[PAM] Getting Better + LDAP + PAM

Net Warrior netwarrior863 at gmail.com
Fri Oct 13 14:14:15 UTC 2006


Yes!! Yes!
You are damn right, the order in which the module pam_ldap.so is placed
is important; it must be before unix2.so in my case!

A great thanks to you all!!
Now I can log in via ssh using the user netwarrior, and now I can use the
LDAP database to authenticate my users and get rid of the passwd.. goal
achieved at LAST!

Thanks..




2006/10/12, Julien Soula <jsoula at univ-lille2.fr>:
>
> On Thu, Oct 12, 2006 at 04:20:43PM +0000, Net Warrior wrote:
> > Hi guys
> > Thanks to the kindness of the list, I'm getting better results with this.
> > Well.. this is what I've got right now.
> >
> > I configured NIS, so getent passwd netwarrior returns
> >
> > netwarrior:x:1002:513:System User:/home/netwarrior:/bin/bash
> > This is perfect, cuz netwarrior is in the LDAP database and not a local
> > user, so this is an upgrade :)
> >
> > Now, what I'm trying to do is to connect from a windows machine, which is
> > not part of the domain, and from a freebsd host which is neither part of
> > the domain, and I'm getting this:
> >
> > This is not the entire log, but as I can see, it's retrieving all the user
> > info, gecos, password, login shell
> >
>
> >              [.../...]
> > Oct 12 14:05:03 test-server slapd[3940]: => access_allowed: read access
> > denied by auth(=xd)
> > Oct 12 14:05:03 test-server slapd[3940]: send_search_entry: conn 3 access to
> > attribute userPassword, value #0 not allowed
> >              [.../...]
>
> It seems you have the same problem I had.
>
> I assume you have put "ldap" in /etc/nsswitch.conf on the entries "passwd"
> and "shadow". So the module "pam_unix2" thinks it can authenticate an LDAP
> user with a "getpwnam". But as you have restricted "userPassword" to
> authentication only ("=xd"), "pam_unix2" can't read the password and
> fails with "auth_err".
>
> So I withdrew "ldap" from the "shadow" entry in /etc/nsswitch.conf, and
> "pam_unix2" fails but with a different error than "auth_err". My
> "common-auth" is:
>
> auth    [success=1 auth_err=bad default=ignore] pam_unix.so debug
> auth    required                pam_ldap.so use_first_pass debug
> auth    required                pam_access.so
>
>
> > common-session
> > session required pam_limits.so
> > session required pam_unix2.so
> > session sufficient pam_ldap.so
>
> It's strange that the "sufficient" module is after the "required" one
> because, for an LDAP user, "pam_unix2" is due to fail and so the module
> fails whatever "pam_ldap" does.
>
> a+,
> --
> Julien
>         << You have nothing to say... Let's talk about it! >>
>
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
>
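As an added illustration (not code from this thread or from Linux-PAM itself), the following Python model walks a PAM stack the way libpam's dispatcher does, with module return codes constructed per scenario. It reproduces both points made above: with the poster's common-session, an LDAP-only user fails because the required pam_unix2 fails before the sufficient pam_ldap runs, while swapping the two lines succeeds; and Julien's `[success=1 auth_err=bad default=ignore]` line only works because pam_unix returns something other than auth_err for an LDAP user once "ldap" is withdrawn from the shadow entry.

```python
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = "success", "auth_err", "user_unknown", "perm_denied"

# Keyword controls as Linux-PAM expands them into the [value=action] form.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(token):
    """'required' or '[success=1 auth_err=bad default=ignore]' -> {value: action}."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token.strip("[]").split())
    return KEYWORDS[token]

def run_stack(stack, results):
    """stack: [(control, module)], results: {module: return code} (constructed).
    The first failure is sticky; 'done'/'die' stop the walk; a numeric action
    skips that many following modules, as libpam's dispatcher does."""
    impression = status = None          # impression: None (undecided), "+" or "-"
    i = 0
    while i < len(stack):
        control, module = stack[i]
        actions = parse_control(control)
        retval = results[module]
        action = actions.get(retval, actions.get("default", "bad"))
        skip = 0
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression == "+" and status == SUCCESS):
                impression, status = "+", retval
            if action == "done" and status == SUCCESS:
                break                   # sufficient module succeeded with no earlier failure
            skip = int(action) if action.isdigit() else 0
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", retval
            if action == "die":
                break
        i += 1 + skip                   # "ignore" falls through: no influence on the result
    return PERM_DENIED if impression is None else status

# The poster's common-session (sufficient after required) and the swapped order.
SESSION_AS_POSTED = [("required", "pam_unix2.so"), ("sufficient", "pam_ldap.so")]
SESSION_SWAPPED = [("sufficient", "pam_ldap.so"), ("required", "pam_unix2.so")]
LDAP_USER_SESSION = {"pam_unix2.so": AUTH_ERR, "pam_ldap.so": SUCCESS}

# Julien's common-auth: pam_unix success skips pam_ldap; its auth_err is fatal.
COMMON_AUTH = [("[success=1 auth_err=bad default=ignore]", "pam_unix.so"),
               ("required", "pam_ldap.so"), ("required", "pam_access.so")]
```

Feeding `COMMON_AUTH` a pam_unix result of auth_err (what pam_unix2 returned while it could still see the LDAP user but not userPassword) yields auth_err even though pam_ldap succeeds, whereas user_unknown is ignored and the decision passes to pam_ldap.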