problem using OpenLDAP, PAM, and Apache on Linux
I am trying to use OpenLDAP as an authentication mechanism for Apache using PAM. I am using pam_ldap-46 and mod_auth_pam-1.0a on a RedHat 6.0 box. When I try to access the directory requiring group authentication I get a simple authentication failure. I think it may have to do with the use or lack of password encryption in the configuration, but I'm not sure. Do I need to encrypt userPassword somehow?

I tried to have my objectclasses as compliant with RFC 2307 as I thought necessary. It may not be enough.

I also compiled and installed the nss_ldap library, which the pam_ldap README seemed to suggest was necessary. But I'm not sure.

Some of my configs and the debug from slapd are at the end of this email. I tried to login with uid:90 and password:foobar. I'm not quite sure how to read the debug. Any assistance would be greatly appreciated. Is this a configuration problem or something else?

Anyone know what objectclass=REFERRAL is?

Thanks.
-Steve Maring
Tampa, FL
<.htaccess in web directory>
AuthPAM_Enabled on
AuthPAM_FallThrough off
AuthType Basic
AuthName "members"
require group webpeople
</etc/ldap.conf>
host 127.0.0.1
base o=Keystone Bluffs,c=US
ldap_version 2
crypt md5
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_groupdn cn=webpeople,ou=groups,o=Keystone Bluffs,c=US
pam_member_attribute memberuid
pam_crypt local
</etc/pam.d/httpd>
auth required /lib/security/pam_ldap.so.1
account required /lib/security/pam_ldap.so.1
</usr/local/openldap/etc/openldap/slapd.oc.conf>
objectclass home
        requires
                objectClass,
                cn,
                lot
        allows
                streetAddress,
                telephoneNumber,
                lastLogin,
                totalLogins,
                resident

objectclass resident
        requires
                objectClass,
                cn,
                lot
        allows
                sn,
                givenName,
                mail,
                photo

objectclass posixAccount
        requires
                objectClass,
                uid,
                gidnumber,
                userPassword

objectclass posixGroup
        requires
                objectClass,
                cn,
                gidnumber
        allows
                memberuid
<LDIF from LDAP>
dn: o=Keystone Bluffs,c=US
o: KeystoneBluffs
objectClass: organization

dn: ou=home,o=Keystone Bluffs,c=US
ou: home
objectClass: organizationalUnit

dn: ou=resident,o=Keystone Bluffs,c=US
ou: resident
objectClass: organizationalUnit

dn: ou=groups,o=Keystone Bluffs,c=US
ou: groups
objectclass: organizationalUnit

dn: cn=webpeople,ou=groups,o=Keystone Bluffs,c=US
cn: webpeople
objectclass: posixGroup
gidnumber: 1000
memberuid: 90

dn: cn=Lot 90,ou=home,o=Keystone Bluffs,c=US
cn: Lot 90
lot: 90
objectClass: home
objectclass: posixAccount
uid: 90
gidnumber: 1000
streetAddress: 503 Bridle Path Way
telephoneNumber: 727-939-1710
userPassword: foobar
resident: cn=Steve Maring,lot=90,dc=keystonebluffs,dc=org

dn: cn=Steve Maring,ou=resident,o=Keystone Bluffs,c=US
cn: Steve Maring
lot: 90
objectClass: resident
sn: Maring
givenName: Steve
mail: smaring@linuxstart.com
<debug from slapd during the request>
do_bind
do_bind: version 2 dn () method 128
send_ldap_result 0::
do_search
using base "O=TRC,C=US"
subtree_candidates: base: "O=TRC,C=US" lookupbase
dn2entry_r: dn: "O=TRC,C=US"
=> dn2id( "O=TRC,C=US" )
====> cache_find_entry_dn2id: found dn: O=TRC,C=US
<= dn2id 1 (in cache)
=> id2entry_r( 1 )
====> cache_find_entry_dn2id: found id: 1 rw: 0
<= id2entry_r 0x80853b8 (cache)
====> cache_return_entry_r
=> filter_candidates
=> list_candidates 0xa1
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "objectclass" "=" "REFERRAL" )
=> ldbm_cache_open( "/data/ldap/objectclass.dbb", 7, 600 )
<= ldbm_cache_open (cache 2)
<= index_read 0 candidates
<= ava_candidates 0
<= filter_candidates 0
=> filter_candidates
=> list_candidates 0xa0
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "objectclass" "=" "POSIXACCOUNT" )
=> ldbm_cache_open( "/data/ldap/objectclass.dbb", 7, 600 )
<= ldbm_cache_open (cache 2)
<= index_read 2 candidates
<= ava_candidates 2
<= filter_candidates 2
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "uid" "=" "SMARING" )
<= index_read 6 candidates (allids - not indexed)
<= ava_candidates 6
<= filter_candidates 6
<= list_candidates 2
<= filter_candidates 2
<= list_candidates 2
<= filter_candidates 2
=> id2entry_r( 4 )
====> cache_find_entry_dn2id: found id: 4 rw: 0
<= id2entry_r 0x80859c0 (cache)
====> cache_return_entry_r
=> id2entry_r( 5 )
=> ldbm_cache_open( "/data/ldap/id2entry.dbb", 7, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry 0x8085cc0
<= id2entry_r( 5 ) (disk)
=> send_search_entry (cn=Steve Maring,ou=webperson,o=TRC,c=US)
<= send_search_entry
====> cache_return_entry_r
send_ldap_result 0::
ber_get_next on fd 7 failed errno 0 (Success)
*** got 0 of 0 so far
do_unbind
do_bind
do_bind: version 2 dn (cn=Steve Maring,ou=webperson,o=TRC,c=US) method 128
dn2entry_r: dn: "CN=STEVE MARING,OU=WEBPERSON,O=TRC,C=US"
=> dn2id( "CN=STEVE MARING,OU=WEBPERSON,O=TRC,C=US" )
====> cache_find_entry_dn2id: found dn: CN=STEVE MARING,OU=WEBPERSON,O=TRC,C=US
<= dn2id 5 (in cache)
=> id2entry_r( 5 )
====> cache_find_entry_dn2id: found id: 5 rw: 0
<= id2entry_r 0x8085cc0 (cache)
====> cache_return_entry_r
do_bind: bound "cn=Steve Maring,ou=webperson,o=TRC,c=US" to "cn=Steve Maring,ou=webperson,o=TRC,c=US"
send_ldap_result 0::
do_compare
dn2entry_r: dn: "CN=WEBPEOPLE,OU=GROUPS,O=TRC,C=US"
=> dn2id( "CN=WEBPEOPLE,OU=GROUPS,O=TRC,C=US" )
====> cache_find_entry_dn2id: found dn: CN=WEBPEOPLE,OU=GROUPS,O=TRC,C=US
<= dn2id 4 (in cache)
=> id2entry_r( 4 )
====> cache_find_entry_dn2id: found id: 4 rw: 0
<= id2entry_r 0x80859c0 (cache)
send_ldap_result 5::
====> cache_return_entry_r
ber_get_next on fd 11 failed errno 0 (Success)
*** got 0 of 0 so far
do_unbind
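The slapd trace above is easier to read once each client operation is paired with the `send_ldap_result N::` line that closes it, because N is a standard LDAP result code: 0 is success, 5 is compareFalse, 6 is compareTrue, 49 is invalidCredentials. Read that way, the anonymous bind, the search for the user entry and the authenticated bind all return 0, and the only non-zero result is the final do_compare against CN=WEBPEOPLE,OU=GROUPS,O=TRC,C=US, which returns 5. The following triage script is an added example and is not code from the post, from pam_ldap or from OpenLDAP; it assumes the OpenLDAP 1.x debug line formats shown in the trace (`do_bind`, `do_search`, `do_compare`, `using base "..."`, `=> index_read( ... )`, `send_ldap_result N::`) and runs on a constructed sample condensed from that trace.

```python
"""Pair operations in OpenLDAP 1.x slapd debug output with their result codes.

Added example (not from the original post). Assumes the slapd -d line
formats visible in the posted trace. It walks the log, opens a record on
each bare do_bind / do_search / do_compare line, attaches the DN or base,
the filter terms slapd evaluated via index_read, and the result code from
the send_ldap_result line that closes the operation.
"""
import re

# Standard LDAP result codes (RFC 4511); the subset that matters when
# tracing a PAM/LDAP login through the server side.
RESULT_CODES = {
    0: "success",
    5: "compareFalse",
    6: "compareTrue",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

_OP_RE = re.compile(r"^do_(bind|search|compare)$")
_RESULT_RE = re.compile(r"^send_ldap_result (\d+)::")
_BIND_DN_RE = re.compile(r"^do_bind: version \d+ dn \((.*)\) method")
_BASE_RE = re.compile(r'^using base "([^"]+)"')
_INDEX_RE = re.compile(r'^=> index_read\( "([^"]+)" "([^"]+)" "([^"]+)" \)')
_ENTRY_DN_RE = re.compile(r'^dn2entry_r: dn: "([^"]+)"')


def parse_slapd_debug(text):
    """Return a list of {op, dn, filter_terms, result} dicts, in log order."""
    ops = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _OP_RE.match(line)
        if m:
            current = {"op": m.group(1), "dn": None, "filter_terms": [], "result": None}
            ops.append(current)
            continue
        if current is None:
            continue  # noise between operations (unbind, ber_get_next, ...)
        m = _BIND_DN_RE.match(line)
        if m and current["op"] == "bind":
            current["dn"] = m.group(1) or "(anonymous)"
            continue
        m = _BASE_RE.match(line)
        if m and current["op"] == "search":
            current["dn"] = m.group(1)
            continue
        m = _ENTRY_DN_RE.match(line)
        if m and current["op"] == "compare" and current["dn"] is None:
            current["dn"] = m.group(1)  # the entry the compare is run against
            continue
        m = _INDEX_RE.match(line)
        if m:
            current["filter_terms"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = _RESULT_RE.match(line)
        if m:
            current["result"] = int(m.group(1))
            current = None  # operation closed; later lines belong to nothing
    return ops


def describe(op):
    """One-line summary of an operation with its decoded result code."""
    code = op["result"]
    return f"{op['op']} dn={op['dn']} result={code} ({RESULT_CODES.get(code, 'unknown')})"


def first_failure(ops):
    """Return the first operation whose result code is not success, or None."""
    for op in ops:
        if op["result"] not in (None, 0):
            return op
    return None


# Constructed sample: the posted trace condensed to the lines the parser uses.
SAMPLE = """\
do_bind
do_bind: version 2 dn () method 128
send_ldap_result 0::
do_search
using base "O=TRC,C=US"
=> index_read( "objectclass" "=" "REFERRAL" )
=> index_read( "objectclass" "=" "POSIXACCOUNT" )
=> index_read( "uid" "=" "SMARING" )
=> send_search_entry (cn=Steve Maring,ou=webperson,o=TRC,c=US)
send_ldap_result 0::
do_unbind
do_bind
do_bind: version 2 dn (cn=Steve Maring,ou=webperson,o=TRC,c=US) method 128
send_ldap_result 0::
do_compare
dn2entry_r: dn: "CN=WEBPEOPLE,OU=GROUPS,O=TRC,C=US"
send_ldap_result 5::
do_unbind
"""

if __name__ == "__main__":
    parsed = parse_slapd_debug(SAMPLE)
    for op in parsed:
        print(describe(op))
    failed = first_failure(parsed)
    print("first failing operation:", describe(failed) if failed else "none")
```

Running it on the sample prints the four operations in order and reports the compare as the first failure, which narrows the "simple authentication failure" seen by Apache to the group-membership compare rather than to the password bind.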