.
Connection to jnmddb01 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 79 bytes in 0.4 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 193.3
debug1: Exit status -1


The user-id is recognised from the LDAP integration commands like beq, pwget:


$ /opt/ldapux/contrib/bin/beq -k n -s pwd -l /usr/lib/hpux32/libnss_ldap.so.1 srinivas.kalyan -H 5
nss_status .............. NSS_SUCCESS
pw_name...........(srinivas.kalyan)
pw_passwd.........(*)
pw_uid............(506)
pw_gid............(501)
pw_age............()
pw_comment........()
pw_gecos..........(srinivas.kalyan)
pw_dir............(/home/srinivas.kalyan)
pw_shell..........(/bin/bash)
pw_audid..........(0)
pw_audflg.........(0)
jnmddb01::root>nsquery passwd srinivas.kalyan

Using "files ldap" for the passwd policy.

Searching /etc/passwd for srinivas.kalyan
srinivas.kalyan was NOTFOUND

Switch configuration: Allows fallback

Searching ldap for srinivas.kalyan
User name: srinivas.kalyan
User Id: 506
Group Id: 501
Gecos: srinivas.kalyan
Home Directory: /home/srinivas.kalyan
Shell: /bin/bash

Switch configuration: Terminates Search

 

$ pwget -n srinivas.kalyan
srinivas.kalyan:*:506:501:srinivas.kalyan:/home/srinivas.kalyan:/bin/bash


Is there any other configuration required from the PAM?

 

Any pointers to solve this will be highly appreciated!

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 2 of 4 (376 Views)

Re: Centralized authentication with LDAP - failing

[ Edited ]

The SSH client debug output includes:

 

> debug1: Authentication succeeded (keyboard-interactive).

 

and:

 

> debug1: Entering interactive session.

 

These would suggest that the authentication phase has been successfully completed and a login session is starting, but then something causes the session to immediately end. So the problem might not be authentication, but perhaps something else, like not being able to start the configured shell.

 

First, check the basics:

- is the home directory /home/srinivas.kalyan accessible?

 

- the shell is listed as /bin/bash in LDAP. Does /bin/bash exist in this system?

 

- is /bin/bash working normally? (I think some old versions of bash had a bug that caused sessions to die like this on some versions of HP-UX. Maybe on 11.23 and PA-RISC?)

 

- does /etc/shells exist, and is /bin/bash listed in it?

(If /etc/shells does not exist, the system uses a hard-coded list of standard shells. See "man getusershell". If you create /etc/shells, you should add the standard shells to it too.)

 

- do you have a custom shell startup script (~/.profile, ~/.bash_profile or ~/.bashrc) which might end the session automatically if some conditions are true? Does /etc/profile have any customizations?

 

You should also look at /var/adm/syslog/syslog.log on the server: when login fails, sshd usually logs a sensible error message. For security reasons, this error message is not sent to the client. (No reason to tell a possible intruder exactly why his/her intrusion attempt failed. A legitimate user can contact the server administrator and get the information that way.)

MK
Advisor
PM Srividhya
Posts: 33
Registered: ‎02-14-2007
Message 3 of 4 (352 Views)

Re: Centralized authentication with LDAP - failing

Thanks MK for your response.

 

The issue seems to be due to inability of HP-UX to create users with more than 8 characters as we are trying to map the AD user-id to the unix user.

 

May be should try enabling the long username option of 11.31?! 

 

Thanks,

Srividhya

 

 

Advisor
PM Srividhya
Posts: 33
Registered: ‎02-14-2007
Message 4 of 4 (344 Views)

Re: Centralized authentication with LDAP - failing

Converted the system to untrusted mode and enabled long usernames and now the authentication from LDAP is working.

 

Thanks!

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.