Il semblerait que mon serveur ssh veuille bien se connecter au server ldap mais j'ai un probleme :
root@serv:~# ssh VivekVats@monIP
VivekVats@monIP's password:
Your account has expired; please contact your system administrator
Connection closed by monIP
et dans /var/log/auth.log :
Jul 23 10:50:06 localhost sshd[1506]: pam_unix(sshd:account): account VivekVats has expired (account expired)
Jul 23 10:50:06 localhost sshd[1506]: Failed password for VivekVats from monIP port 54504 ssh2
Hum, quand je suis log sur mon serveur ldap via ssh :
####
monsite@dev:~$ ldapsearch *
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
###
Voici le slapd.conf :
#######
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel none
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend
#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database hdb
# The base of your directory in database #1
suffix "dc=ldap,dc=mon-site,dc=com"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=dtsl,dc=ldap,dc=mon-site,dc=com"
rootpw {SSHA}oO8qGdP66+KCGdKWq3ukZrn8zUkDX0z7
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override existing an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=dtsl,dc=ldap,dc=mon-site,dc=com" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=dtsl,dc=ldap,dc=mon-site,dc=com" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=dtsl,dc=ldap,dc=mon-site,dc=com" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be hdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
############
Même erreur quand je change l'ordre ...
Je pense que ça vient du fichier de connection au serveur ldap...
Voici mon fichier ldap.conf :
###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##
#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
# The distinguished name of the search base.
base dc=ldap,dc=mon-site,dc=com
# Another way to specify your LDAP server is to provide an
uri ldap://ldap.mon-site.com
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=dtsl,dc=ldap,dc=mon-site,dc=com
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind/connect timelimit
#bind_timelimit 30
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=employees,dc=ldap,dc=mon-site,dc=com
nss_base_shadow ou=employees,dc=ldap,dc=mon-site,dc=com
nss_base_group ou=groups,dc=ldap,dc=mon-site,dc=com
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
nss_initgroups_ignoreusers Debian-exim,amavis,avahi,avahi-autoipd,backup,bin,bind,clamav,daemon,dkimproxy,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,pulse,root,saned,sshd,sync,sys,syslog,uucp,www-data
###############""
J'ai réussi à revenir en arrière pour que mes users locaux puissent se connecter..
J'aimerais surtout savoir si dans la procédure du tuto, il manque certaine choses ou alors si elles sont incomplètes !
Si je pouvais aussi connaitre quelques actions pour tenter de débugger (des logs à retrouver, des tests à lancer....?)
C'est une très bonne idée, je vais faire comme ça aussi ...
Donc je peux mettre tout mes users ldap dans un seul GID, c'est aussi bien ?
Par contre, pour les UID, je sais pas comment en avoir un différent à chaque fois .. J'ai pas envie de devoir aller chercher le dernier UID rentré pour savoir lequel je dois mettre ...
Hum, en fait pour l'uid, c'est moi qui perdais la boule ...
Je mélangeais avec le GID ! Est il indispensable ? Si oui, je pense que je peux tout le temps mettre 50 non ? Vu que c'est le groupe d'users par défaut ?
LUMA ne fonctionne qu'à moitié ici ... Quand je créé un groupe, je ne le retrouve pas dans ma liste de groupe ! (et impossible de créer des Organizational Unit...)
Par contre, avec phpldapadmin ca marche pas trop mal... Le seul problème, c'est qu'avec un posixGroup, je peux spécifier un UID... Est ce indispensable dans mon cas, si je n'en spécifie pas, j'ai peur que ça créé un peu le bazar non ?
Mais justement, je ne veux pas que mes users aient leur propre /home/user ...
En fait, j'aimerais juste que je puisse vérifier qui se connecte, mais qu'il n'aient pas de /home et qu'après, ils puissent se connecter en root si besoin est !
Mais du coup, je me dis que ca va être compliqué ....
Par contre, il serait possible d'avoir un compte "invité" sur chaque serveur et que quand un employé se connecte, il soit sur ce compte ... ?
Effectivement, la ligne ssh ne semble pas fonctionner ...
L'option pw ne semble pas exister malgrès qu'il me semble l'avoir vu quelque part sur le net...
En fait, je ne veux transférer que certains dossiers/fichiers qui sont stockés dans un fichier ($BACK_FILE est le chemin du fichier)
Peut être il y a t'il un autre moyen plutôt que d'utiliser rsync ou peut être que je l'utilise mal et qu'il faut repartir de 0 ? :(
C'est ce que j'ai dit, je ne peux malheureusement pas utiliser les clés ssh ! J'ai bien vu partout sur internet que ca serait 10 000 fois plus facile, malheureusement, c'est impossible pour moi...
# Il semble se connecter...
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
root@serv:~# ssh VivekVats@monIP
VivekVats@monIP's password:
Your account has expired; please contact your system administrator
Connection closed by monIP
et dans /var/log/auth.log :
Jul 23 10:50:06 localhost sshd[1506]: pam_unix(sshd:account): account VivekVats has expired (account expired)
Jul 23 10:50:06 localhost sshd[1506]: Failed password for VivekVats from monIP port 54504 ssh2
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
L'entrée VivekVats a bien un champ userPassword mais ici ce n'est pas vraiment à ceci que l'on s'intérésse car c'est dans la partie clients.
Je voudrais pour l'instant m'intérésser à la partie employees.
Où dois je effectuer les getent et que dois je avoir en retour ?
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
ldapsearch -u "monsite" -x -h localhost -b "dc=ldap,dc=mon-site,dc=com" "objectclass=*"
Ne me sort rien de plus ... :(
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
Peut être faut il noter que j'utilise monsite comme login pour me connecter via phpldapadmin et non admin...?
root@dev:/home/monsite# ldapsearch -x -h localhost -b "dc=ldap,dc=mon_site,dc=com" "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=mon_site,dc=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#
# ldap.mon_site.com
dn: dc=ldap,dc=mon_site,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: monsite
dc: ldap
businessCategory: mail
# admin, ldap.mon_site.com
dn: cn=admin,dc=ldap,dc=mon_site,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# groups, ldap.mon_site.com
dn: ou=groups,dc=ldap,dc=mon_site,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
# clients, ldap.mon_site.com
dn: ou=clients,dc=ldap,dc=mon_site,dc=com
objectClass: organizationalUnit
objectClass: top
ou: clients
# employees, ldap.mon_site.com
dn: ou=employees,dc=ldap,dc=mon_site,dc=com
objectClass: organizationalUnit
objectClass: top
ou: employees
# admin, ldap.mon_site.com
dn: ou=admin,dc=ldap,dc=mon_site,dc=com
objectClass: organizationalUnit
objectClass: top
ou: admin
# VivekVats, clients, ldap.mon_site.com
dn: uid=VivekVats,ou=clients,dc=ldap,dc=mon_site,dc=com
uid: VivekVats
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
uidNumber: 1024
gidNumber: 1
gecos: Vivek Vats
sn: VivekVats
homeDirectory: /home
mail: vivek.vats@silverlineit.com
shadowExpire: 10957
cn: Vivek Vats
# serverSSH1, groups, ldap.mon_site.com
dn: cn=serverSSH1,ou=groups,dc=ldap,dc=mon_site,dc=com
cn: serverSSH1
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=VivekVats,ou=clients,dc=ldap,dc=mon_site,dc=com
uniqueMember: cn=AnkurAgarwal,ou=employees,dc=ldap,dc=mon_site,dc=com
# AnkurAgarwal, employees, ldap.mon_site.com
dn: cn=AnkurAgarwal,ou=employees,dc=ldap,dc=mon_site,dc=com
cn: AnkurAgarwal
gidNumber: 100
objectClass: posixGroup
objectClass: top
# TomDubin, employees, ldap.mon_site.com
dn: cn=TomDubin,ou=employees,dc=ldap,dc=mon_site,dc=com
cn: TomDubin
gidNumber: 50
objectClass: posixGroup
objectClass: top
# KapilKumar, employees, ldap.mon_site.com
dn: cn=KapilKumar,ou=employees,dc=ldap,dc=mon_site,dc=com
cn: KapilKumar
gidNumber: 10000
memberUid: KapilKumar
objectClass: posixGroup
objectClass: top
# serverSSH2, groups, ldap.mon_site.com
dn: cn=serverSSH2,ou=groups,dc=ldap,dc=mon_site,dc=com
cn: serverSSH2
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=AnkurAgarwal,ou=employees,dc=ldap,dc=mon_site,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 13
# numEntries: 12
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
root@dev:/home/monsite# ldapsearch -h localhost -b "dc=ldap,dc=mon-site,dc=com" "objectclass=*"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
####
monsite@dev:~$ ldapsearch *
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
###
Voici le slapd.conf :
#######
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel none
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend
#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database hdb
# The base of your directory in database #1
suffix "dc=ldap,dc=mon-site,dc=com"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=dtsl,dc=ldap,dc=mon-site,dc=com"
rootpw {SSHA}oO8qGdP66+KCGdKWq3ukZrn8zUkDX0z7
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override existing an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=dtsl,dc=ldap,dc=mon-site,dc=com" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=dtsl,dc=ldap,dc=mon-site,dc=com" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=dtsl,dc=ldap,dc=mon-site,dc=com" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be hdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
############
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
Tu veux le schéma de l'annuaire ?
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
Je pense que ça vient du fichier de connection au serveur ldap...
Voici mon fichier ldap.conf :
###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##
#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
# The distinguished name of the search base.
base dc=ldap,dc=mon-site,dc=com
# Another way to specify your LDAP server is to provide an
uri ldap://ldap.mon-site.com
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=dtsl,dc=ldap,dc=mon-site,dc=com
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind/connect timelimit
#bind_timelimit 30
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=employees,dc=ldap,dc=mon-site,dc=com
nss_base_shadow ou=employees,dc=ldap,dc=mon-site,dc=com
nss_base_group ou=groups,dc=ldap,dc=mon-site,dc=com
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
nss_initgroups_ignoreusers Debian-exim,amavis,avahi,avahi-autoipd,backup,bin,bind,clamav,daemon,dkimproxy,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,pulse,root,saned,sshd,sync,sys,syslog,uucp,www-data
###############""
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
###########
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_ldap.so
password required pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
###########
/!\ NeoX : l'option c'est bien use_first_password et pas user_first_password ;-)
Par contre, il ne va rien chercher sur mon serveur ldap... Je ne sais pas comment le lui dire !
voici mon /etc/nsswitch.conf :
##########
passwd: files ldap
group: files ldap
shadow: files ldap
###########
P.S. : j'arrive pas à formater mon code pour que ça soit plus propre dans les posts, c'est possible ?
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
Voilà ce que j'ai :
Jul 21 17:08:53 localhost sshd[3037]: Invalid user AnkurAgarwal from 91.121.23.66
Jul 21 17:08:53 localhost sshd[3037]: Failed none for invalid user AnkurAgarwal from 91.121.23.66 port 56280 ssh2
Jul 21 17:09:05 localhost sshd[3037]: pam_unix(sshd:auth): check pass; user unknown
Jul 21 17:09:05 localhost sshd[3037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns39520.ovh.net
Jul 21 17:09:08 localhost sshd[3037]: Failed password for invalid user AnkurAgarwal from 91.121.23.66 port 56280 ssh2
J'en conclu donc aisément, qu'il ne va même pas chercher mon annuaire n'est ce pas ?
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
Par contre, j'ai beau regarder à peu près tout les logs, aucune trace de mes tentatives de connexions ... :x
[^] # Re: peut-etre qu'avec les extraits de tes fichiers de configuration...
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
dans /etc/ssh/sshd_config
2) OK
3) Je joue où exactement ? :)
4) J'ai mis tout les GID de mes users à 10000 et mes UID sont sous la forme "MartinMichel" ou "JacquesFrancois".
[^] # Re: Que donnent les logs SSH ?
Posté par Arkezis (site web personnel) . En réponse au message SSH + LDAP : aucune connection acceptée. Évalué à 1.
J'aimerais surtout savoir si dans la procédure du tuto, il manque certaine choses ou alors si elles sont incomplètes !
Si je pouvais aussi connaitre quelques actions pour tenter de débugger (des logs à retrouver, des tests à lancer....?)
[^] # Re: allowGroup/sshd
Posté par Arkezis (site web personnel) . En réponse au message [LDAP] Conception annuaire d'entreprise. Évalué à 1.
Donc je peux mettre tout mes users ldap dans un seul GID, c'est aussi bien ?
Par contre, pour les UID, je sais pas comment en avoir un différent à chaque fois .. J'ai pas envie de devoir aller chercher le dernier UID rentré pour savoir lequel je dois mettre ...
Un UID est forcément un int ?
(voir le lien : http://www.nabble.com/LDAP-membership-represented-by-memberU(...) )
[^] # Re: allowGroup/sshd
Posté par Arkezis (site web personnel) . En réponse au message [LDAP] Conception annuaire d'entreprise. Évalué à 1.
Je mélangeais avec le GID ! Est il indispensable ? Si oui, je pense que je peux tout le temps mettre 50 non ? Vu que c'est le groupe d'users par défaut ?
[^] # Re: allowGroup/sshd
Posté par Arkezis (site web personnel) . En réponse au message [LDAP] Conception annuaire d'entreprise. Évalué à 1.
[^] # Re: allowGroup/sshd
Posté par Arkezis (site web personnel) . En réponse au message [LDAP] Conception annuaire d'entreprise. Évalué à 1.
Par contre, avec phpldapadmin ca marche pas trop mal... Le seul problème, c'est qu'avec un posixGroup, je peux spécifier un UID... Est ce indispensable dans mon cas, si je n'en spécifie pas, j'ai peur que ça créé un peu le bazar non ?
[^] # Re: allowGroup/sshd
Posté par Arkezis (site web personnel) . En réponse au message [LDAP] Conception annuaire d'entreprise. Évalué à 1.
Il faut que j'ajoute des attributs ?
(pour info, j'utilise phpldapadmin)
[^] # Re: allowGroup/sshd
Posté par Arkezis (site web personnel) . En réponse au message [LDAP] Conception annuaire d'entreprise. Évalué à 1.
Mais comment cela se modélisera t'il pour attacher un utilisateur à un groupe ? (je sais pas si je me fais bien comprendre >_< )
[^] # Re: allowGroup/sshd
Posté par Arkezis (site web personnel) . En réponse au message [LDAP] Conception annuaire d'entreprise. Évalué à 1.
Mais j'étais plus embêté quand à l'implémentation de ces groupes dans ldap...
Une piste peut être ? ;-)
[^] # Re: pourquoi pas
Posté par Arkezis (site web personnel) . En réponse au message [LDAP] Conception annuaire d'entreprise. Évalué à 1.
En fait, j'aimerais juste que je puisse vérifier qui se connecte, mais qu'il n'aient pas de /home et qu'après, ils puissent se connecter en root si besoin est !
Mais du coup, je me dis que ca va être compliqué ....
Par contre, il serait possible d'avoir un compte "invité" sur chaque serveur et que quand un employé se connecte, il soit sur ce compte ... ?
[^] # Re: Simplifie
Posté par Arkezis (site web personnel) . En réponse au message Rsync sur un serveur distant (avec mot de passe en clair). Évalué à 1.
Ca marche chez moi, merci beaucoup :)
[^] # Re: Simplifie
Posté par Arkezis (site web personnel) . En réponse au message Rsync sur un serveur distant (avec mot de passe en clair). Évalué à 1.
L'option pw ne semble pas exister malgrès qu'il me semble l'avoir vu quelque part sur le net...
En fait, je ne veux transférer que certains dossiers/fichiers qui sont stockés dans un fichier ($BACK_FILE est le chemin du fichier)
Peut être il y a t'il un autre moyen plutôt que d'utiliser rsync ou peut être que je l'utilise mal et qu'il faut repartir de 0 ? :(
[^] # Re: Rsync sur un serveur distant (avec mot de passe en clair)
Posté par Arkezis (site web personnel) . En réponse au message Rsync sur un serveur distant (avec mot de passe en clair). Évalué à 1.
C'est ce que j'ai dit, je ne peux malheureusement pas utiliser les clés ssh ! J'ai bien vu partout sur internet que ca serait 10 000 fois plus facile, malheureusement, c'est impossible pour moi...
Une autre solution ? =D