Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 3:01 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Mon Jan 11, 2010 9:04 pm 
Offline

Joined: Fri Nov 13, 2009 6:35 pm
Posts: 5
I did a quick search and didn't see any existing topics I could post this in.

I'm using the PAM module along with Radius and LDAP to authenticate users on a VPN. Radius is configured to use the Linux PAM system.

The Radius PAM entry is configured to use two factor authentication (unix_password + otp). This is done by using the yubico PAM to authenticate the OTP, then passing the remainder of the password to common-auth which checks with LDAP. The username/yubikeyid mapping is done with an authfile.

This all works just fine.

I ran into trouble when I tried to move the mapping into LDAP. Upon specifying the required parameters (ldapserver, ldapdn, user_attr, yubi_attr) the authentication failed and my log file contained the following:
Code:
[pam_yubico.c:pam_sm_authenticate(541)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token_ldap(255)] ldap-dn: cn=mytest,ou=people,dc=pwturbolink,dc=com
[pam_yubico.c:authorize_user_token_ldap(256)] ldap-filter: (yubikeyid=*)
[pam_yubico.c:authorize_user_token_ldap(262)] ldap_search_ext_s: No such object
[pam_yubico.c:pam_sm_authenticate(568)] Yubikey not authorized to login as user
[pam_yubico.c:pam_sm_authenticate(583)] done. [Authentication service cannot retrieve authentication info]


The ldap_search_ext_s: No such object error indicates that it authenticated and performed a search just fine and came back with nothing. Upong inserting the same search criteria into a python script I wrote for testing, I received the same results.

I began to play around and noticed that if I used the following criteria, I was able to retrieve the necessary data:

Code:
baseDN = "ou=people,dc=pwturbolink,dc=com"
searchFilter = "(&(cn=mytest)(yubikeyid=*))"


I rewrote the authorize_user_token_ldap to reflect these changes and did not receive an error from ldap_search_ext_s. I was about to rewrite the code the parses that results when I realized this probably isn't the way to go.

Does anybody else have the mapping stored in LDAP working "out of the box"? Have I mis-configured LDAP somehow?


EDIT: I almost forgot. My very first attempt yielded a "Protocol Error" from ldap_simple_bind_s. I had to add the following lines to move past it:
Code:
int ldap_version = LDAP_VERSION3;

<after the call to ldap_init>

ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);



Last edited by dave_marsh_pw on Mon Jan 11, 2010 9:27 pm, edited 2 times in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Jan 11, 2010 9:06 pm 
Offline

Joined: Fri Nov 13, 2009 6:35 pm
Posts: 5
Server Information that is typically requested:

1) OS: Ubuntu 9.10
2) Yubico PAM Version: 2.2
3) LDAP: 2.4.18
4) /etc/pam.d/RADIUSD
Code:
auth required /lib/security/pam_yubico.so id=1 key=eraser debug url=http://localhost/yubico/val/verify?id=%d&otp=%s ldapserver=127.0.0.1 ldapdn=ou=people,dc=pwturbolink,dc=com user_attr=cn yubi_attr=yubikeyid
       
@include common-auth
@include common-account
@include common-password
@include common-session


5) Installed my own validation server


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group