Can't authenticate to LDAP domain with Redhat9
shaughto at ee.ucr.edu
Wed Jul 7 03:47:18 UTC 2004
Hi,
Sorry for the late reply... Had two hard drives fail on two different
servers over the weekend. =(
Well, I copied the pam.d/system-auth and I can log on as root, but not as
any users. So I still have the same problem.
Here is my system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
session optional /lib/security/$ISA/pam_ldap.so
And my nsswitch.conf has no references to shadow.
Here is my /etc/nsswitch.conf:
#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts: files dns
# LDAP is nominally authoritative for the following maps.
services: files
networks: files
protocols: files
rpc: files
ethers: files
# no support for netmasks, bootparams, publickey yet.
netmasks: files
bootparams: files
publickey: files
automount: files
# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules for sendmail.
aliases: files
sendmailvars: files
# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
netgroup: ldap
Any ideas? Thanks.
--
Steven
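The question in this thread is how to reason about, and test, the PAM stack above without guessing. The script below is an added example (not part of the thread and not Red Hat's or authconfig's code): it parses the auth and account lines of the system-auth file quoted in this mail, expands the simple control words the way Linux-PAM documents them (required, requisite, sufficient, optional) alongside the bracketed [default=bad success=ok ...] form used for pam_ldap, and then walks the stack with the same ok/done/bad/die/ignore rules pam_dispatch() applies. The per-module results in the scenarios are constructed, not observed on the poster's box; a module not named in a scenario is assumed to return success, except pam_deny, which always fails. Module names (pam_unix.so, pam_ldap.so, pam_deny.so) are taken from the file itself.

```python
"""Simulate Linux-PAM stack evaluation for the auth and account stacks
quoted in this thread.  Added example; the module results below are
constructed scenarios, not output from any real system."""
from typing import Dict, List, Tuple

SUCCESS = "success"

# The system-auth file from the mail (wrapped lines joined).  Only the
# facility, control and module path matter to the simulation.
SYSTEM_AUTH = """
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""

# Linux-PAM's documented expansion of the simple control keywords into
# the bracketed result=action form.
SIMPLE_CONTROLS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# pam_deny always fails; in the auth phase it returns PAM_AUTH_ERR.
ALWAYS_FAIL = {"pam_deny.so": "auth_err"}


def parse_control(control: str) -> Dict[str, str]:
    """Turn 'required' or '[default=bad success=ok ...]' into a result -> action map."""
    control = control.strip()
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return SIMPLE_CONTROLS[control]


def parse_stack(text: str, facility: str) -> List[Tuple[Dict[str, str], str]]:
    """Collect (action table, module name) for one facility, in file order.
    A bracketed control contains spaces, so it is cut at the closing ']'."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fac, rest = line.split(None, 1)
        if fac != facility:
            continue
        rest = rest.strip()
        if rest.startswith("["):
            end = rest.index("]")
            control, rest = rest[: end + 1], rest[end + 1:]
        else:
            control, rest = rest.split(None, 1)
        module = rest.split()[0].rsplit("/", 1)[-1]   # '/lib/security/$ISA/pam_unix.so' -> 'pam_unix.so'
        stack.append((parse_control(control), module))
    return stack


def evaluate(stack: List[Tuple[Dict[str, str], str]], results: Dict[str, str]) -> str:
    """Walk the stack the way pam_dispatch() does and return the final result code."""
    impression = None   # None (undecided), "positive" or "negative"
    status = None
    for table, module in stack:
        retval = results.get(module, SUCCESS)
        action = table.get(retval, table.get("default", "bad"))
        if action in ("ok", "done"):
            # The first module that is not ignored fixes the impression; a later
            # 'ok' can only overwrite a positive impression that is still a success.
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression = "positive" if retval in (SUCCESS, "new_authtok_reqd") else "negative"
                status = retval
            if action == "done" and impression == "positive" and status == SUCCESS:
                break                       # 'sufficient' succeeded: stop here
        elif action == "bad":
            if impression != "negative":    # remember the first failure only
                impression, status = "negative", retval
        elif action == "die":
            impression, status = "negative", retval
            break
        # "ignore": the module has no effect on the outcome
    return "perm_denied" if status is None else status   # empty/ignored stack: PAM_PERM_DENIED


def login_outcome(auth_results: Dict[str, str], account_results: Dict[str, str]) -> Tuple[str, str]:
    """Run the auth stack, then (only if it passed) the account stack.
    Returns (phase that produced the final answer, result code)."""
    auth = evaluate(parse_stack(SYSTEM_AUTH, "auth"), {**ALWAYS_FAIL, **auth_results})
    if auth != SUCCESS:
        return ("auth", auth)
    return ("account", evaluate(parse_stack(SYSTEM_AUTH, "account"), account_results))


if __name__ == "__main__":
    # Constructed scenarios for a local root and an LDAP-only user.
    scenarios = {
        "root, local passwd":                 ({"pam_unix.so": SUCCESS}, {}),
        "ldap user, correct password":        ({"pam_unix.so": "user_unknown", "pam_ldap.so": SUCCESS}, {}),
        "ldap user, wrong password":          ({"pam_unix.so": "user_unknown", "pam_ldap.so": "auth_err"}, {}),
        "ldap server unreachable":            ({"pam_unix.so": "user_unknown", "pam_ldap.so": "authinfo_unavail"}, {}),
        "ldap user, pam_unix account unknown": ({"pam_unix.so": "user_unknown", "pam_ldap.so": SUCCESS},
                                                {"pam_unix.so": "user_unknown"}),
    }
    for name, (auth_r, acct_r) in scenarios.items():
        print(f"{name:40} -> {login_outcome(auth_r, acct_r)}")
```

Two things the run makes visible. First, because both pam_unix and pam_ldap are "sufficient", every failure they report is ignored and the answer always comes from pam_deny, so a wrong password and an unreachable LDAP server produce the identical result; the stack itself cannot tell you which one happened, which is why adding the debug option to the pam_ldap.so and pam_unix.so lines and reading syslog is the practical next step. Second, "account required pam_unix.so" turns a user_unknown from pam_unix into a denial, while the bracketed control on the pam_ldap line maps user_unknown to ignore; the two lines are not symmetric, and the account phase is worth checking separately from auth when root can log in but LDAP users cannot.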
> Your ldapsearch and getent look fine. Do you have anything for
> shadow in your nsswitch.conf?
>
> For the pam stuff, start by looking at your system-auth file.
> This is how it looks on a RH9 box as configured by authconfig:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
> account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>
> password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
>
> -Steve
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Steven D. Haughton
> Sent: Friday, July 02, 2004 11:01 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Can't authenticate to LDAP domain with Redhat9
>
> Hi,
> Thanks for the clarification. Those authconfig files were bothering me.
> Ok, I did an ldapsearch and getent and they work fine (from what I can
> tell).
>
> Output:
>
> [root at blochee /]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
> version: 2
>
> #
> # filter: uid=grad-adm
> # requesting: ALL
> #
>
> # grad-adm, People, ee, ucr, edu
> dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
> uid: grad-adm
> cn: Graduate Affairs
> sn: Affairs
> mail: grad-adm at ee.ucr.edu
> labeledURI: http://www.ee.ucr.edu/~grad-adm
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> loginShell: /bin/bash
> uidNumber: 30501
> gidNumber: 402
> homeDirectory: /home/eemisc/grad-adm
> gecos: Graduate Affairs
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root at blochee /]# getent passwd grad-adm
> grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
>
> Should I test ldapsearch with some different commands?
> Also I tried logging in on virtual consoles with no luck (only root
> works). =(
> You said that if ldapsearch and getent work then I should focus on
> pam....
> how would I go about testing pam?
>
> Thanks again for all your help.
>
> --
> Steven