Re: Unable to make postgres + pam_ldap to work against LDAP server using ldaps schema

From: Diogo Kiss <diogokiss(at)gmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Unable to make postgres + pam_ldap to work against LDAP server using ldaps schema
Date: 2016-03-22 20:48:17
Message-ID: CAN67siqckcEJsn9nw5hi7+X_RHPKZaxSZRavgtazNueF2cgt4A@mail.gmail.com

Anyone to help?

On Tue, Mar 22, 2016, 14:06 Diogo Kiss <diogokiss(at)gmail(dot)com> wrote:

>
> Hi,
>
> I am having trouble configuring Postgres to use PAM authentication + LDAP.
>
> I managed to successfully configure the pam_ldap.so module to
> * Authorize (account) *SSH* users from specific groups
> * Authenticate (auth) and authorize (account) users via *su*
>
> But, when I tried to use it to authenticate PostgreSQL against my LDAP
> server, I get a message saying nothing else than:
>
> $ psql -h localhost -U dki -d payment
>> Password for user dki:
>> psql: FATAL: PAM authentication failed for user "dki"
>> FATAL: PAM authentication failed for user "dki"
>
>
> Logs from /var/log/* and /var/log/postgres/* are the following
>
> 2016-03-22T11:02:34.155848+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:34.156137+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49030) : pam_ldap: reconnecting to LDAP server...
>> 2016-03-22T11:02:34.198306+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> [2016-03-22 11:02:34.198 UTC] 127.0.0.1 56f1264a.3357 payment LOG:
>> could not receive data from client: Connection reset by peer
>> [2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment LOG:
>> pam_authenticate failed: Authentication failure
>> [2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment FATAL:
>> PAM authentication failed for user "dki"
>> [2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment DETAIL:
>> Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
>> 2016-03-22T11:02:37.160995+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.161091+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49033) : pam_ldap: reconnecting to LDAP server...
>> 2016-03-22T11:02:37.194711+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.194952+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.195122+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49033) : pam_ldap: reconnecting to LDAP server...
>> 2016-03-22T11:02:37.228302+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> [2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment LOG:
>> pam_authenticate failed: Authentication failure
>> [2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment FATAL:
>> PAM authentication failed for user "dki"
>> [2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment DETAIL:
>> Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
>> 2016-03-22T11:02:37.266582+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.266682+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49037) : pam_ldap: reconnecting to LDAP server...
>> 2016-03-22T11:02:37.299936+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.300098+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>> 2016-03-22T11:02:37.300189+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49037) : pam_ldap: reconnecting to LDAP server...
>> [2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment LOG:
>> pam_authenticate failed: Authentication failure
>> [2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment FATAL:
>> PAM authentication failed for user "dki"
>> [2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment DETAIL:
>> Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
>> 2016-03-22T11:02:37.334239+00:00 base-i-vagranto.vagrant.test.ts.sv
>> 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
>
>
> Without the reason that pam_ldap can't contact the LDAP server, I can't
> fix it. =(
>
> My configuration files are as follows:
>
> */etc/nsswitch.conf:*
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> hosts: files myhostname dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> */etc/nslcd.conf:*
> uid nslcd
> gid nslcd
> uri ldaps://myserver.com:636
> base dc=mycompany,dc=com
> ssl on
> tls_reqcert demand
> tls_cacertfile /etc/mycompany/tls/mycompany_ca.cert
> tls_cert /etc/mycompany/tls/client.cert
> tls_key /etc/mycompany/tls/client.key
> filter shadow (objectClass=posixAccount)
> bind_timelimit 2
> timelimit 2
> reconnect_sleeptime 1
> reconnect_retrytime 1
>
> */etc/ldap.conf:*
> base dc=mycompany,dc=com
> uri ldaps://myserver.com:636
> ldap_version 3
> port 636
> timelimit 2 # in seconds
> bind_timelimit 2 # in seconds
> nss_base_passwd ou=People,dc=mycompany,dc=com
> nss_base_shadow ou=People,dc= mycompany,dc=com
> nss_base_group ou=Group,dc=mycompany,dc=com
> ssl on
> tls_checkpeer yes
> tls_cacert /etc/mycompany/tls/mycompany_ca.cert
> tls_cert /etc/mycompany/tls/client.cert
> tls_key /etc/mycompany/tls/client.key
> nss_reconnect_tries 1
> nss_reconnect_sleeptime 1 # in seconds
> nss_reconnect_maxsleeptime 1 # in seconds
> nss_reconnect_maxconntries 1
> nss_initgroups_ignoreusers
> backup,bin,bind,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,proxy,root,sshd,sync,sys,syslog,uucp,www-data,zabbix
>
> */etc/pam.d/postgresql:*
> auth sufficient pam_ldap.so try_first_pass ignore_authinfo_unavail
> auth requisite pam_deny.so
>
>
> *$ ls -lh /etc/ldap/ldap.conf*
> lrwxrwxrwx 1 root root 14 Mar 22 10:31 /etc/ldap/ldap.conf ->
> /etc/ldap.conf
>
>
> Can anyone help me out or point out how to increase debug information?
>
> According to: http://linux.die.net/man/5/pam_ldap
>
> *debug* This option is recognized by *pam_ldap* but is presently *ignored*.
>
> Thanks in advance,
>
> --
> Diogo Kiss
> E-mail : diogokiss(at)gmail(dot)com
> Tel.: +45 2834 1111
> GTalk: diogokiss(at)gmail(dot)com
> MSN: diogokiss(at)gmail(dot)com
> Y!: diogokiss
>
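
One check worth running against the configuration quoted above, added here as an example and not part of the original thread: su and SSH invoke pam_ldap as root, while PostgreSQL invokes it as its own unprivileged service account, so this script parses an ldap.conf-style file, reports any tls_* file that account cannot read (mode bits only), and attempts the LDAPS handshake with the configured client certificate. It assumes the server runs as the user `postgres` and reads `/etc/ldap.conf` as posted; ACLs, SELinux/AppArmor and nslcd are out of scope.

```python
"""Added diagnostic for the posted setup (not from the original thread): check
tls_* file readability for the postgres account and try the LDAPS handshake."""
import grp, os, pwd, socket, ssl, stat

def parse_ldap_conf(text):
    """Map 'key value  # comment' lines to {key: value}; keys lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def readable_by(path, uid, gids):
    """Mode-bit check (ignores ACLs): can a process with uid/gids read path?"""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if uid == 0:
        return True
    bit = (stat.S_IRUSR if st.st_uid == uid else
           stat.S_IRGRP if st.st_gid in gids else stat.S_IROTH)
    return bool(st.st_mode & bit)

def ldaps_handshake(uri, cafile, certfile=None, keyfile=None, timeout=5):
    """TLS-connect to an ldaps:// URI with the client cert; returns (ok, detail)."""
    host, _, port = uri.split("://", 1)[-1].partition(":")
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with socket.create_connection((host, int(port or 636)), timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as e:  # ssl.SSLError is an OSError subclass
        return False, str(e)

if __name__ == "__main__":
    conf = parse_ldap_conf(open("/etc/ldap.conf").read())
    pw = pwd.getpwnam("postgres")  # assumption: the server runs as 'postgres'
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if "postgres" in g.gr_mem}
    for k in ("tls_cacert", "tls_cacertfile", "tls_cert", "tls_key"):
        if k in conf and not readable_by(conf[k], pw.pw_uid, gids):
            print(f"{k} {conf[k]} is NOT readable by postgres")
    print("handshake:", ldaps_handshake(conf["uri"], conf.get("tls_cacert"),
                                        conf.get("tls_cert"), conf.get("tls_key")))
```

Run it as root with `sudo -u postgres` as well to compare; a file that only root can read shows up as unreadable in the second run, and a handshake failure's detail string names the TLS or connection error pam_ldap does not log.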
