
Re: Invalid credentials



OK, I think I see what you are saying. I didn't think pam_ldap needed to
support SASL. I thought pam_ldap <-> openldap communicated via anonymous
bind and then openldap would hand off to SASL on its own to
authenticate.

So as far as the sshd file in /etc/pam.d, auth and password would be
pam_radius, and account would be pam_ldap, right? That would keep all
account information in the LDAP directory (uid, homedir and shell),
but direct authentication towards the radius server. I have nss_ldap
working (I can finger and id a user with results) and I can auth
successfully using pam_radius_auth, so I guess it's just a matter of the
right pam.d file at this point. Any pointers there?

thanks again 
adam

On Fri, 2003-11-14 at 11:05, Stephan Siano wrote:
> 
> Adam Denenberg schrieb:
> | Thanks for the response.  That makes a little more sense now.  But isn't
> | it possible to have pam_ldap attempt to authenticate the same way the
> | ldap search does (forcing sasl external auth)?
> |
> | Basically I am replacing NIS with an ldap directory so all account info,
> | uids, gids are stored in LDAP, however the authentication is made by
> | (LDAP->SASL->PAM->RADIUS) which worked in my first case.  Is there a way
> | to have pam_ldap behave the same way?  Is there some way to forcefully
> | allow anonymous binds for pam_ldap to allow this to happen? I have the
> | following ACL in my slapd.conf
> 
> Well, actually your stack would be PAM->LDAP->SASL->PAM->RADIUS, however
> this isn't possible, because pam_ldap doesn't implement this (it only
> implements simple binds, no SASL binds). I don't think this would make
> sense. Why don't you just use PAM->RADIUS directly? It is possible (and
> quite feasible) to combine nss_ldap (the module to resolve uids and the
> like) with any other PAM module (like pam_radius or pam_krb5).
> 
> | access to attr=userPassword
> |         by self write
> |         by * auth
> |
> | access to *
> |         by * read
> 
> This ACL would be sufficient for simple authentication if the password was
> stored in the userPassword attribute.
> 
> Yours
> Stephan Siano
> 
> --
> ----------------------------------------------------------------------
> Dr. Stephan Siano, Consultant
> SUSE LINUX AG, Mergenthalerallee 45-47, D-65760 Eschborn
> T: +49 (0) 6196 5095131
> F: +49 (0) 6196 409607    - stephan.siano@suse.com
> ----------------------------------------------------------------------
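The split Adam describes (auth and password handled by pam_radius, account data from LDAP, and pam_ldap never asked to bind for authentication) is easy to get wrong when editing /etc/pam.d/sshd by hand. The script below is an added example, not code from either poster: it embeds a constructed sshd stack of that shape, parses it the way PAM reads the file (comments, bracketed controls, trailing module arguments) and checks that no auth or password line falls through to pam_ldap's simple bind. The module names and options used in the sample config are assumptions about a typical pam_radius/pam_ldap install.

```python
"""Check which module serves each PAM management group in a pam.d stack.
Added example for the thread above; the sshd config below is constructed."""
import re

# Constructed /etc/pam.d/sshd: RADIUS for auth and password, LDAP only for
# account, explicit pam_deny so a RADIUS failure cannot fall through.
SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_radius_auth.so
auth       required     pam_deny.so
account    required     pam_ldap.so
password   required     pam_radius_auth.so
session    required     pam_unix.so
session    optional     pam_mkhomedir.so skel=/etc/skel umask=0022
"""

def parse_pam(text):
    """Return {group: [(control, module, [args])]} for pam.d-style text.
    Strips '#' comments and accepts bracketed controls such as
    [success=ok default=die], which contain spaces."""
    stack = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        group, control, module, args = m.groups()
        stack.setdefault(group, []).append((control, module, args.split()))
    return stack

def modules_for(stack, group):
    """Ordered list of module file names stacked for one management group."""
    return [mod for _, mod, _ in stack.get(group, [])]

def check_split(stack):
    """True when authentication goes to RADIUS and never reaches pam_ldap
    (which could only try a simple bind), password changes also avoid
    pam_ldap, and account information still comes from LDAP."""
    auth = modules_for(stack, "auth")
    auth_ok = "pam_radius_auth.so" in auth and "pam_ldap.so" not in auth
    pw_ok = "pam_ldap.so" not in modules_for(stack, "password")
    acct_ok = "pam_ldap.so" in modules_for(stack, "account")
    return auth_ok and pw_ok and acct_ok

if __name__ == "__main__":
    print("stack OK" if check_split(parse_pam(SSHD_PAM)) else "stack WRONG")
```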