Cant authenticate to LDAP domain with Redhat9

Steven D. Haughton shaughto at ee.ucr.edu
Fri Jul 2 16:00:31 UTC 2004


Hi,
Thanks for the clarification.  Those authconfig files were bothering me.
Ok, I did an ldapsearch and getent and they work fine (from what I can tell).

Output:

[root at blochee /]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
version: 2

#
# filter: uid=grad-adm
# requesting: ALL
#

# grad-adm, People, ee, ucr, edu
dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
uid: grad-adm
cn: Graduate Affairs
sn: Affairs
mail: grad-adm at ee.ucr.edu
labeledURI: http://www.ee.ucr.edu/~grad-adm
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 30501
gidNumber: 402
homeDirectory: /home/eemisc/grad-adm
gecos: Graduate Affairs

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root at blochee /]# getent passwd grad-adm
grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash

Should I test ldapsearch with  some different commands?
Also I tried logging in on virtual consoles with no luck (only root works). =(
You said that if ldapsearch and getent work then I should focus on pam....
how would I go about testing pam?

Thanks again for all your help.

--
Steven



Rigler, Steve wrote:

>To clarify the purposes of some of the files:
>
>/etc/ldap.conf is used by pam_nss so that pam/nss knows where to
>go to authenticate and/or look up/map user/group information.
>It should be a long, heavily commented file.
>
>/etc/openldap/ldap.conf is used by the openldap client utilities
>and probably anything linked against the openldap libraries
>(eg. the autofs lookup_ldap.so library).  It will probably only
>have a few lines (HOST, BASE, TLS_CACERT, etc).
>
>Those two files are *not* interchangeable.  Due to confusion between 
>the two, some distributions have resorted to renaming the file 
>used by pam (eg. pam_ldap.conf).
>
>I wouldn't be as concerned about the information in your 
>/etc/sysconfig/authconfig.  AFAIK, it is more used by the authconfig
>utility to populate itself than for any authentication purposes.
>
>You can edit /etc/pam.d/system-auth manually, but be aware that it
>will get overwritten by authconfig should you decide to run it and
>change something that way.
>
>Also, there was a brief thread on the openldap-software list about
>login with local accounts not working when the ldap server is
>unavailable.
>Check here for the fix (I don't remember in which version of RedHat this
>was fixed):
>http://www.netsys.com/openldap-software/2003/02/msg00202.html
>(I wouldn't post any questions to the openldap-software list that
>aren't specific to openldap...that means no pam, autofs, etc).
>
>I'd check the low-level things on your problem machine first.  Make
>sure you can reach your ldap server with ldapsearch, make sure getent
>works and then start hitting the pam stuff.  Check via other login
>means besides ssh also (try from a virtual console).
>
>-Steve
>
>-----Original Message-----
>From: redhat-list-bounces at redhat.com
>[mailto:redhat-list-bounces at redhat.com] On Behalf Of shaughto
>Sent: Thursday, July 01, 2004 11:07 PM
>To: General Red Hat Linux discussion list
>Subject: Re: Cant authenticate to LDAP domain with Redhat9
>
>Ok, here is some more info, but some background first.
>
>A few weeks ago some researchers in my department took it upon themselves
>to install Redhat 9 over Gentoo.  Well then they asked me to set it up onto
>the domain.  Needless to say my boss was a bit upset that they did this, but
>on with the story.  Well I managed to get one server to authenticate fairly
>easy.  I copied the /etc/ldap.conf, /etc/nsswitch, /etc/pam.d/system-auth,
>/etc/ssl/certs/eeca.pem, and /etc/autofs/auto.master.  However it did not
>work, but once I copied /etc/ldap.conf to /etc/openldap/ldap.conf it
>worked!!!!!
>The second computer was not so easy, no matter what I did it would not
>authenticate to the ldap domain.  Well I worked on it for two days with no
>success, and then the next morning it was working.  WTF is all I could
>think, but at least it worked (wish I knew what happened though).  I really
>didn't modify any extra files on that machine except that I modified the
>slapd.conf and got openldap running, which should have nothing to do with
>the client authentication (please correct me if I am wrong).  Well I was
>poking in all of the system files so maybe I did modify one... if only I
>could remember.
>
>So now to my point about /etc/sysconfig/authconfig.  On these two computers
>with redhat9, the authconfig is different on both and they both
>authenticate!!! BTW I never ran authconfig or authconfig-gtk on these
>machines.
>
>Computer 1 authconfig:
>USEHESIOD=no
>USELDAP=yes
>USENIS=no
>USEKERBEROS=no
>USELDAPAUTH=yes
>USEMD5=yes
>USESHADOW=yes
>USESMBAUTH=no
>
>Computer 2 authconfig:
>USEDB=no
>USEHESIOD=no
>USELDAP=no
>USENIS=no
>USEKERBEROS=no
>USELDAPAUTH=no
>USEMD5=yes
>USESHADOW=yes
>USESMBAUTH=no
>
>As you can see the authconfig differs in the computers in the ldap
>sections.  I have tried both variations on my problematic computer (I'll
>call it Computer 3) with no luck.  This confuses me and I'm not sure what
>is going on with redhat and openldap.
>
>Can someone please shed some light onto this and rid me of my ignorance on
>the subject.
>Thanks for your time, and sorry for the long email.
>
>--
>Steven
>
>----- Original Message -----
>From: "shaughto" <shaughto at ee.ucr.edu>
>To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
>Sent: Thursday, July 01, 2004 6:23 PM
>Subject: Re: Cant authenticate to LDAP domain with Redhat9
>
>
>
>>Thanks for the response...
>>
>>I have tried authconfig and authconfig-gtk, however they did not work.  In
>>fact when I tried to log on after using those programs I could not log in
>>as root, nor any users.  I noticed that authconfig modified some of the
>>LDAP config files, I believe it was /etc/pam.d/system-auth.  I simply
>>copied back my original config files, which are /etc/ldap.conf,
>>/etc/nsswitch.conf, /etc/autofs/auto.master, /etc/ssl/certs/eeca.pem, and
>>/etc/pam.d/system-auth.
>>With those files back to my setting I can once again log on as root.
>>
>>Hmm, what files does authconfig modify?  Maybe I can modify them by hand
>>(through vi).
>>
>>Thanks again for the response.
>>
>>----- Original Message ----- 
>>From: "Rigler, Steve" <SRigler at MarathonOil.com>
>>To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
>>Sent: Thursday, July 01, 2004 5:36 PM
>>Subject: RE: Cant authenticate to LDAP domain with Redhat9
>>
>>
>>Try running "authconfig" and set up your LDAP configuration
>>that way.
>>
>>-Steve
>>
>>
>>-----Original Message-----
>>From: redhat-list-bounces at redhat.com on behalf of Steven D. Haughton
>>Sent: Thu 7/1/2004 5:56 PM
>>To: redhat-list at redhat.com
>>Subject: Cant authenticate to LDAP domain with Redhat9
>>
>>Hi,
>>
>>
>>I'm new to ldap and fairly new to linux as well so bear with me.....
>>
>>
>>I've recently installed Red Hat 9 over Gentoo due to some commercial
>>software support. My problem is that I can not get Red Hat to
>>authenticate to the ldap domain.
>>Here is the current ldap software I have installed:
>>
>>[root at hostname root]# rpm -qa | grep ldap
>>openldap-2.0.27-8
>>openldap-clients-2.0.27-8
>>nss_ldap-202-5
>>openldap-devel-2.0.27-8
>>openldap-servers-2.0.27-8
>>php-ldap-4.2.2-17.2
>>
>>Here is current openssl:
>>[root at hostname root]# rpm -qa | grep openssl
>>openssl-0.9.7a-20.2
>>openssl-perl-0.9.7a-20.2
>>openssl096b-0.9.6b-15
>>openssl-devel-0.9.7a-20.2
>>openssl096-0.9.6-25.9
>>
>>I also have autofs installed and running.
>>I have copied the exact files for /etc/ldap.conf, /etc/nsswitch.conf,
>>/etc/pam.d/system_auth, and /etc/ssl/certs/eeca.pem, and
>>/etc/autofs/auto.master
>>which work on other linux computers (Mainly Gentoo.... and 2 redhat9
>>computers).
>>I also copied ldap.conf into /etc/openldap/ldap.conf and copied
>>/etc/autofs/auto.master to /etc/auto.master.
>>
>>So my config files must be correct if they work on other computers...
>>Leaving me to believe that there must be extra config files on Redhat
>>that I must setup.
>>I took out the hostname and domain names in the following test.
>>
>>Test:
>>[root@"hostname" root]# ssh -ltestuser "hostname"
>>testuser@"hostname's" password:
>>Permission denied, please try again.
>>
>>Log file:
>>sshd(pam_unix)[14275]: check pass; user unknown
>>sshd(pam_unix)[14275]: authentication failure; logname= uid=0 euid=0
>>tty=NODEVssh ruser= rhost="hostname"."**"."***".edu
>>sshd(pam_unix)[14275]: check pass; user unknown
>>sshd(pam_unix)[14275]: 1 more authentication failure; logname= uid=0
>>euid=0 tty=NODEVssh ruser= rhost="hostname"."**"."***".edu
>>
>>Any Ideas on how to resolve this issue? Thanks.
>>
>>Also here is some more info on the problem.
>>When I run ldapsearch I get this...
>>
>>[root at blochEE root]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
>>version: 2
>>
>>#
>># filter: uid=grad-adm
>># requesting: ALL
>>#
>>
>># grad-adm, People, ee, ucr, edu
>>dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
>>uid: grad-adm
>>cn: Graduate Affairs
>>sn: Affairs
>>mail: grad-adm at ee.ucr.edu
>>labeledURI: http://www.ee.ucr.edu/~grad-adm
>>objectClass: inetOrgPerson
>>objectClass: posixAccount
>>objectClass: top
>>objectClass: shadowAccount
>>loginShell: /bin/bash
>>uidNumber: 30501
>>gidNumber: 402
>>homeDirectory: /home/eemisc/grad-adm
>>gecos: Graduate Affairs
>>
>># search result
>>search: 2
>>result: 0 Success
>>
>># numResponses: 2
>># numEntries: 1
>>[root at blochEE root]#
>>
>>
>>And when I get this running getent:
>>[root at blochEE root]# getent passwd grad-adm
>>grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
>>[root at blochEE root]#
>>
>>From my understanding it looks like the client can communicate ok with
>>the server, so I am at a loss as to why I can not login using users on
>>the ldap server?
>>the ldap server?
>>
>>
>>If you need any more info. please let me know and I'll be happy to
>>provide it.
>>Any responses will be most appreciated.
>>Thank you.
>>
>>
>>-- 
>>redhat-list mailing list
>>unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>https://www.redhat.com/mailman/listinfo/redhat-list

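The advice in the thread is to confirm ldapsearch and getent before touching PAM. As an added example, not code from the thread or from Red Hat, here is a small Python check that parses the anonymous ldapsearch output quoted above, rebuilds the passwd line nss_ldap should hand to getent, and flags what an anonymous search cannot prove (the password bind that pam_ldap performs). The sample entry below is constructed from the thread's output and trimmed.

```python
# Constructed sample (trimmed from the thread's ldapsearch/getent output) so this runs offline.
LDIF = """\
# grad-adm, People, ee, ucr, edu
dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
uid: grad-adm
cn: Graduate Affairs
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 30501
gidNumber: 402
homeDirectory: /home/eemisc/grad-adm
gecos: Graduate Affairs
"""
GETENT = "grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash"

def parse_ldif(text):
    """attr -> [values] of the first entry; skips '#' comments, unfolds RFC 2849 continuations."""
    entry, last = {}, None
    for line in text.splitlines():
        if not line.strip() and entry:
            break                                   # blank line ends the entry
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and last:           # folded continuation line
            entry[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr, []).append(value.strip())
        last = attr
    return entry

def passwd_line(entry):
    """The passwd(5) line nss_ldap builds from a posixAccount entry (cn if no gecos)."""
    g = lambda a: entry.get(a, [""])[0]
    return ":".join([g("uid"), "x", g("uidNumber"), g("gidNumber"),
                     g("gecos") or g("cn"), g("homeDirectory"), g("loginShell")])

def check_entry(entry):
    """What would break the NSS lookup, plus what an anonymous search cannot prove."""
    findings = []
    if "posixAccount" not in entry.get("objectClass", []):
        findings.append("missing objectClass posixAccount")
    findings += [f"missing attribute {a}" for a in
                 ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
                 if a not in entry]
    findings += [f"{a} is not numeric" for a in ("uidNumber", "gidNumber")
                 if a in entry and not entry[a][0].isdigit()]
    if "userPassword" not in entry:    # servers normally hide it from anonymous binds
        findings.append("userPassword not visible: NSS lookup is proven, but pam_ldap "
                        "still has to bind as this DN with the password to log in")
    return findings
```

A clean passwd line plus the single userPassword finding is exactly the state the thread describes: name resolution works, so the remaining suspect is the PAM stack (pam_ldap in /etc/pam.d/system-auth and the /etc/ldap.conf it reads), not the directory entry.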