
Re: [PAM] Getting Better + LDAP + PAM

On Thu, Oct 12, 2006 at 04:20:43PM +0000, Net Warrior wrote:
> Hi guys
> Thanks to the kindness of the list, I'm getting better results with this.
> Well.. this is what I've got right now.
> I configured NIS, so getent passwd netwarrior returns
> netwarrior:x:1002:513:System User:/home/netwarrior:/bin/bash
> This is perfect, because netwarrior is in the LDAP database and not a local
> user, so this is an upgrade :)
> Now, what I'm trying to do is to connect from a Windows machine, which is
> not part of the domain, and from a FreeBSD host which is not part of the
> domain either, and I'm getting this:
> This is not the entire log, but as I can see, it's retrieving all the user
> info: gecos, password, login shell

>              [.../...]
> Oct 12 14:05:03 test-server slapd[3940]: => access_allowed: read access
> denied by auth(=xd)
> Oct 12 14:05:03 test-server slapd[3940]: send_search_entry: conn 3 access to
> attribute userPassword, value #0 not allowed
>              [.../...]

It seems you have the same problem I had.

Assume you have put "ldap" in /etc/nsswitch.conf on the "passwd"
and "shadow" entries. The "pam_unix2" module then thinks it can authenticate
an LDAP user with a "getpwnam". But as you have restricted "userPassword" to
authentication only ("=xd"), "pam_unix2" can't read the password and
fails with "auth_err".

So I removed "ldap" from the "shadow" entry in /etc/nsswitch.conf, and
"pam_unix2" still fails, but with a different error than "auth_err". My
"common-auth" is:

auth    [success=1 auth_err=bad default=ignore] pam_unix.so debug
auth    required                pam_ldap.so use_first_pass debug
auth    required                pam_access.so

> common-session
> session required pam_limits.so
> session required pam_unix2.so
> session sufficient pam_ldap.so

It's strange that the "sufficient" module comes after the "required" one
because, for an LDAP user, "pam_unix2" is bound to fail, and so the stack
fails whatever "pam_ldap" does.

	<< You have nothing to say... Let's talk about it! >>

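The two observations in the reply above (a failing "required" pam_unix2 that a later "sufficient" pam_ldap cannot rescue, and the [success=1 auth_err=bad default=ignore] jump in common-auth) can be traced with a small simulator of the PAM control-flag rules. The block below is an added example, not code from this thread or from Linux-PAM itself: it re-implements the control-flag semantics documented in pam.conf(5) in Python and feeds in constructed module return codes. The auth_err from pam_unix is taken from the mail; the authinfo_unavail code for the no-shadow-from-LDAP case, the session_err from pam_unix2 in the session stack, the local user "alice" and the reordered session stack are assumptions made for the illustration.

```python
"""Simulator of Linux-PAM control-flag semantics.

Added example, not code from the original thread or from Linux-PAM. Module
return codes are constructed below to match the situations described in the
mail; no real PAM module is called.
"""
import re

# The classic keywords are shorthand for these [value=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse 'type control module [args]' lines into (action-table, module) pairs."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        _type, control, module, _args = m.groups()
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
            table.setdefault("default", "bad")  # unlisted return codes count as failures
        else:
            table = KEYWORDS[control]
        stack.append((table, module))
    return stack


def run_stack(stack, results):
    """Return the code the stack hands back to the application.

    results maps module name -> the code that module returns for this user.
    Rules modelled: the first failure is frozen and later successes cannot
    override it; 'done' ends the stack only if nothing failed before it;
    a numeric action N skips the next N modules; no contribution = perm_denied.
    """
    status, failed, i = None, False, 0
    while i < len(stack):
        table, module = stack[i]
        i += 1
        retval = results.get(module, "success")
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if not failed:
                failed, status = True, retval
            if action == "die":
                break
            continue
        if action == "reset":
            failed, status = False, None
            continue
        # 'ok', 'done' or a jump count: contributes only while nothing has failed
        if not failed:
            status = retval
            if action == "done":
                break
        if action.isdigit():
            i += int(action)
    return status if status is not None else "perm_denied"


# The replier's common-auth, as quoted in the mail.
COMMON_AUTH = """
auth    [success=1 auth_err=bad default=ignore] pam_unix.so debug
auth    required                pam_ldap.so use_first_pass debug
auth    required                pam_access.so
"""

# The original poster's common-session, and (assumption) the same stack with the
# sufficient line moved ahead of the required pam_unix2 line.
SESSION_AS_POSTED = """
session required   pam_limits.so
session required   pam_unix2.so
session sufficient pam_ldap.so
"""
SESSION_REORDERED = """
session required   pam_limits.so
session sufficient pam_ldap.so
session required   pam_unix2.so
"""


def auth(user, shadow_from_ldap):
    """Constructed auth-stack result for a local user (alice, assumed) and the
    LDAP user netwarrior. With ldap on the shadow line pam_unix tries to read
    userPassword, slapd refuses (the "=xd" ACL) and pam_unix returns auth_err as
    in the mail; without it pam_unix finds no shadow entry and, by assumption,
    returns authinfo_unavail (the mail only says it is no longer auth_err)."""
    if user == "alice":
        results = {"pam_unix.so": "success", "pam_ldap.so": "user_unknown", "pam_access.so": "success"}
    else:
        unix = "auth_err" if shadow_from_ldap else "authinfo_unavail"
        results = {"pam_unix.so": unix, "pam_ldap.so": "success", "pam_access.so": "success"}
    return run_stack(parse_stack(COMMON_AUTH), results)


def session(user, config):
    """Session stack with pam_unix2 assumed to fail for the LDAP user, as the reply states."""
    if user == "alice":
        results = {"pam_limits.so": "success", "pam_unix2.so": "success", "pam_ldap.so": "user_unknown"}
    else:
        results = {"pam_limits.so": "success", "pam_unix2.so": "session_err", "pam_ldap.so": "success"}
    return run_stack(parse_stack(config), results)


if __name__ == "__main__":
    for user, ldap_shadow in (("alice", True), ("netwarrior", True), ("netwarrior", False)):
        print("auth    %-10s shadow-from-ldap=%-5s -> %s" % (user, ldap_shadow, auth(user, ldap_shadow)))
    for name, cfg in (("as posted", SESSION_AS_POSTED), ("reordered", SESSION_REORDERED)):
        print("session %-10s netwarrior             -> %s" % (name, session("netwarrior", cfg)))
```

Running it shows the three auth outcomes the mail describes (local user succeeds and jumps over pam_ldap; the LDAP user fails with auth_err while pam_unix can still consult the LDAP shadow map; it succeeds once that failure turns into a code that default=ignore swallows) and, for the session stack, that moving the "sufficient" pam_ldap line ahead of the "required" pam_unix2 line is what lets the LDAP user's session succeed, while the local user still falls through to pam_unix2.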
