Cant authenticate to LDAP domain with Redhat9

Faehl, Chris cfaehl at rightnow.com
Wed Jul 7 14:36:31 UTC 2004


Steve,

Yeah, having the file reference system-auth is a cleaner way of doing
this. Ignore that message where I said you've gotta modify every one. I
did have some problem when trying to do this using stack.

--
Chris Faehl
Hosting Manager, RightNow Technologies

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Rigler, Steve
Sent: Wednesday, July 07, 2004 5:55 AM
To: General Red Hat Linux discussion list
Subject: RE: Cant authenticate to LDAP domain with Redhat9


Copying over /etc/pam.d/sshd is bad advice and I wouldn't recommend it.
Your individual /etc/pam.d/* files should be set up to reference 
system-auth so that you won't have to go in and edit each one 
individually.  This is why RedHat provides authconfig so that you
can run one command which will change one file and everything else
will know to reference it.

Try adding "debug" as the first argument after each pam_ldap.so in your 
system-auth and watch your messages file when you try to log in.

What does "getent passwd" and "getent shadow" tell you on the machines
that work?

-Steve
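Steve's three checks above (does each /etc/pam.d file delegate to system-auth, does nsswitch.conf carry a shadow entry, and adding "debug" after pam_ldap.so), as an added shell example that is not part of this thread. Paths are parameters so it can be pointed at a copy of a box's /etc/pam.d and /etc/nsswitch.conf; the sample directory it builds is constructed, not taken from the poster's machine, and the `service=system-auth` test assumes the RH9 pam_stack.so convention Chris refers to.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the items Steve asks about.

# List service files in a pam.d directory that do not delegate to
# system-auth (RH9 does this via "pam_stack.so service=system-auth").
# A file copied over from another box, as in the thread, shows up here.
pamd_without_system_auth() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ "$name" = system-auth ] && continue
        grep -q 'service=system-auth' "$f" || echo "$name"
    done
}

# Print the sources for one NSS database (e.g. shadow) from nsswitch.conf.
# Prints nothing when the database has no line at all, which is the case
# Steve is asking the poster to look for.
nss_sources() {
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Emit system-auth with "debug" as the first argument after each
# pam_ldap.so, leaving lines that already have it alone. Output goes to
# stdout; nothing is edited in place.
pam_ldap_with_debug() {
    sed '/pam_ldap\.so *debug/!s|pam_ldap\.so|pam_ldap.so debug|' "$1"
}

# Constructed sample resembling the thread: nsswitch.conf with no shadow
# line, and an sshd file that does not reference system-auth.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/pam.d"
    printf 'auth required pam_stack.so service=system-auth\n' > "$d/pam.d/login"
    printf 'auth sufficient /lib/security/$ISA/pam_ldap.so\n' > "$d/pam.d/sshd"
    printf 'auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass\n' \
        > "$d/pam.d/system-auth"
    printf 'passwd:         files ldap\ngroup:          files ldap\n' \
        > "$d/nsswitch.conf"
    echo "$d"
}
```

Run the three functions against /etc/pam.d and /etc/nsswitch.conf on a box that works and on the one that does not, and diff the results.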

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of shaughto at ee.ucr.edu
Sent: Tuesday, July 06, 2004 10:47 PM
To: General Red Hat Linux discussion list
Subject: RE: Cant authenticate to LDAP domain with Redhat9

Hi,

Sorry for the late reply... Had two hard drives fail on the two different
servers over the weekend. =(

Well, I copied the pam.d/system-auth and I can log on as root, but not as
any users.  So I still have the same problem.
Here is my system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/$ISA/pam_ldap.so


And my nsswitch.conf has no references to shadow.
Here is my /etc/nsswitch.conf:

#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:         files ldap
group:          files ldap


# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:          files dns

# LDAP is nominally authoritative for the following maps.
services:   files
networks:   files
protocols:  files
rpc:        files
ethers:     files

# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules for sendmail.
aliases:    files
sendmailvars:   files

# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
netgroup:   ldap


Any ideas?  Thanks.

--
Steven


> Your ldapsearch and getent look fine.  Do you have anything for
> shadow in your nsswitch.conf?
>
> For the pam stuff, start by looking at your system-auth file.
> This is how it looks on a RH9 box as configured by authconfig:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
>
> -Steve
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Steven D. Haughton
> Sent: Friday, July 02, 2004 11:01 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Cant authenticate to LDAP domain with Redhat9
>
> Hi,
> Thanks for the clarification.  Those authconfig files were bothering me.
> Ok, I did an ldapsearch and getent and they work fine (from what I can
> tell).
>
> Output:
>
> [root at blochee /]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
> version: 2
>
> #
> # filter: uid=grad-adm
> # requesting: ALL
> #
>
> # grad-adm, People, ee, ucr, edu
> dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
> uid: grad-adm
> cn: Graduate Affairs
> sn: Affairs
> mail: grad-adm at ee.ucr.edu
> labeledURI: http://www.ee.ucr.edu/~grad-adm
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> loginShell: /bin/bash
> uidNumber: 30501
> gidNumber: 402
> homeDirectory: /home/eemisc/grad-adm
> gecos: Graduate Affairs
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root at blochee /]# getent passwd grad-adm
> grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
>
> Should I test ldapsearch with  some different commands?
> Also I tried logging in on virtual consoles with no luck (only root
> works). = (
> You said that if ldapsearch and getent work then I should focus on
> pam....
> how would I go about testing pam?
>
> Thanks again for all your help.
>
> --
> Steven
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
