Yubico Forum https://forum.yubico.com/

PAM user/yubikey mapping in LDAP https://forum.yubico.com/viewtopic.php?f=5&t=455

Author: dave_marsh_pw [ Mon Jan 11, 2010 9:04 pm ]
Post subject: PAM user/yubikey mapping in LDAP
I did a quick search and didn't see any existing topics I could post this in. I'm using the PAM module along with Radius and LDAP to authenticate users on a VPN. Radius is configured to use the Linux PAM system. The Radius PAM entry is configured to use two-factor authentication (unix_password + otp). This is done by using the yubico PAM to authenticate the OTP, then passing the remainder of the password to common-auth which checks with LDAP. The username/yubikeyid mapping is done with an authfile. This all works just fine.

I ran into trouble when I tried to move the mapping into LDAP. Upon specifying the required parameters (ldapserver, ldapdn, user_attr, yubi_attr) the authentication failed and my log file contained the following:

Code:
[pam_yubico.c:pam_sm_authenticate(541)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token_ldap(255)] ldap-dn: cn=mytest,ou=people,dc=pwturbolink,dc=com
[pam_yubico.c:authorize_user_token_ldap(256)] ldap-filter: (yubikeyid=*)
[pam_yubico.c:authorize_user_token_ldap(262)] ldap_search_ext_s: No such object
[pam_yubico.c:pam_sm_authenticate(568)] Yubikey not authorized to login as user
[pam_yubico.c:pam_sm_authenticate(583)] done. [Authentication service cannot retrieve authentication info]

The ldap_search_ext_s: No such object error indicates that it authenticated and performed a search just fine and came back with nothing. Upon inserting the same search criteria into a python script I wrote for testing, I received the same results. I began to play around and noticed that if I used the following criteria, I was able to retrieve the necessary data:

Code:
baseDN = "ou=people,dc=pwturbolink,dc=com"
searchFilter = "(&(cn=mytest)(yubikeyid=*))"

I rewrote the authorize_user_token_ldap to reflect these changes and did not receive an error from ldap_search_ext_s. I was about to rewrite the code that parses the results when I realized this probably isn't the way to go.

Does anybody else have the mapping stored in LDAP working "out of the box"? Have I mis-configured LDAP somehow?

EDIT: I almost forgot. My very first attempt yielded a "Protocol Error" from ldap_simple_bind_s. I had to add the following lines to move past it:

Code:
int ldap_version = LDAP_VERSION3;
<after the call to ldap_init>
ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
Author: dave_marsh_pw [ Mon Jan 11, 2010 9:06 pm ]
Post subject: Re: PAM user/yubikey mapping in LDAP

Server Information that is typically requested:

1) OS: Ubuntu 9.10
2) Yubico PAM Version: 2.2
3) LDAP: 2.4.18
4) /etc/pam.d/RADIUSD
Code:
auth required /lib/security/pam_yubico.so id=1 key=eraser debug url=http://localhost/yubico/val/verify?id=%d&otp=%s ldapserver=127.0.0.1 ldapdn=ou=people,dc=pwturbolink,dc=com user_attr=cn yubi_attr=yubikeyid
@include common-auth
@include common-account
@include common-password
@include common-session
5) Installed my own validation server
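The two lookups discussed in the thread, reproduced offline as an added illustration (this is not code from the thread or from pam_yubico). The module's log shows a base-scope search at ldap-dn cn=mytest,ou=people,dc=pwturbolink,dc=com with filter (yubikeyid=*); the poster's working variant searches under ou=people,dc=pwturbolink,dc=com with (&(cn=mytest)(yubikeyid=*)). In LDAP, "No such object" is result code 32 (noSuchObject) and is returned when the search base DN itself does not exist; a base that exists but matches nothing returns success with zero entries. The script below runs both strategies against a constructed in-memory directory (assumed: the user entry's RDN is uid=mytest rather than cn=mytest, which is one way the symptom can arise) and then checks the OTP's public ID against the returned yubikeyid values; the 12-character public ID length is assumed to match pam_yubico's default. Function names and the tiny filter evaluator are hypothetical helpers, not pam_yubico's API.

```python
"""Reproduce the LDAP user/yubikey mapping lookups from the thread against an
in-memory directory, distinguishing LDAP noSuchObject (32) from a successful
search that simply returns no entries. Added example, not project code."""
import re

LDAP_SUCCESS = 0
LDAP_NO_SUCH_OBJECT = 32  # "No such object": the search *base* DN is missing

# Constructed sample directory (assumption: entries are keyed by uid, not cn,
# so "cn=mytest,ou=people,..." is not a DN even though cn=mytest is present).
DIRECTORY = {
    "ou=people,dc=pwturbolink,dc=com": {"ou": ["people"]},
    "uid=mytest,ou=people,dc=pwturbolink,dc=com": {
        "uid": ["mytest"], "cn": ["mytest"], "yubikeyid": ["cccccccccccb"]},
    "uid=other,ou=people,dc=pwturbolink,dc=com": {
        "uid": ["other"], "cn": ["other"]},
}


def _normalize(dn):
    """Case- and whitespace-insensitive DN comparison key."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def _match(filt, attrs):
    """Evaluate the two filter shapes seen in the thread:
    a presence test (attr=*) and a conjunction (&(a=v)(b=*))."""
    if filt.startswith("(&") and filt.endswith(")"):
        subs = re.findall(r"\([^()]*\)", filt[2:-1])
        return bool(subs) and all(_match(s, attrs) for s in subs)
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if m is None:
        return False
    attr, value = m.group(1).lower(), m.group(2)
    values = attrs.get(attr, [])
    return bool(values) if value == "*" else value in values


def ldap_search(base, scope, filt):
    """Mimic ldap_search_ext_s: return (result_code, [(dn, attrs), ...])."""
    base_n = _normalize(base)
    if base_n not in {_normalize(d) for d in DIRECTORY}:
        return LDAP_NO_SUCH_OBJECT, []      # base DN does not exist
    hits = []
    for dn, attrs in DIRECTORY.items():
        dn_n = _normalize(dn)
        in_scope = dn_n == base_n if scope == "base" else dn_n.endswith(base_n)
        if in_scope and _match(filt, attrs):
            hits.append((dn, attrs))
    return LDAP_SUCCESS, hits              # success, possibly zero entries


def token_public_id(otp, id_len=12):
    """Public identity of a YubiKey OTP: the modhex prefix before the 32-char
    ciphertext. id_len=12 is assumed to be pam_yubico's default; None on
    malformed input (wrong length or non-modhex characters)."""
    otp = otp.strip().lower()
    if len(otp) != id_len + 32 or not re.fullmatch(r"[cbdefghijklnrtuv]+", otp):
        return None
    return otp[:id_len]


def _authorized(hits, yubi_attr, otp):
    """Authorize only if the OTP's public ID is listed on a returned entry."""
    pid = token_public_id(otp)
    return pid is not None and any(pid in a.get(yubi_attr, []) for _, a in hits)


def authorize_module_style(username, otp, ldapdn, user_attr, yubi_attr):
    """Lookup as the thread's log shows it: base = user_attr=username,ldapdn,
    scope base, filter (yubi_attr=*). Returns (ldap_result_code, authorized)."""
    dn = f"{user_attr}={username},{ldapdn}"
    rc, hits = ldap_search(dn, "base", f"({yubi_attr}=*)")
    return rc, _authorized(hits, yubi_attr, otp)


def authorize_filter_style(username, otp, ldapdn, user_attr, yubi_attr):
    """The poster's working variant: base = ldapdn, subtree scope,
    filter (&(user_attr=username)(yubi_attr=*))."""
    filt = f"(&({user_attr}={username})({yubi_attr}=*))"
    rc, hits = ldap_search(ldapdn, "subtree", filt)
    return rc, _authorized(hits, yubi_attr, otp)


if __name__ == "__main__":
    ldapdn = "ou=people,dc=pwturbolink,dc=com"
    otp = "cccccccccccb" + "c" * 32  # constructed OTP for public id cccccccccccb
    print("module-style  :", authorize_module_style("mytest", otp, ldapdn, "cn", "yubikeyid"))
    print("filter-style  :", authorize_filter_style("mytest", otp, ldapdn, "cn", "yubikeyid"))
    print("module, uid   :", authorize_module_style("mytest", otp, ldapdn, "uid", "yubikeyid"))
```

Running it prints (32, False) for the module-style lookup with user_attr=cn, (0, True) for the filter-style lookup, and (0, True) for the module-style lookup once user_attr names the attribute actually used in the entry's RDN. When debugging a real deployment, checking whether the failure is result code 32 or an empty result set tells you whether the constructed DN is wrong or the entry merely lacks the mapping attribute; a subtree filter variant should additionally be checked to match exactly one entry before its attribute values are trusted.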