Problems with the LDAP client under Debian GNU/Linux 3.0 (Woody)
Hi all,
I have installed and configured the LDAP client on a machine
running Debian GNU/Linux 3.0 (Woody).
I can connect to the server, which is also Debian. The uids and gids of my
LDAP users are known on the client: if I create a new file owned by an
LDAP user, the name corresponding to the uid and gid declared on the
server is shown. During authentication, when a user tries to log in to
the system, the password-expiry period from the server is displayed, but
the console does not open, and after a few seconds the login prompt asks
for the user's credentials again.
The logs don't give me any information, because the operation appears to
have succeeded.
I think ldap.conf, nsswitch.conf and /etc/pam.d/login are correctly
configured, but I am not sure whether I have forgotten to configure or
install some other package or file, or whether this version has problems
with LDAP.
Could you help me, please?
Packages installed are:
ldap-utils 2.0.23-3
libldap2 1.08-3
libpam-ldap 134-3
libpam-modules 0.72-35
libnss-ldap 184-1
nscd 2.2.5-3
libpam-cracklib 0.72-35
The options configured are:
-------ldap.conf-------
###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure to configure this file
#
# @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
host myhost
# The distinguished name of the search base.
base mybase
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# NOTE(review): no ldaps:// uri or other transport-security setting appears
# in this excerpt, so the client speaks plain LDAP to 'host' on port 389.
# Combined with 'pam_password clear' further down, bind credentials and
# password changes would cross the network unencrypted -- confirm that TLS
# is provided some other way or that the segment is trusted.
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# The credentials to bind with.
# Optional: default is no credential.
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# NOTE(review): the bind-DN / credential / root-bind directives these three
# comment blocks describe are not present, so (per the comments above) all
# lookups bind anonymously.
# The port.
# Optional: default is 389.
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
# NOTE(review): no group DN follows this comment, so the member attribute
# set below has no group to be checked against -- membership is not enforced.
# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute memberuid
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password crypt
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password sha
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#pam_password nds
# For IBM SecureWay support, do:
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
# NOTE(review): 'clear' sends the new password to the directory unhashed and
# leaves hashing to the server (see the "Do not hash" block above). It is only
# appropriate when the connection itself is encrypted; the 'exop' variant
# above is the usual choice for an OpenLDAP server.
pam_password clear
#pam_crypt local
--------nscd.conf -----------
#
# /etc/nscd.conf
#
# An example Name Service Cache config file. This file is needed by
# nscd.
#
# Legal entries are:
#
# logfile <file>
# debug-level <level>
# threads <#threads to use>
# server-user <user to run server as instead of root>
# server-user is ignored if nscd is started with -S parameters
#
# enable-cache <service> <yes|no>
# positive-time-to-live <service> <time in seconds>
# negative-time-to-live <service> <time in seconds>
# suggested-size <service> <prime number>
# check-files <service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts
#
# logfile /var/log/nscd.log
# threads 6
# server-user nobody
# debug-level 0
# NOTE(review): with positive caching on, an account that is changed or
# removed in the directory can keep resolving from this cache for up to the
# TTL (600 s passwd, 3600 s group). 'check-files' presumably only
# invalidates on changes to the local /etc files, not on directory changes
# -- confirm these TTLs are acceptable for account revocation.
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
# NOTE(review): 'keep-hot-count' is not among the "Legal entries" listed in
# this file's header; confirm this nscd version accepts it.
keep-hot-count group 20
check-files group yes
#enable-cache hosts yes
#positive-time-to-live hosts 3600
#negative-time-to-live hosts 20
#suggested-size hosts 211
#check-files hosts yes
----nsswitch.conf------------
#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet"
# transports.
# the following two lines obviate the "+" entry in /etc/passwd and
# /etc/group.
passwd: files ldap
group: files ldap
# NOTE(review): 'shadow: files ldap' makes nss_ldap fetch shadow data for
# directory users. With the anonymous bind implied by the ldap.conf above,
# that presumably only works if the server exposes those attributes to
# anonymous clients, which would also expose password hashes. When
# authentication is done by pam_ldap, this map is usually not needed --
# confirm whether it can be 'shadow: files'.
shadow: files ldap
#passwd: compat ldap
#group: compat ldap
# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts: files dns ldap
# LDAP is nominally authoritative for the following maps.
services: files
networks: files
protocols: files
rpc: files
ethers: files
# no support for netmasks, bootparams, publickey yet.
netmasks: files
bootparams: files
publickey: files
automount: files
# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules ofr sendmail.
aliases: files
sendmailvars: files
# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
netgroup: files nis
-------------pam.conf --------------------
#ident $Id: pam.conf,v 1.3 1998/10/05 05:01:13 lukeh Exp $
#
# PAM configuration for LDAP is sufficient, otherwise UNIX
# mandatory authentication policy.
#
#
# Authentication management
#
# NOTE(review): the '.so.1' module names and the dtlogin / rlogin /
# pam_dial_auth / pam_rhosts_auth entries look like the PADL Solaris example
# rather than a Linux-PAM stack. Linux-PAM ignores /etc/pam.conf whenever
# /etc/pam.d/ exists, so on this Debian host this file is most likely not
# consulted at all -- confirm, and treat the /etc/pam.d/ files as the
# effective policy.
login auth sufficient /lib/security/pam_ldap.so.1
login auth required /lib/security/pam_unix.so.1 try_first_pass
login auth required /lib/security/pam_dial_auth.so.1
telnet auth sufficient /lib/security/pam_ldap.so.1
telnet auth required /lib/security/pam_unix.so.1 try_first_pass
rlogin auth sufficient /lib/security/pam_rhosts_auth.so.1
rlogin auth sufficient /lib/security/pam_ldap.so.1
rlogin auth required /lib/security/pam_unix.so.1 try_first_pass
dtlogin auth sufficient /lib/security/pam_ldap.so.1
dtlogin auth required /lib/security/pam_unix.so.1 try_first_pass
rsh auth required /lib/security/pam_rhosts_auth.so.1
other auth sufficient /lib/security/pam_ldap.so.1
other auth required /lib/security/pam_unix.so.1 try_first_pass
#
# Account management
#
login account required /lib/security/pam_ldap.so.1
login account required /lib/security/pam_unix.so.1
dtlogin account required /lib/security/pam_ldap.so.1
dtlogin account required /lib/security/pam_unix.so.1
other account required /lib/security/pam_ldap.so.1
other account required /lib/security/pam_unix.so.1
#
# Session management, not implemented by pam_ldap
#
other session required /lib/security/pam_unix.so.1
#
# Password management
#
#other password required /lib/security/pam_unix.so.1
# NOTE(review): this is the only entry without the '.so.1' suffix used
# everywhere else in the file; if the file were consulted, the module
# would have to exist under exactly this name.
other password required /lib/security/pam_ldap.so
-----------/etc/pam.d/login-----------------
#%PAM-1.0
# NOTE(review): 'debug' on most lines below sends extra detail to the system
# log; useful while diagnosing the login failure, drop it afterwards.
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so debug
auth required /lib/security/pam_unix_auth.so try_first_pass debug
account sufficient /lib/security/pam_ldap.so debug
account required /lib/security/pam_unix_acct.so debug
password required /lib/security/pam_cracklib.so
# NOTE(review): pam_ldap and pam_pwdb are both 'required' here, so a password
# change must succeed in the directory AND in the local database; for an
# LDAP-only user pam_pwdb has no entry to update and the change is rejected.
# The /etc/pam.d/passwd excerpt in this same post marks pam_ldap 'sufficient'
# instead -- the two stacks should agree.
password required /lib/security/pam_ldap.so debug
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so debug
# NOTE(review): pam_pwdb resolves users through libpwdb (local files / NIS),
# not through the NSS 'ldap' source, so this 'required' session entry can
# fail for LDAP-only accounts and tear the session down right after a
# successful auth/account phase -- a plausible match for the "console closes
# after a few seconds" symptom. Check the pam_pwdb lines in the auth log to
# confirm before removing it.
session required /lib/security/pam_pwdb.so debug
#session optional /lib/security/pam_console.so
-----------/etc/pam/passwd (I think it's not necessary)--------------
#%PAM-1.0
# NOTE(review): the heading above says /etc/pam/passwd; PAM service files
# normally live in /etc/pam.d/, so this is presumably /etc/pam.d/passwd.
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so retry=3
# NOTE(review): pam_ldap is 'sufficient' here but 'required' in the
# /etc/pam.d/login excerpt above, so the same user gets a different
# password-change policy depending on which service is used; pick one.
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so try_first_pass
Thanks very much.
Tony