
Topic: can't make openldap auth working purecore64 7.2

|eric| (WikiUser, Posts: 4)
can't make openldap auth working purecore64 7.2
« on: January 03, 2017, 12:37:02 AM »
Hi,
I'm trying to enable LDAP authentication both on SSH and console, but apparently busybox and the initrd configuration are preventing this from working. I tried encrypting the password as SHA and SSHA in JXplorer, to no avail. It looks like it's not even authenticating against LDAP; I tried both local and SSH (OpenSSH doesn't even support PAM in this build, apparently).

I tried this from the OpenLDAP server as well as from another node on the network, same issue (with older Tiny Core ... 6.3 x64 as well).


Here are a few config files.

/etc/nsswitch.conf:
Code:
passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns
networks:   files
rpc:        files
services:   files

/usr/local/ldap.conf
Code:
BASE    dc=ericsolutions, dc=info
scope sub
suffix          "dc=mydomain,dc=info"
## when you want to change user's password by root
rootbinddn cn=admin,dc=mydomain,dc=info
## *** replaced my real domain name with mydomain above ***
## these are needed when your ldap dies
timelimit 5
bind_timelimit 5
uri ldap://10.0.1.4/

pam_password <stripped this but i tried plain text no info on this>
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid


## NOTE: these base DNs (dc=cognifide,dc=pl) do not match the BASE/suffix
## above, so nss lookups would search a tree that does not exist on this server
nss_base_passwd ou=Computers,dc=cognifide,dc=pl
nss_base_passwd ou=People,dc=cognifide,dc=pl
nss_base_shadow ou=People,dc=cognifide,dc=pl
nss_base_group  ou=Group,dc=cognifide,dc=pl
nss_base_hosts  ou=Hosts,dc=cognifide,dc=pl

/usr/local/etc/pam.d/system-auth
Code:
#system-authentication
auth required pam_env.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok
auth required pam_deny.so

account sufficient pam_ldap.so
account required pam_unix.so

password sufficient pam_ldap.so
password sufficient pam_unix.so use_authtok nullok sha512
password required pam_deny.so

session  required   pam_limits.so
session required pam_unix.so
session optional pam_ldap.so

/usr/local/etc/ssh/sshd_config

I stripped all the comments for readability ;)

Code:

PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
#UsePAM yes   <<< this option is not valid here but was in the original config file
PAMAuthenticationViaKbdInt yes
Subsystem sftp /usr/local/lib/openssh/sftp-server


Sorry for the big post :-/

curaga (Administrator, Hero Member, Posts: 9612)
Re: can't make openldap auth working purecore64 7.2
« Reply #1 on: January 03, 2017, 12:40:42 AM »
Neither our busybox nor our ssh builds support PAM, as it would just be wasted size for most users. You'll likely need custom builds of those, and perhaps of other packages, to be able to log in via LDAP.
The only barriers that can stop you are the ones you create yourself.
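The point above is the first thing to verify before touching ldap.conf or pam.d: if the binary was built without PAM, the system-auth stack is never read, no matter how it is configured. The following check is an added example written for this thread, not code from the forum or from the Tiny Core project; the binary paths in the last comment are assumptions about a typical install.

```shell
#!/bin/sh
# Added example: report whether a binary can use PAM at all.
# A busybox or sshd built without PAM never opens /etc/pam.d, so a correct
# system-auth file with pam_ldap.so in it changes nothing.
#
# has_pam_support BINARY
#   0 = linked against (or embeds a reference to) libpam
#   1 = no trace of libpam
#   2 = file missing or unreadable
has_pam_support() {
    bin="$1"
    [ -r "$bin" ] || return 2
    # Dynamically linked build: ldd lists libpam.so among the dependencies.
    if command -v ldd >/dev/null 2>&1 && ldd "$bin" 2>/dev/null | grep -q 'libpam\.so'; then
        return 0
    fi
    # Static or stripped build: fall back to scanning the file itself for the
    # libpam soname or the pam_start() symbol name.
    grep -a -q -e 'libpam\.so' -e 'pam_start' "$bin" 2>/dev/null
}

# report_pam BINARY... : print one verdict per binary.
report_pam() {
    for b in "$@"; do
        if has_pam_support "$b"; then rc=0; else rc=$?; fi
        case $rc in
            0) echo "PAM ok  : $b" ;;
            2) echo "missing : $b" ;;
            *) echo "no PAM  : $b  (pam_ldap in system-auth will never be consulted)" ;;
        esac
    done
}

# Assumed paths for a Tiny Core install; adjust to where your sshd/busybox live.
# report_pam /usr/local/sbin/sshd /bin/busybox /bin/login
```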

|eric| (WikiUser, Posts: 4)
Re: can't make openldap auth working purecore64 7.2
« Reply #2 on: January 03, 2017, 12:49:29 AM »
Exactly what I was afraid of :-/

Darn ... gonna have to make my own distro ... gonna call it Bloated Core :P
Looks like Tiny Core is "almost" perfect for minimalistic servers ... it's odd that there is a pam tcz though; I would have thought that installing bash, coreutils and binutils would do the trick, but apparently not either :-(

hiro (Hero Member, Posts: 1073)
Re: can't make openldap auth working purecore64 7.2
« Reply #3 on: January 03, 2017, 01:41:48 AM »
You misunderstand: you don't need to make your own distribution to allow this.
You can just make suitable packages and submit them as an addition to the already existing packages, e.g. openssh-pam.tcz.
This way the user can choose whether he wants it.