
Problems with LDAP client under Debian GNU v3 of Woody



Hi all,

I have installed and configured the LDAP client on a machine
running Debian GNU/Linux 3.0 (Woody).
I can connect to the server, which is also Debian. The uids and gids of my
LDAP users are known on the client: if I create a new file owned by an
LDAP user, the name corresponding to the uid and gid number declared on
the server appears. During authentication, when a user tries to access
the system, the time left until the password expires on the server is
shown, but the console can't be opened and after a few seconds it asks me
for the user's authentication once again.
The logs don't give me any information, because the operation appears to be a
success.
I think ldap.conf, nsswitch.conf and /etc/pam.d/login are well
configured, but I'm not sure whether I have forgotten to configure or
install other packages or files, or whether perhaps this version has
problems with LDAP.
Could you help me please?
Packages installed are:
ldap-utils 2.0.23-3
libldap2 1.08-3
libpam-ldap 134-3
libpam-modules 0.72-35
libnss-ldap 184-1
nscd 2.2.5-3
libpam-cracklib 0.72-35

Options configured are:

-------ldap.conf-------

###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure to configure this file
#
# @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Shared by nss_ldap (libnss-ldap) and pam_ldap (libpam-ldap). Every
# process that resolves a user or group reads it, so it has to stay
# world-readable and must not hold a privileged credential (see the
# rootbinddn paragraph below for where such a credential belongs).
# Format: one "keyword value" per line; '#' starts a full-line comment.

# Your LDAP server. Must be resolvable without using LDAP.
# NOTE(review): neither an 'ssl' directive nor an ldaps:// uri appears
# in this file, so traffic to myhost is plain LDAP on port 389: the bind
# performed with the user's password at login, and the 'pam_password
# clear' update at the bottom, cross the network unencrypted. Once login
# works, enable TLS on the server and point the client at an ldaps:// uri
# (or 'ssl start_tls', if the installed libpam-ldap/libnss-ldap support
# it).
# ('myhost' / 'mybase' look like placeholders substituted before posting.)
host myhost

# The distinguished name of the search base.
base mybase

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Nothing is set here: either the anonymous default is in use, or the
# value was removed before posting. With an anonymous bind, lookups see
# only what the directory exposes to anonymous clients.


# The credentials to bind with.
# Optional: default is no credential.
# NOTE(review): a bindpw placed here is readable by every local user,
# because nss_ldap needs this file world-readable. If one is needed,
# give it to a low-privilege, read-only directory account only.


# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# This (rootbinddn) is the right place for a privileged credential:
# the secret lives in the mode-600 file, never in this file.


# The port.
# Optional: default is 389.
port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
# Left at the default (no): every entry matching pam_filter may log in
# on this client; there is no per-host restriction at the pam_ldap level.
#pam_check_host_attr yes

# Group to enforce membership of
# pam_groupdn is not set, so no group-membership requirement is applied;
# the pam_member_attribute line below only has an effect together with
# pam_groupdn.


# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute memberuid
# Specify a minimum or maximum UID number allowed
# Both unset: pam_ldap itself applies no UID range check, so a directory
# entry whose uidNumber collides with a local system account is accepted.
# Setting pam_min_uid to the first LDAP-user uid is cheap defence in depth.
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
# NOTE(review): the commented example values under this paragraph and
# the next look swapped relative to their descriptions ('crypt' is a
# hash, while "do not hash" corresponds to the 'clear' value that is
# actually set at the end of this file). Do not copy them blindly.
#pam_password crypt

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password sha

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#pam_password nds

# For IBM SecureWay support, do:
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
# NOTE(review): this is the only uncommented pam_password line in the
# file, so it is the one in effect even though it sits under the
# SecureWay example. 'clear' sends the new password as typed and relies
# on the server to hash it: confirm the server does, and see the TLS
# remark at 'host' above, since this value travels unencrypted as
# configured.
pam_password clear
#pam_crypt local

--------nscd.conf -----------
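#
# /etc/nscd.conf
#
# An example Name Service Cache config file.  This file is needed by
# nscd.
#
# Legal entries are:
#
# logfile   <file>
# debug-level  <level>
# threads   <#threads to use>
# server-user             <user to run server as instead of root>
#  server-user is ignored if nscd is started with -S parameters
#
#       enable-cache  <service> <yes|no>
# positive-time-to-live <service> <time in seconds>
# negative-time-to-live   <service> <time in seconds>
#       suggested-size  <service> <prime number>
# check-files  <service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts
#
# Format: "keyword [service] value", one per line, '#' for full-line
# comments only. The posted copy had a comment fragment ("nscd.") on an
# uncommented line and stray leading whitespace on every entry; both are
# repaired here, entries now start in column 0.

# nscd runs as root unless server-user is set; the header above lists
# it as the way to drop to an unprivileged account (ignored with -S).
# logfile   /var/log/nscd.log
# threads   6
# server-user  nobody
# debug-level  0

# A cached passwd entry stays valid for positive-time-to-live seconds
# after the directory changes, so removing or disabling a user on the
# server is not seen here until then (600 s); a user not found is
# re-asked after negative-time-to-live seconds (20 s). While debugging
# LDAP logins, invalidate the table ('nscd -i passwd') or stop nscd so a
# stale entry does not mask a fix.
enable-cache  passwd  yes
positive-time-to-live passwd  600
negative-time-to-live passwd  20
suggested-size  passwd  211
check-files  passwd  yes

# Group membership is cached for up to an hour (3600 s): a user taken
# out of a group on the server keeps that group's access here until the
# entry expires.
# NOTE(review): keep-hot-count is not among the "Legal entries" in the
# header above; check the installed nscd accepts it.
enable-cache  group  yes
positive-time-to-live group  3600
negative-time-to-live group  60
suggested-size  group  211
keep-hot-count  group           20
check-files  group  yes

# hosts caching left disabled.
#enable-cache  hosts  yes
#positive-time-to-live hosts  3600
#negative-time-to-live hosts  20
#suggested-size  hosts  211
#check-files  hosts  yes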

----nsswitch.conf------------
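#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet"
# transports.
# NOTE(review): the netconfig remark and several of the databases
# further down (netmasks, bootparams, publickey, sendmailvars) come from
# the PADL sample written for Solaris; on a glibc system only this file
# drives lookups and the unknown databases are presumably ignored.
# The posted copy had two comment fragments ("transports." and
# "/etc/group.") wrapped onto uncommented lines; repaired here.

# the following two lines obviate the "+" entry in /etc/passwd and
# /etc/group.

# files first, then the directory: local accounts keep working when the
# LDAP server is unreachable, and a local entry shadows an LDAP entry of
# the same name.
passwd:         files ldap
group:          files ldap
# shadow via LDAP only yields password hashes if the bind identity in
# ldap.conf is allowed to read them; with an anonymous bind this is
# normally empty, which is fine because pam_ldap authenticates by
# binding as the user rather than comparing hashes — TODO confirm
# against the server's ACLs.
shadow:  files ldap

#passwd:         compat ldap
#group:          compat ldap

# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
# The 'host' in ldap.conf must therefore resolve from files or dns, never
# only from ldap.
hosts:          files dns ldap

# LDAP is nominally authoritative for the following maps.
services:   files
networks:   files
protocols:  files
rpc:        files
ethers:     files

# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules for sendmail.
aliases:    files
sendmailvars:   files

# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
# NOTE(review): 'nis' is listed here although no NIS setup appears in
# the message; if no NIS domain is configured on the client, drop it so
# netgroup lookups do not wait on an absent ypbind.
netgroup:   files nis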

-------------pam.conf --------------------
#ident $Id: pam.conf,v 1.3 1998/10/05 05:01:13 lukeh Exp $
#
# PAM configuration for LDAP is sufficient, otherwise UNIX
# mandatory authentication policy.
#
# NOTE(review): this is the PADL sample in Solaris pam.conf layout
# (".so.1" module suffixes, dtlogin service, pam_dial_auth). On
# Linux-PAM, /etc/pam.conf is ignored whenever /etc/pam.d/ exists, so
# on a Woody client this file is almost certainly not in effect; the
# per-service files in /etc/pam.d (login, passwd below) are what run.
# Format: "service type control module [args]"; one line per module,
# evaluated top to bottom within each service/type.

#
# Authentication management
#
# 'sufficient' pam_ldap ends the stack on a successful bind; otherwise
# pam_unix gets the same password (try_first_pass).
login   auth sufficient /lib/security/pam_ldap.so.1
login   auth required   /lib/security/pam_unix.so.1 try_first_pass
login   auth required   /lib/security/pam_dial_auth.so.1

telnet  auth sufficient /lib/security/pam_ldap.so.1
telnet  auth required   /lib/security/pam_unix.so.1 try_first_pass

# pam_rhosts_auth grants access without a password when the remote
# host/user pair is trusted via hosts.equiv or ~/.rhosts; keep this line
# only where that trust is deliberate.
rlogin  auth sufficient /lib/security/pam_rhosts_auth.so.1
rlogin  auth sufficient /lib/security/pam_ldap.so.1
rlogin  auth required   /lib/security/pam_unix.so.1 try_first_pass

dtlogin auth sufficient /lib/security/pam_ldap.so.1
dtlogin auth required   /lib/security/pam_unix.so.1 try_first_pass

# rsh relies on rhosts trust alone: no password is ever asked.
rsh     auth required   /lib/security/pam_rhosts_auth.so.1

# 'other' is the fallback for every service without its own entry.
other   auth sufficient /lib/security/pam_ldap.so.1
other   auth required   /lib/security/pam_unix.so.1 try_first_pass

#
# Account management
#
# Both account modules are 'required', so an LDAP user also has to pass
# pam_unix's account checks — presumably satisfied through nss_ldap,
# but worth keeping in mind if this file were ever active.
login   account required /lib/security/pam_ldap.so.1
login   account required /lib/security/pam_unix.so.1

dtlogin account required /lib/security/pam_ldap.so.1
dtlogin account required /lib/security/pam_unix.so.1

other   account required /lib/security/pam_ldap.so.1
other   account required /lib/security/pam_unix.so.1

#
# Session management, not implemented by pam_ldap
#
other   session required /lib/security/pam_unix.so.1

#
# Password management
#
# The pam_unix line is commented out, so under 'other' only the LDAP
# password can be changed; local accounts would get no working password
# change through this stack. Note the last line also lacks the ".so.1"
# suffix used everywhere else in this file.
#other  password required /lib/security/pam_unix.so.1
other   password required /lib/security/pam_ldap.so

-----------/etc/pam.d/login-----------------
#%PAM-1.0
# /etc/pam.d/login — Linux-PAM per-service file for console login.
# Lines are tried top to bottom within each type: 'required' must
# succeed (the stack keeps running after a failure and denies at the
# end); 'sufficient' ends the stack with success as soon as it passes,
# provided no earlier 'required' line has failed.
# NOTE(review): the reported symptom (password accepted, expiry shown,
# console never opens) points at the 'account' or 'session' stack rather
# than 'auth'. Every module path below must exist under /lib/security;
# the package list in the message has no libpam-pwdb, so pam_pwdb.so on
# the password and session lines is the first thing to verify. The
# 'debug' options write through syslog, so look there rather than at the
# login prompt, and drop them once the problem is found.
# Refuse root on ttys not listed in /etc/securetty.
auth       required /lib/security/pam_securetty.so
# Refuse non-root logins while /etc/nologin exists.
auth       required     /lib/security/pam_nologin.so
# LDAP users: a successful bind as the user ends the auth stack here.
auth       sufficient /lib/security/pam_ldap.so debug
# Local users (or an LDAP failure): retry the typed password locally.
auth       required /lib/security/pam_unix_auth.so try_first_pass debug
# LDAP account checks (expiry, and the host attribute when enabled in
# ldap.conf) end the stack on success, so the local check below only
# runs for users pam_ldap does not know.
account    sufficient /lib/security/pam_ldap.so debug
account    required /lib/security/pam_unix_acct.so debug
# Password change: strength check, then LDAP, then pwdb. pam_ldap and
# pam_pwdb are both 'required', so a change succeeds only if it works in
# both places; an LDAP-only user has no local entry for pam_pwdb to
# update, so expect this stack to fail for such users as written
# (presumably 'sufficient' on the pam_ldap line was intended, as in the
# passwd file further down in the message).
password   required /lib/security/pam_cracklib.so
password   required /lib/security/pam_ldap.so debug
password   required     /lib/security/pam_pwdb.so use_first_pass
# Both session modules are 'required': if either is missing or fails,
# login closes the session right after authentication — which matches
# the behaviour described.
session    required /lib/security/pam_unix_session.so debug
session    required     /lib/security/pam_pwdb.so debug
#session    optional     /lib/security/pam_console.so

-----------/etc/pam/passwd (I think it's not necessary)--------------
#%PAM-1.0
# Per-service file for the passwd command as posted (the message names
# it /etc/pam/passwd; the Linux-PAM location is /etc/pam.d/passwd).
# The passwd program normally runs only the 'password' stack, so the
# auth/account lines are harmless but unused by it.
auth       sufficient /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so use_first_pass
account    sufficient /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
# Strength check first (three attempts), then the directory; pam_pwdb is
# reached only for users pam_ldap cannot change, i.e. local ones. This
# 'sufficient' ordering is the one that works for LDAP-only users and
# differs from the all-'required' password stack in /etc/pam.d/login.
password   required /lib/security/pam_cracklib.so retry=3
password   sufficient /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so try_first_pass

Thanks very much.

Tony