Cant authenticate to LDAP domain with Redhat9

shaughto at ee.ucr.edu shaughto at ee.ucr.edu
Wed Jul 7 03:47:18 UTC 2004 

Hi,

Sorry for the late reply... Had two hard drives fail on the two different
servers over the weekend. =(

Well, I copied the pam.d/system-auth and I can log on as root, but not as
any users.  So I still have the same problem.
Here is my system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/$ISA/pam_ldap.so


And my nsswitch.conf has no references to shadow.
Here is my etc/nsswitch.conf:

#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and
/etc/group.
passwd:         files ldap
group:          files ldap


# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:          files dns

# LDAP is nominally authoritative for the following maps.
services:   files
networks:   files
protocols:  files
rpc:        files
ethers:     files

# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules ofr sendmail.
aliases:    files
sendmailvars:   files

# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
netgroup:   ldap


Any ideas.  Thanks.

--
Steven


> Your ldapsearch and getent look fine.  Do you have anything for
> shadow in your nsswitch.conf?
>
> For the pam stuff, start by looking at your system-auth file.
> This is how it looks on a RH9 box as configured by authconfig:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore
> service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
> type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok
> use_authtok md5
> shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
>
> -Steve
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Steven D. Haughton
> Sent: Friday, July 02, 2004 11:01 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Cant authenticate to LDAP domain with Redhat9
>
> Hi,
> Thanks for the clarification.  Those authconfig files were bothering me.
> Ok, I did an ldapsearch and getent and they work fine (from what I can
> tell).
>
> Output:
>
> [root at blochee /]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
> version: 2
>
> #
> # filter: uid=grad-adm
> # requesting: ALL
> #
>
> # grad-adm, People, ee, ucr, edu
> dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
> uid: grad-adm
> cn: Graduate Affairs
> sn: Affairs
> mail: grad-adm at ee.ucr.edu
> labeledURI: http://www.ee.ucr.edu/~grad-adm
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> loginShell: /bin/bash
> uidNumber: 30501
> gidNumber: 402
> homeDirectory: /home/eemisc/grad-adm
> gecos: Graduate Affairs
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root at blochee /]# getent passwd grad-adm
> grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
>
> Should I test ldapsearch with  some different commands?
> Also I tried logging in on virtual consoles with no luck (only root
> works). = (
> You said that if ldapsearch and getent work then I should focus on
> pam....
> how would I go about testing pam?
>
> Thanks again for all your help.
>
> --
> Steven
>
>
>
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
>

More information about the redhat-list mailing list