Yubico Forum ...visit our web-store at 2010-01-11T21:27:44+01:00 https://forum.yubico.com/feed.php?f=5&t=455 2010-01-11T21:06:36+01:00 2010-01-11T21:06:36+01:00 https://forum.yubico.com/viewtopic.php?t=455&p=1956#p1956 <![CDATA[Re: PAM user/yubikey mapping in LDAP]]>
1) OS: Ubuntu 9.10
2) Yubico PAM Version: 2.2
3) LDAP: 2.4.18
4) /etc/pam.d/RADIUSD
Code:
auth required /lib/security/pam_yubico.so id=1 key=eraser debug url=http://localhost/yubico/val/verify?id=%d&otp=%s ldapserver=127.0.0.1 ldapdn=ou=people,dc=pwturbolink,dc=com user_attr=cn yubi_attr=yubikeyid
       
@include common-auth
@include common-account
@include common-password
@include common-session


5) Installed my own validation server

Statistics: Posted by dave_marsh_pw — Mon Jan 11, 2010 9:06 pm

]]> 2010-01-11T21:27:44+01:00 2010-01-11T21:04:15+01:00 https://forum.yubico.com/viewtopic.php?t=455&p=1954#p1954 <![CDATA[PAM user/yubikey mapping in LDAP]]>
I'm using the PAM module along with Radius and LDAP to authenticate users on a VPN. Radius is configured to use the Linux PAM system.

The Radius PAM entry is configured to use two factor authentication (unix_password + otp). This is done by using the yubico PAM to authenticate the OTP, then passing the remainder of the password to common-auth which checks with LDAP. The username/yubikeyid mapping is done with an authfile.

This all works just fine.

I ran into trouble when I tried to move the mapping into LDAP. Upon specifying the required parameters (ldapserver, ldapdn, user_attr, yubi_attr) the authentication failed and my log file contained the following:
Code:
[pam_yubico.c:pam_sm_authenticate(541)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token_ldap(255)] ldap-dn: cn=mytest,ou=people,dc=pwturbolink,dc=com
[pam_yubico.c:authorize_user_token_ldap(256)] ldap-filter: (yubikeyid=*)
[pam_yubico.c:authorize_user_token_ldap(262)] ldap_search_ext_s: No such object
[pam_yubico.c:pam_sm_authenticate(568)] Yubikey not authorized to login as user
[pam_yubico.c:pam_sm_authenticate(583)] done. [Authentication service cannot retrieve authentication info]


The ldap_search_ext_s: No such object error indicates that it authenticated and performed a search just fine and came back with nothing. Upong inserting the same search criteria into a python script I wrote for testing, I received the same results.

I began to play around and noticed that if I used the following criteria, I was able to retrieve the necessary data:

Code:
baseDN = "ou=people,dc=pwturbolink,dc=com"
searchFilter = "(&(cn=mytest)(yubikeyid=*))"


I rewrote the authorize_user_token_ldap to reflect these changes and did not receive an error from ldap_search_ext_s. I was about to rewrite the code the parses that results when I realized this probably isn't the way to go.

Does anybody else have the mapping stored in LDAP working "out of the box"? Have I mis-configured LDAP somehow?


EDIT: I almost forgot. My very first attempt yielded a "Protocol Error" from ldap_simple_bind_s. I had to add the following lines to move past it:
Code:
int ldap_version = LDAP_VERSION3;

<after the call to ldap_init>

ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);

Statistics: Posted by dave_marsh_pw — Mon Jan 11, 2010 9:04 pm

]]>