[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Linux user authentication and shaodw passwords

Em Tue, May 30, 2000 at 02:26:08PM -0500, nwiebe@lynxgl.com escreveu:
> Hi,
>   I'm having a _really_ hard time finding any sort of complete docs on how
> to get linux (rh6.2) to authenticate to an openldap 1.2.9-6 server running
> on the same computer.  I've migrated /etc/*, and 'ldapsearch -d 5 -L
> "(objectclass=*)"' returns a whole mess of stuff, but the passwords don't
> seem to have migrated properly.  I have 'auth sufficient
> /lib/security/pam_ldap.so' in /etc/pam.d/login, and I get prompted for a
> LDAP password, but it dosen't matter what I type in for the LDAP password,
> the system just authenticates agains't the normal unix passwd.

Have you configured /etc/ldap.conf? Have you got nss_ldap as well?
And do you have ldap in your passwd:, shadow: and group: entries in
You could try out our patched authconfig in ftp://ftp.conectiva.com.br 
in the EXPERIMENTAL/ldap directory, it just doesn't modify your /etc/pam.d/*
files yet.

Check if the following works:
ldapsearch uid=root
(or put any login name there instead of root). This assumes you have
configured your /etc/openldap/ldap.conf file, or you will have to use
-h localhost -b your-base-suffix with ldapsearch.

Your /etc/pam.d/login should read something like:
auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_unix.so shadow nullok md5 use_authtok
auth       required     /lib/security/pam_ldap.so use_first_pass
account    sufficient	/lib/security/pam_unix.so
account    required     /lib/security/pam_ldap.so
password   required	/lib/security/pam_cracklib.so
password   sufficient	/lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/pam_ldap.so use_first_pass
session    required	/lib/security/pam_console.so
session    sufficient	/lib/security/pam_unix.so
session    required	/lib/security/pam_ldap.so

This setup tries local auth, and, if it doesn't work, it tries the LDAP
server configured in /etc/ldap.conf, failing if not getting a correct auth.
I'm still in doubt about the pam_console.so part, though.

>   Also, if I add a new user to the system, how does that new user get
> added to the ldap database?  

He doesn't. You have to write scripts to do that. Or, you could use ldapconf
(www.terminator.net). It's alpha, but some parts work. If you add an user
using linuxconf (ldapconf is a module for linuxconf), it will update the LDAP
I've written some scripts to add and remove users. If you want, I can send them
to you. They are not perfect (and they are in pt_BR, sorry), but they can give you
an idea about how this works.

> pointers to docs would be much appreciated.

RedHat has an article, but they don't show how to configure/use pam_ldap, just
nss, which you should also have installed if you don't want any user info in
your /etc/* files.

Andreas Hasenack
BIG Linux user!