Authentication problems with ldap
Lynn York
lyork at inetu.net
Mon Sep 22 12:41:44 UTC 2008
Below are my config files:
/etc/pam.d/system-auth
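#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.
#
# NOTE(review): the stack as posted never calls pam_ldap.so, so a directory
# user is only ever checked against the local passwd/shadow files by
# pam_unix.so and then rejected by pam_deny.so; nothing in /etc/ldap.conf is
# consulted for authentication at all. The pam_ldap.so entries below are the
# ones authconfig --enableldapauth normally adds; their position (after the
# uid >= 500 gate, before pam_deny.so) keeps local system accounts local.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
# Accounts with uid < 500 are local-only and never fall through to the directory.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# user_unknown=ignore: a user that only exists locally is not a failure here.
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
# "use_authtok" was wrapped onto its own line in the mail; it is an option of
# this pam_unix.so entry and must stay on the same line (a lone token on its
# own line is a malformed PAM entry).
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# "quiet use_uid" was likewise wrapped in the mail; both are options of this entry.
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so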
-----------------------------------------------------------
/etc/ldap.conf
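# Host to connect to
# NOTE(review): the server is named by IP here but as ldaptest.local in the
# slapd syncrepl block; if peer certificate checking is on, the name in
# cert.crt has to match whatever is used here -- confirm which it is.
host 10.100.223.63
#port 389
# NOTE(review): "port 636" together with "ssl start_tls" below is
# contradictory. start_tls sends the StartTLS extended operation on a plain
# LDAP port (normally 389); 636 is the LDAPS port, which expects a TLS
# handshake first and is selected with "ssl on". Pick one pairing:
#   port 389 + ssl start_tls     or     port 636 + ssl on
# Either satisfies the slapd "security ... simple_bind=128 tls=128" setting,
# which refuses a simple bind that is not already under TLS.
port 636
debug 0
logdir /var/log/pam_ldap
base dc=ldaptest,dc=local
ldap_version 3
# ("bind at" is the list archive's address munging of "bind@".)
#binddn bind at ldaptest.local
# The credentials to bind with.
# Optional: default is no credential.
#bindpw testing
# With binddn/bindpw commented out every lookup is an anonymous bind; that
# works only because slapd grants "access to * by * read" (userPassword is
# restricted separately), so keep it in mind if those ACLs are tightened.
scope sub
timelimit 6
bind_timelimit 3
idle_timeout 90
#
# nss_ldap configuration parameter
bind_policy soft
# RFC 2307 (AD) mappings
# These stay commented out because the attribute/objectclass renaming is done
# server-side by the rwm overlay in slapd.conf (sAMAccountname -> uid, etc.).
#nss_map_objectclass posixAccount user
#nss_map_objectclass posixGroup group
#nss_map_objectclass account user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute userPassword unixUserPassword
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_attribute uniqueMember member
#nss_map_attribute gecos cn
pam_login_attribute uid
pam_lookup_policy yes
# Access controls via ldap
#
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr no
#pam_check_service_attr no
#pam_min_uid 1000
# Do not hash the password at all, assume the directory is doing this
# NOTE(review): "pam_password ad" is the Active Directory unicodePwd change
# method. The server this file talks to is the local slapd (password-hash
# {CRYPT}), not AD, so password changes through PAM will probably not work
# with this setting -- worth confirming; "pam_password exop" or "crypt" are
# the usual choices against OpenLDAP.
pam_password ad
# nss_ldap configurations
# NOTE(review): the two lines below were wrapped in the mail; the value must
# be on the same line as the keyword. Also, the filter part after the second
# "?" lacks the outer parentheses a well-formed LDAP filter needs
# ("(&(...)(...))") and objectCategory is not defined by any of the schema
# files slapd includes -- confirm these filters actually match anything.
nss_base_passwd cn=users,dc=ldaptest,dc=local?sub
nss_base_shadow cn=users,dc=ldaptest,dc=local?sub?&(objectCategory=users)(uidnumber=*)
nss_base_group cn=groups,dc=ldaptest,dc=local?sub?&(objectCategory=group)(gidnumber=*)
#ssl no
# openldap SSL bits
ssl start_tls
# The same cert.crt is used by slapd as its server certificate, so this only
# validates if that certificate is self-signed (its own issuer).
tls_cacertfile /etc/openldap/certs/cert.crt
tls_ciphers HIGH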
--------------------------------------------------------------------------------
SLAPD config:
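include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
# None of the included schemas define the AD classes/attributes the syncrepl
# filter and rwm maps refer to (user, sAMAccountName, ...); that is why
# schemachecking is off in the syncrepl block below.
loglevel 1 2 4 8 16 32 128 256 16384
password-hash {CRYPT}
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# NOTE(review): "+SSLv2:+SSLv3" explicitly admits the obsolete, broken SSL
# protocol versions; "HIGH" (optionally "HIGH:+TLSv1") is the safer value.
# Left as posted -- changing it may affect old clients, so verify first.
TLSCipherSuite HIGH:+TLSv1:+SSLv2:+SSLv3
# CA file and server certificate are the same file, i.e. a self-signed
# certificate is trusted as its own issuer; clients must trust it too.
TLSCACertificateFile /usr/local/openldap/etc/openldap/certs/cert.crt
TLSCertificateFile /usr/local/openldap/etc/openldap/certs/cert.crt
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/certs/cert.key
# Simple binds and updates are refused unless the session already has a
# 128-bit TLS layer; clients therefore have to complete TLS before binding.
security ssf=1 update_ssf=128 simple_bind=128 update_tls=128 tls=128
database bdb
suffix "dc=ldaptest,dc=local"
rootdn "cn=manager,dc=ldaptest,dc=local"
# NOTE(review): this hash (and the syncrepl "credentials" below) were posted to
# a public list; both secrets should be rotated.
rootpw {SSHA}uxhIdkPFWVYdBMaHg8m0O+5Y7cchdxnG
chase-referrals no
rebind-as-user yes
directory "/usr/local/openldap/var/openldap-data"
# rwm renames AD-style classes/attributes to RFC 2307 names on the way to
# clients, which is why the nss_map_* lines in ldap.conf stay commented out.
overlay rwm
rwm-map objectclass user posixAccount
rwm-map attribute sAMAccountname uid
rwm-map attribute givenName cn
rwm-map attribute unixHomeDirectory homeDirectory
rwm-map attribute unixUserPassword UserPassword
access to attrs=userPassword
# NOTE(review): this "by" clause carries no access level -- either the level
# was lost to line wrapping in the mail or the directive is incomplete;
# confirm what the Bind User is meant to get here (typically "write" or
# "read") and state it explicitly.
by dn="cn=Bind User,cn=Users,dc=ldaptest,dc=local"
# "by self read" lets every user retrieve their own password hash; the usual
# pattern is "by self write" (or nothing beyond "by * auth") -- confirm intent.
by self read
by * auth
# Everything else, including anonymous, is readable: this is what lets the
# anonymous nss_ldap/pam_ldap lookups in ldap.conf succeed.
access to * by * read
syncrepl rid=1
provider="ldaps://ldaptest.local:636"
# Fixed: the valid values are refreshOnly and refreshAndPersist; the
# misspelling "refreshAndPersistant" as posted is rejected by slapd.
# (The "interval" below only applies to refreshOnly.)
type=refreshAndPersist
interval="00:00:15:00"
retry="60 3 300 10"
searchbase="cn=Users,dc=ldaptest,dc=local"
filter="(&(objectClass=user)(samaccountname=*))"
scope="sub"
schemachecking="off"
bindmethod="simple"
binddn="cn=Bind User,cn=Users,dc=ldaptest,dc=local"
credentials="testing"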
Thanks,
Lynn
-----Original Message-----
From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] On
Behalf Of Kenneth Geisshirt
Sent: Saturday, September 20, 2008 4:19 AM
To: Pluggable Authentication Modules
Subject: Re: Authentication problems with ldap
Lynn York wrote:
> I am having some issue with PAM and authentication with an openldap proxy
> to AD.
Please send your configuration files. Otherwise it is a bit hard to help
you.
/kneth