
Re: problem authenticating using pam



jeremy@xxedgexx.com wrote:

> Basically I'm using the ldapns stuff trying to get my machine to
> authenticate only via ldap.  Is this possible yet?  This is the error
> I get in messages:
>
> May 27 18:16:12 rep login: FAILED LOGIN 1 FROM srv1.ecropolis.com FOR
> jeremy, User not known to the underlying authentication module
> May 27 18:16:34 rep login: FAILED LOGIN SESSION FROM srv1.ecropolis.com
> FOR p, Error in service module
>
> I'm using a RH 6.0 system.
>
> Thanks!
> -jeremy

Hi Jeremy,
     I assume that ldapns means the LDAP name service switch from PADL. If so
you will also need pam_ldap from PADL. They work together.

Some things to note; this is not a full how-to, just some sticky bits:
1: people you want to use the Name Service Switch must be posixAccounts
with valid home directory, uid, gid and shell values. You can check by
trying to finger the user, i.e.:
finger fred
should show fred's Unix-like details as if fred had an entry in the
/etc/passwd database. This does not mean that fred can authenticate, only
that the account details relating to Unix are available for fred from
the LDAP server.
This does however indicate that the search base is OK. There seems to be a
problem with the search base with the OpenLDAP server set (all so far)
where occasionally setting it too close to where the users reside does not
show them. If in doubt, set the search base to the base of your service as
configured in slapd.conf.

2: pam_ldap! The pam file for the login service should look something
like:
#%PAM-1.0
auth       required   /lib/security/pam_securetty.so
auth       sufficient /lib/security/pam_ldap.so
auth       required   /lib/security/pam_pwdb.so shadow nullok use_first_pass

account    sufficient /lib/security/pam_ldap.so
account    required   /lib/security/pam_pwdb.so
password   required   /lib/security/pam_cracklib.so
password   required   /lib/security/pam_ldap.so use_authtok
session    required   /lib/security/pam_pwdb.so

Note that the reference to the pam_ldap module occurs in the auth section,
the account section and the password section. It is necessary for auth
and account, otherwise the PAM system cannot correctly obtain details.

3: Name Service Switch attributes and objectclasses. I am sure there is a
copy of a file for this somewhere, but just in case I will attach mine. I
"include" these in slapd.conf. I apologise for the attachments, but they
are small and it could save someone some typing. These are the ones I use,
as I created them from the RFC. Someone may like to fix things they don't like.

I hope this helps,
    Cheers,
          Gerrit Thomson.


attribute uidNumber cis
attribute gidNumber cis 
attribute gecos	cis
attribute homeDirectory 	ces
attribute loginShell	ces
attribute shadowLastChange	cis
attribute shadowMin	cis
attribute shadowMax	cis
attribute shadowWarning 	cis
attribute shadowInactive cis
attribute shadowExpire	cis
attribute shadowFlag 	cis
attribute memberUid	ces
attribute memberNisNetgroup 	ces
attribute nisNetgroupTriple cis
attribute ipServicePort	cis 
attribute ipServiceProtocol	cis
attribute ipProtocolNumber	cis
attribute oncRpcNumber	cis 
attribute ipHostNumber	cis
attribute ipNetworkNumber	cis
attribute ipNetmaskNumber 	cis
attribute MacAddress	cis 
attribute bootParameter	cis
attribute bootFile 	ces
attribute nisMapName 	cis
attribute nisMapEntry	ces
objectclass posixAccount
	requires
		objectclass,
		cn,
		uid,
		uidNumber,
		gidNumber,
		homeDirectory
	allows
		userPassword,
		loginShell,
		gecos,
		description


objectclass shadowAccount
	requires
		uidnumber
	allows
		userPassword,
		shadowLastChange,
		shadowMin,
		shadowMax,
		shadowWarning,
		shadowInactive,
		shadowExpire,
		shadowFlag,
		description
	
objectclass posixGroup
	requires
		cn,
		gidNumber
	allows
		 userPassword,
		 memberUid,	
		 description	

objectclass ipService
	requires
		cn,
		ipServicePort,
		ipServiceProtocol
	allows
		description

objectclass ipProtocol
	requires
		cn,
		ipProtocolNumber,
		description
	allows
		description

objectclass ipHost
	requires
		cn,
		ipHostNumber
	allows
		description,
		manager

objectclass ipNetwork
	requires
		cn,
		ipNetworkNumber
	allows
		ipNetmaskNumber,
		l,
		description,
		manager


objectclass oncRpc
	requires
		cn,
		oncRpcNumber,
		description
	allows
		description

objectclass nisNetgroup
	requires
		cn
	allows
		nisNetgroupTriple,
		memberNisNetgroup,
		description


objectclass nisMap
	requires
		nisMapName
	allows
		description



objectclass nisObject
	requires
		cn,
		nisMapEntry,
		nisMapName
	allows
		description




objectclass ieee802Device
	requires
		macAddress

objectclass bootableDevice
	allows
		bootFile,
		bootParameter
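Added example (not part of Gerrit's post or of pam_ldap): a small simulator of the classic Linux-PAM control-flag rules run over the auth and account groups of the login stack quoted in point 2. It shows why pam_ldap must appear in both groups: with the account line left out, an LDAP-only user passes auth but is then rejected by pam_pwdb with "User not known" in the account stage, which is the error in the original report. The module return codes are constructed stand-ins, not the output of the real modules.

```python
from typing import Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
Entry = Tuple[str, str, List[str]]  # (control flag, module basename, arguments)

# Constructed copy of the auth and account groups from the post above.
LOGIN_STACK = """\
auth       required   /lib/security/pam_securetty.so
auth       sufficient /lib/security/pam_ldap.so
auth       required   /lib/security/pam_pwdb.so shadow nullok use_first_pass
account    sufficient /lib/security/pam_ldap.so
account    required   /lib/security/pam_pwdb.so
"""

def parse_stack(text: str) -> Dict[str, List[Entry]]:
    """Parse pam.d-style lines into {management group: [entries in order]}."""
    stack: Dict[str, List[Entry]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        group, control, module, *args = line.split()
        stack.setdefault(group, []).append((control, module.rsplit("/", 1)[-1], args))
    return stack

def run_group(entries: List[Entry], results: Dict[str, str]) -> str:
    """Apply required/requisite/sufficient to one group. `results` maps a module
    basename to the code it would return (constructed; use_first_pass is not modelled)."""
    first_failure = None  # error kept from the first failing 'required' module
    for control, module, _args in entries:
        code = results[module]
        if control == "required" and code != PAM_SUCCESS and first_failure is None:
            first_failure = code          # recorded, but the stack keeps running
        elif control == "requisite" and code != PAM_SUCCESS:
            return code                   # stops immediately
        elif control == "sufficient" and code == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS            # short-circuit only if nothing required failed
    return first_failure or PAM_SUCCESS

def login(stack_text: str, results: Dict[str, str]) -> str:
    """Run auth then account, as login does; report the first group that fails."""
    stack = parse_stack(stack_text)
    for group in ("auth", "account"):
        code = run_group(stack.get(group, []), results)
        if code != PAM_SUCCESS:
            return f"{group}: {code}"
    return PAM_SUCCESS

# An LDAP-only user: pam_pwdb does not know them, pam_ldap does.
LDAP_ONLY = {"pam_securetty.so": PAM_SUCCESS, "pam_ldap.so": PAM_SUCCESS,
             "pam_pwdb.so": "PAM_USER_UNKNOWN"}
# The same stack with pam_ldap missing from the account group.
NO_LDAP_ACCOUNT = LOGIN_STACK.replace("account    sufficient /lib/security/pam_ldap.so\n", "")
```

A failing pam_securetty (required) still blocks the login even when pam_ldap succeeds, because a sufficient success cannot override an earlier required failure.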