
Re: [PAM] Getting Better + LDAP + PAM



Yes!! Yes!
You are damn right, the order in which the module pam_ldap.so
is placed is important; it must be before unix2.so in my case!

A great thanks to you all!!
Now I can log in via ssh using the user netwarrior, now I can use the LDAP database to
authenticate my users and get rid of the passwd.. goal achieved at LAST!

Thanks..




2006/10/12, Julien Soula <jsoula univ-lille2 fr >:
On Thu, Oct 12, 2006 at 04:20:43PM +0000, Net Warrior wrote:
> Hi guys
> Thanks to the kindness of the list, I'm getting better results with this.
> Well.. this is what I've got right now.
>
> I configured NIS, so getent passwd netwarrior returns
>
> netwarrior:x:1002:513:System User:/home/netwarrior:/bin/bash
> This is perfect, cuz netwarrior is in the LDAP database and not a local
> user, so this is an upgrade :)
>
> Now, what I'm trying to do is to connect from a windows machine, which is
> not part of the domain and from a freebsd host which is neither part of the
> domain and I'm getting this:
>
> This is not the entire log, but as I can see, it is retrieving all the user
> info: gecos, password, login shell
>

>              [.../...]
> Oct 12 14:05:03 test-server slapd[3940]: => access_allowed: read access
> denied by auth(=xd)
> Oct 12 14:05:03 test-server slapd[3940]: send_search_entry: conn 3 access to
> attribute userPassword, value #0 not allowed
>              [.../...]

It seems you have the same problem I had.

Assume you have put "ldap" in /etc/nsswitch.conf on the entries "passwd"
and "shadow". So the module "pam_unix2" thinks it can authenticate an LDAP
user with a "getpwnam". But as you have restricted "userPassword" to
authentication only ("=xd"), "pam_unix2" can't read the password and
fails with "auth_err".

So I withdrew "ldap" from the "shadow" entry in /etc/nsswitch.conf, and
"pam_unix2" still fails, but with a different error than "auth_err". My
"common-auth" is:

auth    [success=1 auth_err=bad default=ignore] pam_unix.so debug
auth    required                pam_ldap.so use_first_pass debug
auth    required                pam_access.so


> common-session
> session required pam_limits.so
> session required pam_unix2.so
> session sufficient pam_ldap.so

It's strange that the "sufficient" module is after the "required" one
because, for an LDAP user, "pam_unix2" is bound to fail and so the module
fails whatever "pam_ldap" does.

a+,
--
Julien
        << You have nothing to say... Let's talk about it! >>


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFLppYT298YQMzB14RAgVQAJ9C8webCwOhhLu+6Ydtcwi1uaa6fACaA1Lw
1dGTAUW3PqDt5Bh0aBJlNz4=
=YDns
-----END PGP SIGNATURE-----
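The two stack-ordering points made in the thread (the `[success=1 auth_err=bad default=ignore]` auth stack, and a `sufficient pam_ldap.so` placed after a `required pam_unix2.so` in the session stack) can be checked without a live LDAP server by replaying the control-flag rules from pam.d(5). The simulator below is an added example, not code from the thread or from Linux-PAM itself; it models libpam's dispatcher in simplified form. The three stacks it parses are the ones quoted in the thread plus one reordering (pam_ldap before pam_unix2) consistent with what Net Warrior reports fixed his login; the per-user module return codes are constructed, and the code pam_unix returns once "shadow" no longer consults ldap (named `authinfo_unavail` here) is an assumption used only to show that anything other than `auth_err` falls under `default=ignore`.

```python
"""Replay libpam's stack evaluation (pam.d(5) control flags) on the stacks from the thread.

Added example; not code from the original thread or from Linux-PAM. The dispatcher
logic is simplified, and every per-user module return code below is constructed.
"""

# pam.d(5) defines the keyword controls as these [value=action] tables.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_stack(config, group):
    """Return [(control_table, module)] for the lines of management group `group`."""
    stack = []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] != group:
            continue
        if parts[1].startswith("["):
            # A bracketed control is spread over several whitespace-separated tokens.
            end = next(i for i, tok in enumerate(parts) if tok.endswith("]"))
            body = " ".join(parts[1:end + 1]).strip("[]")
            control = dict(kv.split("=", 1) for kv in body.split())
            module = parts[end + 1]
        else:
            control = KEYWORD_CONTROLS[parts[1]]
            module = parts[2]
        stack.append((control, module))
    return stack


def run_stack(stack, module_results):
    """Evaluate a stack roughly the way libpam's dispatcher does.

    module_results maps module name -> return code it yields for this user; modules
    not listed return "success". Returns the code the calling application sees.
    """
    impression = None  # None: undecided, True: positive so far, False: a module failed
    status = None
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        rc = module_results.get(module, "success")
        action = control.get(rc, control.get("default", "bad"))  # unlisted codes count as bad
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression is not False:  # the first failure fixes the stack's return code
                impression, status = False, rc
            if action == "die":
                break
            continue
        if action == "reset":
            impression, status = None, None
            continue
        # ok / done / N contribute only while the stack is still undecided or positive.
        if impression is None or (impression and status == "success"):
            impression, status = True, rc
        if action == "done":
            if impression and status == "success":
                break  # "sufficient" returns early only if no earlier required module failed
        elif action.isdigit():
            i += int(action)  # skip the next N modules
    return "perm_denied" if impression is None else status


# Julien's common-auth as quoted in the thread (constructed copy of the quoted lines).
COMMON_AUTH = """
auth    [success=1 auth_err=bad default=ignore] pam_unix.so debug
auth    required                pam_ldap.so use_first_pass debug
auth    required                pam_access.so
"""
# Net Warrior's common-session as quoted, and one reordering with pam_ldap first.
SESSION_ORIGINAL = """
session required pam_limits.so
session required pam_unix2.so
session sufficient pam_ldap.so
"""
SESSION_FIXED = """
session required pam_limits.so
session sufficient pam_ldap.so
session required pam_unix2.so
"""

# Constructed per-user outcomes. auth_err for the LDAP user comes from the thread;
# "authinfo_unavail" and "session_err" are assumptions standing in for "some other failure".
LOCAL_USER = {"pam_ldap.so": "user_unknown"}
LDAP_SHADOW_VIA_LDAP = {"pam_unix.so": "auth_err", "pam_unix2.so": "session_err"}
LDAP_SHADOW_LOCAL = {"pam_unix.so": "authinfo_unavail", "pam_unix2.so": "session_err"}


def auth_result(user_results):
    return run_stack(parse_stack(COMMON_AUTH, "auth"), user_results)


def session_result(config, user_results):
    return run_stack(parse_stack(config, "session"), user_results)


if __name__ == "__main__":
    for name, user in [("local", LOCAL_USER), ("ldap, shadow via ldap", LDAP_SHADOW_VIA_LDAP),
                       ("ldap, shadow local only", LDAP_SHADOW_LOCAL)]:
        print(f"{name:24} auth={auth_result(user):17} "
              f"session(original)={session_result(SESSION_ORIGINAL, user):12} "
              f"session(pam_ldap first)={session_result(SESSION_FIXED, user)}")
```

Running it shows the two effects discussed: with "shadow" still served by ldap, pam_unix's `auth_err` maps to `bad` and the whole auth stack returns `auth_err` even though pam_ldap succeeds afterwards, whereas any other pam_unix failure maps to `default=ignore` and lets the required pam_ldap decide; and in the session stack a `sufficient pam_ldap.so` placed after a failing `required pam_unix2.so` cannot rescue the stack, while the same line placed before it returns success immediately for the LDAP user and is simply ignored for the local user.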


_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list


