[Fedora-directory-users] PAM authentication

Richard Megginson rmeggins at redhat.com
Wed Jun 8 14:23:52 UTC 2005


Thomas Mathiesen wrote:

>WORKS!!! I am actually not using the libnssldap.conf file, but the
>pam_ldap.conf file in /etc/ on Ubuntu.
>
That's great!  If it wouldn't be too much trouble, I would appreciate it 
if you would tell us the steps you took and any gotchas you ran into.  
Then I can update the HowTo:PAM on our wiki.

Thanks!

>There are two "ldap" conf files, and it seems to use only one.
>
>Thanks a lot for guidance :)
>
>/T
>
>Nalin Dahyabhai (nalin at redhat.com) wrote:
>
>>On Tue, Jun 07, 2005 at 12:00:34PM +0000, Thomas Mathiesen wrote:
>>
>>>So, here's what I continued doing:
>>>Added a user (using the webinterface).
>>>Added objectclass posixAccount to this user (using GQ)
>>>
>>>Turning to my desktop, running Ubuntu Hoary and OpenLDAP, I set it up using
>>>this ldap config:
>>>host ldap.mydomain.com
>>>base dc=mydomain,dc=com
>>>ldap_version 3
>>>timelimit 30
>>>pam_filter objectclass=posixAccount
>>>pam_login_attribute uid
>>>ssl no
>>>#ssl start_tls
>>>#tls_checkpeer no
>>>pam_password ssha
>>>
>>>I've tried to use ssl (and tls_checkpeer no), and no ssl... nothing works.
>>>
>>>In my log on the fedora directory server, I see the connection, and it first
>>>tries to find the posixAccount, and returns no error. Then it looks for
>>>shadowAccount, and returns no error (after I added that objectclass as well).
>>>
>>>The client worked fine, authenticating with my previous OpenLDAP server... and
>>>I can't see why it doesn't authenticate with my new Fedora server.
>>>
>>Can you give us some more details to go on?  Are you using pam_ldap to
>>check passwords, or are you just using nss_ldap in combination with
>>pam_unix?  What do your system logs indicate when the user's attempt to
>>authenticate fails?
>>
>>If it's nss_ldap+pam_unix, can you read the userPassword attribute of
>>the user's posixAccount object when you bind to the directory
>>anonymously?  For example, does this command give you any userPassword
>>values?
>>    ldapsearch -x -h ldap.mydomain.com -b dc=mydomain,dc=com
>>        uid=username userPassword
>>
>>My guess here is that you have an ACI on dc=mydomain,dc=com which allows
>>read access to any attribute except "userPassword" for anonymous users,
>>and because nss_ldap is binding to the directory anonymously on
>>pam_unix's behalf to read the attribute, pam_unix can't check passwords.
>>
>>HTH,
>>
>>Nalin
>>
>
>--
>LinProfs
>Phone: +31703521193 & +31652572454
>Web: www.linprofs.com & www.linprofs.nl
>Email: thomas at linprofs.com
>
>-
>"Microsoft is to operating systems & security ....
>.... what McDonalds is to gourmet cooking"
>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
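Nalin's diagnosis above hinges on one question: when nss_ldap binds anonymously on pam_unix's behalf, can it read userPassword at all, and if so, is the stored hash one that pam_unix can verify? The script below is an added example and is not code from the thread or from the Fedora Directory Server project. It takes the output of the ldapsearch command Nalin suggested, parses the LDIF, and reports one of four outcomes: no entry matched, the entry is visible but userPassword is hidden (Nalin's ACI guess), the password verifies against the {SSHA} hash, or it does not. The user DN, the hash and the sample ldapsearch output are constructed here with a fixed salt so the example runs offline; feed it the real command's output instead. Note the caveat before "fixing" this by loosening the ACI: letting anonymous binds read userPassword hands every password hash to anyone who can reach the directory. pam_ldap, which the thread ends up using, checks the password by binding to the directory as the user and needs no read access to the hash at all.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt).
    The salt length is not fixed by the format; verification recovers it from the value."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (what pam_unix would have to do)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored.split("}")[0] + "}")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the rest is the salt
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: comments, folded continuation lines, '::' base64 values, several entries."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:    # a leading space continues the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                 # 'attr:: <base64>' (ldapsearch prints userPassword this way)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def diagnose(ldif_text: str, candidate_password: str) -> str:
    """Classify what an anonymous ldapsearch for 'uid=<user> userPassword' revealed."""
    entries = [e for e in parse_ldif(ldif_text) if "dn" in e]   # skip the trailing 'search:/result:' block
    if not entries:
        return "no-entry"                        # filter matched nothing, or the subtree is hidden
    entry = entries[0]
    if "userPassword" not in entry:
        return "userPassword-not-readable"       # entry visible, attribute hidden: the ACI hypothesis
    for stored in entry["userPassword"]:
        if stored.startswith("{SSHA}") and verify_ssha(stored, candidate_password):
            return "password-ok"
    return "password-mismatch"


# Constructed sample data (hypothetical user and hash; fixed salt only so the output is reproducible).
SAMPLE_SALT = bytes.fromhex("0102030405060708")
SAMPLE_HASH = ssha_hash("correct horse", SAMPLE_SALT)
SAMPLE_READABLE = f"""# extended LDIF
#
# LDAPv3
# base <dc=mydomain,dc=com> with scope subtree
# filter: uid=tmathiesen
# requesting: userPassword
#

# tmathiesen, People, mydomain.com
dn: uid=tmathiesen,ou=People,dc=mydomain,dc=com
userPassword:: {base64.b64encode(SAMPLE_HASH.encode("ascii")).decode("ascii")}

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""
# Same search when the ACI hides userPassword from anonymous binds: the entry comes back, the attribute does not.
SAMPLE_HIDDEN = SAMPLE_READABLE.replace(
    f"userPassword:: {base64.b64encode(SAMPLE_HASH.encode('ascii')).decode('ascii')}\n", "")

if __name__ == "__main__":
    print(diagnose(SAMPLE_READABLE, "correct horse"))   # password-ok
    print(diagnose(SAMPLE_READABLE, "wrong"))           # password-mismatch
    print(diagnose(SAMPLE_HIDDEN, "correct horse"))     # userPassword-not-readable
```

Run it against saved ldapsearch output with `diagnose(open("out.ldif").read(), password)`. If it reports userPassword-not-readable, the nss_ldap+pam_unix path cannot work as configured; the safer remedy is to have PAM verify the password through pam_ldap (a bind as the user) rather than to grant anonymous read of the hashes.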

