[tac_plus] tac_plus with pam-ldap to AD implementation

Aaron Wasserott aaron.wasserott at viawest.com
Mon Mar 17 19:25:29 UTC 2014


Here are the 3 PAM/LDAP files we have running, if they help. I am not sure how the 3rd one is getting linked into the mix, but to get LDAPS working we had to put it in place. This is on a CentOS 6.5 box, and users authenticate against Active Directory.

### /etc/pam.d/tac_plus
#%PAM-1.0
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so config=/etc/ldap_tacacs.conf use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so


### /etc/ldap_tacacs.conf
URI ldaps:// [ server name ]

base OU=[ OU name ],dc=[ domain name ],dc=[ domain name suffix ]
binddn [ binding DN ]
bindpw [ binding password ]

pam_login_attribute sAMAccountName
ssl yes
timelimit 120
bind_timelimit 120
idle_timelimit 3600
tls_cacert /etc/openldap/certs/[ cert file ]
TLS_REQCERT never


### /etc/openldap/ldap.conf
URI ldaps:// [ server name ]

base OU=[ OU name ],dc=[ domain name ],dc=[ domain name suffix ]
binddn [ binding DN ]
bindpw [ binding password ]

pam_login_attribute sAMAccountName
ssl yes
timelimit 120
bind_timelimit 120
idle_timelimit 3600
tls_cacert /etc/openldap/certs/[ cert file ]
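As an added example (not code from this thread), a small Python audit that parses the /etc/pam.d/tac_plus stack and the pam_ldap config posted above and flags the settings a reviewer would question: `nullok` on pam_unix, local pam_unix placed `sufficient` ahead of pam_ldap (so a matching /etc/passwd entry is accepted and AD is never asked, the symptom Linda describes), and `TLS_REQCERT never`, which disables LDAPS certificate verification. The server name and cert path are made-up values standing in for the bracketed placeholders.

```python
import re
# Constructed copies of the two posted files, placeholders replaced with made-up values.
PAM_TAC_PLUS = """\
#%PAM-1.0
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so config=/etc/ldap_tacacs.conf use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
"""
LDAP_TACACS_CONF = """\
URI ldaps://dc1.example.internal
ssl yes
tls_cacert /etc/openldap/certs/ad-ca.pem
TLS_REQCERT never
"""

def parse_pam(text):
    """Return (type, control, module, args) per rule; control may be a [...] group."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ptype, control, module, args = re.match(
            r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line).groups()
        rows.append((ptype, control, module.rsplit("/", 1)[-1], args.split()))
    return rows

def parse_conf(text):
    """'key value' lines; pam_ldap treats keys case-insensitively."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def audit(pam_text, conf_text):
    """Flag settings in this stack that weaken or mask AD authentication."""
    findings = []
    auth = [r for r in parse_pam(pam_text) if r[0] == "auth"]
    mods = [r[2] for r in auth]
    if any(m == "pam_unix.so" and "nullok" in a for _, _, m, a in auth):
        findings.append("pam_unix nullok: local accounts with empty passwords pass auth")
    if {"pam_unix.so", "pam_ldap.so"} <= set(mods) and \
            mods.index("pam_unix.so") < mods.index("pam_ldap.so") and \
            auth[mods.index("pam_unix.so")][1] == "sufficient":
        findings.append("pam_unix sufficient before pam_ldap: a matching /etc/passwd entry wins, AD is never consulted")
    if parse_conf(conf_text).get("tls_reqcert", "").lower() == "never":
        findings.append("TLS_REQCERT never: the LDAPS server certificate is not verified")
    return findings
```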


-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Linda Slater
Sent: Monday, March 17, 2014 12:59 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] tac_plus with pam-ldap to AD implementation

Hi 

I have read and tried much of the information listed in the many postings, but I am still having an issue.

I am running on Ubuntu 12.04 LTS. I want my users to log into the Cisco router devices using their AD credentials. The server that TACplus is running on has been joined to the AD test domain. I have also confirmed that I can bind to the remote LDAP server. Note I have also tested this with krb5 (Kerberos) and that also works.

My tacacs.conf file for my tacplus user points to PAM (login = PAM). When my test user tries to log in to the Cisco router, the username and password that is accepted happens to be the username and password that is in the /etc/passwd file on the Ubuntu server rather than the AD username and password. How do I get PAM to communicate with the remote LDAP server? Note I have configured my ldap files per the posting by Adam.

I get the following error message:

pam_ldap: reconnecting to LDAP server...
pam_ldap: reconnecting to LDAP server (sleeping 1 seconds)...

Note: AD and LDAP server are functioning and respond when I use the ldapsearch command; Kerberos, kinit, klist, etc.

Regards
Lin

