Authentication problems with ldap

Lynn York lyork at inetu.net
Mon Sep 22 12:41:44 UTC 2008 

Below are my config files:

/etc/pam.d/system-auth
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
-----------------------------------------------------------
/etc/ldap.conf 
# Host to connect to
host 10.100.223.63
#port 389
port 636

debug 0
logdir /var/log/pam_ldap

base dc=ldaptest,dc=local
ldap_version 3

#binddn bind at ldaptest.local

# The credentials to bind with. 
# Optional: default is no credential.
#bindpw testing
scope sub

timelimit 6 
bind_timelimit 3

idle_timeout 90


#
# nss_ldap configuration parameter
bind_policy soft

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass posixGroup group
#nss_map_objectclass account user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute userPassword unixUserPassword
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_attribute uniqueMember member
#nss_map_attribute gecos cn

pam_login_attribute uid
pam_lookup_policy yes

# Access controls via ldap
#
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login. 
#pam_check_host_attr no

#pam_check_service_attr no

#pam_min_uid 1000

# Do not hash the password at all, assume the directory is doing this
pam_password ad

# nss_ldap configurations
nss_base_passwd         cn=users,dc=ldaptest,dc=local?sub
nss_base_shadow
cn=users,dc=ldaptest,dc=local?sub?&(objectCategory=users)(uidnumber=*)
nss_base_group
cn=groups,dc=ldaptest,dc=local?sub?&(objectCategory=group)(gidnumber=*)
#ssl no
# openldap SSL bits
ssl start_tls
tls_cacertfile /etc/openldap/certs/cert.crt
tls_ciphers HIGH
----------------------------------------------------------------------------
--------

SLAPD config:

include         /usr/local/openldap/etc/openldap/schema/core.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/schema/nis.schema


loglevel 1 2 4 8 16 32 128 256 16384
password-hash   {CRYPT}

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCipherSuite HIGH:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/openldap/etc/openldap/certs/cert.crt
TLSCertificateFile /usr/local/openldap/etc/openldap/certs/cert.crt
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/certs/cert.key
security ssf=1 update_ssf=128 simple_bind=128 update_tls=128 tls=128

database                bdb

suffix                  "dc=ldaptest,dc=local"
rootdn                  "cn=manager,dc=ldaptest,dc=local"
rootpw                  {SSHA}uxhIdkPFWVYdBMaHg8m0O+5Y7cchdxnG

chase-referrals         no
rebind-as-user          yes
directory               "/usr/local/openldap/var/openldap-data"

overlay rwm
rwm-map objectclass  user       posixAccount
rwm-map attribute    sAMAccountname     uid
rwm-map attribute    givenName          cn
rwm-map attribute    unixHomeDirectory  homeDirectory
rwm-map attribute    unixUserPassword   UserPassword

access to attrs=userPassword
        by dn="cn=Bind User,cn=Users,dc=ldaptest,dc=local"
        by self read
        by * auth

access to * by * read

syncrepl rid=1
         provider="ldaps://ldaptest.local:636"
         type=refreshAndPersistant
         interval="00:00:15:00"
         retry="60 3 300 10"
         searchbase="cn=Users,dc=ldaptest,dc=local"
         filter="(&(objectClass=user)(samaccountname=*))"
         scope="sub"
         schemachecking="off"
         bindmethod="simple"
         binddn="cn=Bind User,cn=Users,dc=ldaptest,dc=local"
         credentials="testing"



Thanks,

Lynn
-----Original Message-----
From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] On
Behalf Of Kenneth Geisshirt
Sent: Saturday, September 20, 2008 4:19 AM
To: Pluggable Authentication Modules
Subject: Re: Authentication problems with ldap

Lynn York wrote:
>    I am having some issue with PAM and authentication with an openldap
proxy
> to AD.  

Please send your configuration files. Otherwise it is a bit hard to help
you.

/kneth

_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3442 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pam-list/attachments/20080922/9a849345/attachment.bin>

More information about the Pam-list mailing list