[Fedora-directory-users] Problem with solaris & FDS authentication

Tay, Gary Gary_Tay at platts.com
Wed Aug 31 16:15:22 UTC 2005


==
well, I decided to turn off the nscd completely, while I'm testing.
==
GT: Please run nscd; without it the LDAP name service may not work. After running nscd, check whether "id testdba" shows the expected result. You may add the "debug" keyword to all lines in /etc/pam.conf to observe all possible /var/adm/messages entries for "sshd" processing.
 
GT: You also need to zero in on the FDS access and error log files for useful clues; show us some of the access log details if possible.
 
===
I have them in the ldap.client.file but the default profile looks like this:

# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one

Am I missing anything? I don't have serviceSearchDescriptor but I think it should chain ou=People+defaultSearchBase, right?
===
GT: Use the Fedora Management Console to add the three SSDs to the "default" profile: just right-click it, edit its properties, and add/edit attributes. The bindTimeLimit of 2 seconds is too low; you may want to raise it to 10 seconds.
 
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com?one
bindTimeLimit: 10
 
GT: Make sure that, on top of DNS, you have 149.85.70.17 and the LDAP server hostname in `hostname`.`domainname` format in /etc/hosts. There should be a "hosts: files dns" line in /etc/nsswitch.conf; it should not be "hosts: ldap".

===
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
LDAP Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Password:

And notice it's asking me for a separate ldap password.  What's up with that?
===
GT: IIRC "Password:" is the prompt of the pam_unix_xxxx.so.1 auth module and "LDAP Password:" is the prompt of the pam_ldap.so.1 auth module; when the first pass failed, the second pass continued.
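As an added example (not code from this thread or from Fedora Directory Server), the profile and nsswitch checks discussed above can be scripted: a POSIX shell audit that reads a DUAConfigProfile LDIF, reports missing serviceSearchDescriptor entries for passwd, group and shadow, flags a bindTimeLimit below 10 seconds, and verifies that the nsswitch.conf hosts line uses files/dns rather than ldap. The first sample profile is the one quoted in the thread; the corrected profile, the nsswitch.conf samples and all file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora Directory Server.
# Audits a Solaris DUAConfigProfile LDIF for the points raised in the reply:
#   - serviceSearchDescriptor entries for passwd, group and shadow
#   - bindTimeLimit of at least 10 seconds
# and checks that nsswitch.conf resolves hosts via files/dns, not ldap.
# All paths and sample files below are constructed for the example.

TMP=${TMPDIR:-/tmp}
BAD_PROFILE=$TMP/dua_profile_as_posted.$$.ldif
GOOD_PROFILE=$TMP/dua_profile_fixed.$$.ldif
NSS_OK=$TMP/nsswitch_ok.$$.conf
NSS_BAD=$TMP/nsswitch_bad.$$.conf

# The profile as quoted in the thread: no SSDs, bindTimeLimit of 2 seconds.
cat > "$BAD_PROFILE" <<'EOF'
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
bindTimeLimit: 2
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
EOF

# The same profile with the three SSDs and bindTimeLimit 10 (constructed).
{
    sed '/^bindTimeLimit:/d' "$BAD_PROFILE"
    printf '%s\n' \
        'serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com?one' \
        'serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com?one' \
        'serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com?one' \
        'bindTimeLimit: 10'
} > "$GOOD_PROFILE"

# Constructed nsswitch.conf fragments: one acceptable, one using ldap for hosts.
printf 'hosts: files dns\npasswd: files ldap\n' > "$NSS_OK"
printf 'hosts: ldap\npasswd: files ldap\n' > "$NSS_BAD"

# Succeed if profile $1 carries a serviceSearchDescriptor for service $2.
has_ssd() {
    grep -q "^serviceSearchDescriptor: *$2:" "$1"
}

# Print the bindTimeLimit of profile $1 (empty when the attribute is absent).
bind_time_limit() {
    awk -F': *' '/^bindTimeLimit:/ { print $2 }' "$1"
}

# Report each finding on stderr, print the count on stdout, fail if any.
audit_profile() {
    profile=$1
    findings=0
    for svc in passwd group shadow; do
        if ! has_ssd "$profile" "$svc"; then
            echo "$profile: no serviceSearchDescriptor for $svc" >&2
            findings=$((findings + 1))
        fi
    done
    btl=$(bind_time_limit "$profile")
    if [ -z "$btl" ] || [ "$btl" -lt 10 ]; then
        echo "$profile: bindTimeLimit is '${btl:-unset}', want at least 10" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
    [ "$findings" -eq 0 ]
}

# Succeed if the hosts line in nsswitch.conf $1 names files but not ldap.
hosts_line_ok() {
    awk '/^hosts:/ { ok = ($0 ~ /files/ && $0 !~ /ldap/) } END { exit !ok }' "$1"
}

# Stand-alone run: the posted profile produces four findings, the fixed one none.
audit_profile "$BAD_PROFILE"  >/dev/null || echo "profile as posted needs fixing"
audit_profile "$GOOD_PROFILE" >/dev/null && echo "fixed profile passes"
hosts_line_ok "$NSS_OK" && echo "nsswitch hosts line OK"
```

Point `audit_profile` at the output of `ldapsearch` for the profile entry, or at an exported LDIF, and `hosts_line_ok` at the real /etc/nsswitch.conf; each finding maps to one of the fixes suggested in the reply above.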
