Fedora LDAP authentication failure

Greg Dotts member at dottsfamily.com
Thu Nov 11 01:08:32 UTC 2004


Problem solved!  Thanks to all for the advice, suggestions, and links.

The solution, as usual, was very simple.  Although I have to express my
disappointment that neither of the following points was ever stated in the
dozens of documents I've recently referenced in my search for a solution.

First -  There are two 'ldap.conf' files located on my server.  I don't know
if this is true for all *nix servers.  The first is installed by
OpenLDAP at '/etc/openldap/ldap.conf' and the other is installed by PAM at
'/etc/ldap.conf'.  I was unaware of the existence of the PAM
'/etc/ldap.conf' file, which was part of the problem.  It is well documented
and requires modification to work correctly.  I spent many hours messing
around with '/etc/openldap/ldap.conf', which in the end was fine with the
basic entries of HOST, BASE, and BINDDN.

Second - There needs to exist '/etc/ldap.secret', containing the password
that the LDAP clients use to bind to the LDAP server.  This file did not
exist on my server until a few minutes ago, when I created it.

Following the modification of '/etc/ldap.conf' and the creation of the
'/etc/ldap.secret' file and finally restarting my ldap service all works as
it should.

My thanks to Magnus and his forwarding of a very helpful link to ->
http://web.singnet.com.sg/~garyttt/ which outlines the steps stated above.

Greg Dotts
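As an added example (editor's code, not from Greg's message and not part of
nss_ldap or pam_ldap), here is a script that checks the two points above
against the layout he describes.  It assumes that /etc/openldap/ldap.conf is
the OpenLDAP command-line tools' file and /etc/ldap.conf the one nss_ldap and
pam_ldap read, and that the 'rootbinddn' directive in /etc/ldap.conf is what
makes those libraries read the bind password from /etc/ldap.secret.  File
paths and the expected owner uid are parameters so it can be run on copies.
Beyond the thread's two points it flags the two ways this setup leaks the
bind credential: a 'bindpw' inside the world-readable /etc/ldap.conf, and an
/etc/ldap.secret that is not root-owned with mode 0600.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread.  Lints the client side of an
# nss_ldap/pam_ldap setup as the message above describes it.  Assumptions:
#  * /etc/openldap/ldap.conf is read by the OpenLDAP command-line tools only;
#    nss_ldap and pam_ldap read /etc/ldap.conf, which has to be world-readable
#    because every process that resolves a user name loads it.
#  * a 'rootbinddn' line in /etc/ldap.conf is what makes those libraries read
#    the bind password from /etc/ldap.secret, which must be root-owned, 0600.
# Paths and the expected owner uid are parameters so the checks can be run
# against copies (or constructed files) rather than the live /etc.

# permission bits / owner uid of FILE (GNU stat first, BSD stat as fallback)
_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# _conf_value FILE KEY -> value of the first non-comment KEY line.
# Keywords are matched case-insensitively, so 'HOST' (OpenLDAP style) and
# 'host' (nss_ldap style) both hit.
_conf_value() {
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

LDAP_LINT_FINDINGS=0
_finding() { printf '%s\n' "$1"; LDAP_LINT_FINDINGS=$((LDAP_LINT_FINDINGS + 1)); }

# check_ldap_client_config CONF SECRET [OWNER_UID]
# Prints one finding per line; exit status 0 when there is nothing to report.
check_ldap_client_config() {
    local conf=$1 secret=$2 owner=${3:-0}
    LDAP_LINT_FINDINGS=0

    if [ ! -r "$conf" ]; then
        _finding "$conf: missing or unreadable (this is the PAM/NSS file, not /etc/openldap/ldap.conf)"
        return 1
    fi
    # nss_ldap needs a server (host or uri) and a search base
    if [ -z "$(_conf_value "$conf" host)" ] && [ -z "$(_conf_value "$conf" uri)" ]; then
        _finding "$conf: no 'host' or 'uri' line, nothing will ever contact the server"
    fi
    [ -n "$(_conf_value "$conf" base)" ] || _finding "$conf: no 'base' line"
    # every process loads this file through nsswitch, so it must be world-readable...
    case "$(_mode "$conf")" in
        *[4567]) ;;
        *) _finding "$conf: not world-readable, lookups by non-root processes fail" ;;
    esac
    # ...which means a bindpw in it is readable by every local user
    [ -z "$(_conf_value "$conf" bindpw)" ] ||
        _finding "$conf: 'bindpw' stored in a world-readable file; use rootbinddn and $secret instead"

    # rootbinddn is what makes nss_ldap/pam_ldap read the secret file
    if [ -n "$(_conf_value "$conf" rootbinddn)" ]; then
        if [ ! -f "$secret" ]; then
            _finding "$secret: missing, but $conf sets rootbinddn"
        else
            [ -s "$secret" ] || _finding "$secret: empty"
            [ "$(_owner "$secret")" = "$owner" ] || _finding "$secret: not owned by uid $owner"
            case "$(_mode "$secret")" in
                600|400) ;;
                *) _finding "$secret: mode $(_mode "$secret"), must be 0600" ;;
            esac
        fi
    fi
    [ "$LDAP_LINT_FINDINGS" -eq 0 ]
}
```

On the live box the call is check_ldap_client_config /etc/ldap.conf
/etc/ldap.secret (the owner defaults to uid 0); a clean exit means the PAM
side has a server, a base, and a bind password it can actually read without
exposing it to every local account.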




-----Original Message-----
From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] On
Behalf Of Jed Donnelley
Sent: Wednesday, November 10, 2004 5:50 PM
To: Pluggable Authentication Modules
Subject: Re: Fedora LDAP authentication failure


At 02:21 PM 11/10/2004, Greg Dotts wrote:
>Greetings Gurus,
>
>I'm at my wits end attempting to configure LDAP authentication on my Fedora
>2 server.  I'm not new to Linux, but am new to directory management.
>Running debugs on slapd returns positive information when GQ is used to
>browse/change the directory, but attempting to log in via console with
>any user other than root results in no contact with the LDAP server.  Root
>authenticates OK, but not via LDAP.
>
>Synopsis:
>
>OS=Fedora Core 2, fully updated via APT/Synaptic.
>Running current updates of openldap et al, nss_ldap, pam, and openssl.
>
>My LDAP server is working and searchable/writable locally using either GQ or
>standard openldap tools.  I have used the tools 'authconfig' and
>'system-config-authentication' to enable LDAP authentication and manually
>modified 'nsswitch.conf', and '/etc/pam.d/login and /etc/pam.d/system-auth'.
>
>It appears that PAM is not contacting the LDAP server for authentication.
>Does anyone have a suggestion as to why this may be?  I know this is a very
>open question, but I've struggled with this for about a week and spent
>several days searching the internet for answers.  I have followed many
>HOW-TO's and rebuilt my LDAP directory about a dozen times.  It appears the
>LDAP server is working fine, but no requests are being made from login to
>the LDAP server.
>
>Best regards to all,
>Greg

You should be able to verify whether or not your system is contacting the
LDAP server by looking at the LDAP logs on the server.  If there is no
contact then my guess is something in /etc/ldap.conf.  I don't know about
the tools you mentioned above as my configurations have been manual.

Here are a few lines to look for in your ldap.conf:

host ldap128.nersc.gov ldap2.nersc.gov ldap.nersc.gov <your names here of course>
(if you have this and the ssl stuff working and you have
network connectivity - no firewall blockages - then you
should at least see stuff showing up in the LDAP logs)

base ou=people,o=ldapsvc,dc=nersc,dc=gov
(which of course depends on your schema, which could
be an issue if all your automated stuff isn't working for you)

scope sub

pam_groupdn ou=PosixGroup,o=ldapsvc,dc=nersc,dc=gov
(ditto)

pam_member_attribute memberUid
(ditto)

pam_password md5
(for us - your mileage may vary)

nss_base_shadow         ou=People,o=ldapsvc,dc=nersc,dc=gov
nss_base_group          ou=PosixGroup,o=ldapsvc,dc=nersc,dc=gov
(brings up the whole nsswitch business.  You should know that
nsswitch can essentially make the ldap content appear as if
it is in /etc/passwd /etc/group /etc/shadow - thereby working
very differently from PAM which authenticates - only, no
groups - separately through the various applications)

ssl start_tls
ssl on
(your mileage may vary)

Good luck!

--Jed http://www.nersc.gov/~jed/ 
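Jed's distinction between nsswitch (is the user found at all) and PAM (is the
password checked against the directory) is exactly what the original symptom,
"no requests are being made from login to the LDAP server", turns on.  As an
added example (editor's code, not from this thread), here is a script that
reads a copy of nsswitch.conf and of the PAM stack and reports which side is
broken.  It assumes the Fedora layout of that time, where /etc/pam.d/login
pulls in /etc/pam.d/system-auth through pam_stack.so, and it also flags a
'required' pam_unix.so in the auth section, which vetoes the whole stack for
an LDAP-only user before pam_ldap.so ever gets to succeed.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread.  Answers "is login even asking the
# directory?" from the two client files that decide it:
#  * nsswitch.conf decides whether the user is *found*: passwd/shadow/group
#    lookups reach nss_ldap only if 'ldap' is listed on those lines;
#  * the PAM stack decides whether the password is *checked* against the
#    directory: an 'auth' line must load pam_ldap.so, and a pam_unix.so above
#    it must be 'sufficient', since a 'required' pam_unix that fails on an
#    LDAP-only user vetoes the stack no matter what pam_ldap says afterwards.
# Assumes the Fedora layout of the time, where /etc/pam.d/login pulls in
# /etc/pam.d/system-auth via pam_stack.so.  Paths are parameters so the checks
# run against copies (or constructed files), not the live /etc.

# _nss_has FILE DB SOURCE -> succeeds if the 'DB:' line in FILE lists SOURCE
_nss_has() {
    awk -v db="$2:" -v src="$3" '
        /^[[:space:]]*#/ { next }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit !found }' "$1"
}

# _pam_control FILE TYPE MODULE -> prints the control field of the first TYPE
# line whose module path ends in MODULE (a bracketed control such as
# "[default=bad success=ok]" is returned whole); fails if there is none
_pam_control() {
    awk -v t="$2" -v m="$3" '
        /^[[:space:]]*#/ || NF < 3 || $1 != t { next }
        {
            ctl = $2; i = 3
            if ($2 ~ /^\[/)
                while (i <= NF && $(i - 1) !~ /\]$/) { ctl = ctl " " $i; i++ }
            if ($i ~ ("(^|/)" m "$")) { print ctl; found = 1; exit }
        }
        END { exit !found }' "$1"
}

# check_ldap_login NSSWITCH PAMFILE
# Prints one finding per line; exit status 0 when an LDAP user can be both
# resolved and authenticated through these files.
check_ldap_login() {
    local nss=$1 pam=$2 db ctl n=0
    for db in passwd shadow group; do
        _nss_has "$nss" "$db" ldap ||
            { echo "$nss: '$db' does not list ldap, so LDAP users are unknown to the system"; n=$((n + 1)); }
    done
    _pam_control "$pam" auth pam_ldap.so >/dev/null ||
        { echo "$pam: no auth line loads pam_ldap.so, so no password ever reaches the directory"; n=$((n + 1)); }
    _pam_control "$pam" account pam_ldap.so >/dev/null ||
        { echo "$pam: no account line loads pam_ldap.so"; n=$((n + 1)); }
    ctl=$(_pam_control "$pam" auth pam_unix.so) || ctl=""
    case "$ctl" in
        required|requisite)
            echo "$pam: auth pam_unix.so is '$ctl'; an LDAP-only user fails there before pam_ldap.so can succeed"
            n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ]
}
```

Run as check_ldap_login /etc/nsswitch.conf /etc/pam.d/system-auth.  If the
nsswitch findings are the only ones, getent passwd <user> will fail too and
the server log will stay empty, which matches what Greg saw; if only the PAM
findings appear, the user resolves but the password is never sent.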

_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list




